SpringBoot2.x设置Session失效时间及失效跳转方式
作者:奇
这篇文章主要介绍了SpringBoot2.x设置Session失效时间及失效跳转方式,具有很好的参考价值,希望对大家有所帮助。如有错误或未考虑完全的地方,望不吝赐教
设置Session失效时间及失效跳转
#Session超时时间设置,单位是秒,默认是30分钟 server.servlet.session.timeout=10
然而并没有什么用,因为SpringBoot在TomcatServletWebServerFactory代码中写了这个
private long getSessionTimeoutInMinutes() { Duration sessionTimeout = this.getSession().getTimeout(); return this.isZeroOrLess(sessionTimeout) ? 0L : Math.max(sessionTimeout.toMinutes(), 1L); }
如果说某些人看不懂 Duration 这个类是什么,我不推荐你接着看下去了,因为没有什么帮助。
Session失效后如何跳转到Session失效地址
package cn.coreqi.security.config; import cn.coreqi.security.Filter.SmsCodeFilter; import cn.coreqi.security.Filter.ValidateCodeFilter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; @Configuration public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private AuthenticationSuccessHandler coreqiAuthenticationSuccessHandler; @Autowired private AuthenticationFailureHandler coreqiAuthenticationFailureHandler; @Autowired private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig; @Bean public PasswordEncoder passwordEncoder(){ return NoOpPasswordEncoder.getInstance(); } @Override protected void configure(HttpSecurity http) throws Exception { ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter(); validateCodeFilter.setAuthenticationFailureHandler(coreqiAuthenticationFailureHandler); SmsCodeFilter smsCodeFilter = new SmsCodeFilter(); //http.httpBasic() //httpBasic登录 BasicAuthenticationFilter http.addFilterBefore(smsCodeFilter, UsernamePasswordAuthenticationFilter.class) //加载用户名密码过滤器的前面 .addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class) //加载用户名密码过滤器的前面 .formLogin() //表单登录 UsernamePasswordAuthenticationFilter .loginPage("/coreqi-signIn.html") //指定登录页面 //.loginPage("/authentication/require") .loginProcessingUrl("/authentication/form") //指定表单提交的地址用于替换UsernamePasswordAuthenticationFilter默认的提交地址 .successHandler(coreqiAuthenticationSuccessHandler) //登录成功以后要用我们自定义的登录成功处理器,不用Spring默认的。 .failureHandler(coreqiAuthenticationFailureHandler) //自己体会把 .and() .sessionManagement() .invalidSessionUrl("session/invalid") //session过期后跳转的URL .and() .authorizeRequests() //对授权请求进行配置 .antMatchers("/coreqi-signIn.html","/code/image","/session/invalid").permitAll() //指定登录页面不需要身份认证 .anyRequest().authenticated() //任何请求都需要身份认证 .and().csrf().disable() //禁用CSRF .apply(smsCodeAuthenticationSecurityConfig); //FilterSecurityInterceptor 整个SpringSecurity过滤器链的最后一环 } }
@GetMapping("/session/invalid") @ResponseStatus(code = HttpStatus.UNAUTHORIZED) public SimpleResponse sessionInvalid(){ String message = "session失效"; return new SimpleResponse(message); }
设置Session失效的几种方式
如果是1.5.6版本
这里可以在application中加上bean文件
package com.example.demo; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer; import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer; import org.springframework.context.annotation.Bean; @SpringBootApplication public class DemoApplication {undefined public static void main(String[] args) { SpringApplication.run(DemoApplication.class, args); } //设置session过期时间 @Bean public EmbeddedServletContainerCustomizer containerCustomizer() { return new EmbeddedServletContainerCustomizer() { public void customize(ConfigurableEmbeddedServletContainer container) { container.setSessionTimeout(7200);// 单位为S } }; } }
还可以设置
application.yml
server: port: 8081 servlet: session: timeout: 60s
@RestController public class HelloController {undefined @PostMapping("test") public Integer getTest(@RequestParam("nyy")String nn, HttpServletRequest httpServletRequest ){ HttpSession session = httpServletRequest.getSession(); session.setMaxInactiveInterval(60); int maxInactiveInterval = session.getMaxInactiveInterval(); long lastAccessedTime = session.getLastAccessedTime(); return maxInactiveInterval; } }
以上为个人经验,希望能给大家一个参考,也希望大家多多支持脚本之家。