SpringBoot设置Session失效时间

时间:2021-11-16 17:10:26
1 #Session超时时间设置,单位是秒,默认是30分钟
2 server.session.timeout=10

然而并没有什么用,因为SpringBoot在TomcatServletWebServerFactory代码中写了这个

1     private long getSessionTimeoutInMinutes() {
2         Duration sessionTimeout = this.getSession().getTimeout();
3         return this.isZeroOrLess(sessionTimeout) ? 0L : Math.max(sessionTimeout.toMinutes(), 1L);
4     }

 

⒈Session失效后如何跳转到Session失效地址

 1 package cn.coreqi.security.config;
 2 
 3 import cn.coreqi.security.Filter.SmsCodeFilter;
 4 import cn.coreqi.security.Filter.ValidateCodeFilter;
 5 import org.springframework.beans.factory.annotation.Autowired;
 6 import org.springframework.context.annotation.Bean;
 7 import org.springframework.context.annotation.Configuration;
 8 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 9 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
10 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
11 import org.springframework.security.crypto.password.PasswordEncoder;
12 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
13 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
14 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
15 
16 @Configuration
17 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
18 
19     @Autowired
20     private AuthenticationSuccessHandler coreqiAuthenticationSuccessHandler;
21 
22     @Autowired
23     private AuthenticationFailureHandler coreqiAuthenticationFailureHandler;
24 
25     @Autowired
26     private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;
27 
28     @Bean
29     public PasswordEncoder passwordEncoder(){
30         return NoOpPasswordEncoder.getInstance();
31     }
32 
33 
34     @Override
35     protected void configure(HttpSecurity http) throws Exception {
36         ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
37         validateCodeFilter.setAuthenticationFailureHandler(coreqiAuthenticationFailureHandler);
38 
39         SmsCodeFilter smsCodeFilter = new SmsCodeFilter();
40 
41 
42         //http.httpBasic()    //httpBasic登录 BasicAuthenticationFilter
43         http.addFilterBefore(smsCodeFilter, UsernamePasswordAuthenticationFilter.class)    //加载用户名密码过滤器的前面
44                 .addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)    //加载用户名密码过滤器的前面
45                 .formLogin()    //表单登录 UsernamePasswordAuthenticationFilter
46                     .loginPage("/coreqi-signIn.html")  //指定登录页面
47                     //.loginPage("/authentication/require")
48                     .loginProcessingUrl("/authentication/form") //指定表单提交的地址用于替换UsernamePasswordAuthenticationFilter默认的提交地址
49                     .successHandler(coreqiAuthenticationSuccessHandler) //登录成功以后要用我们自定义的登录成功处理器,不用Spring默认的。
50                     .failureHandler(coreqiAuthenticationFailureHandler) //自己体会把
51                 .and()
52                 .sessionManagement()
53                     .invalidSessionUrl("session/invalid")    //session过期后跳转的URL
54                 .and()
55                 .authorizeRequests()    //对授权请求进行配置
56                     .antMatchers("/coreqi-signIn.html","/code/image","/session/invalid").permitAll() //指定登录页面不需要身份认证
57                     .anyRequest().authenticated()  //任何请求都需要身份认证
58                     .and().csrf().disable()    //禁用CSRF
59                 .apply(smsCodeAuthenticationSecurityConfig);
60             //FilterSecurityInterceptor 整个SpringSecurity过滤器链的最后一环
61     }
62 }
1     @GetMapping("/session/invalid")
2     @ResponseStatus(code = HttpStatus.UNAUTHORIZED)
3     public SimpleResponse sessionInvalid(){
4         String message = "session失效";
5         return new SimpleResponse(message);
6     }