Part of the Shiro configuration is as follows:
```xml
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="sessionMode" value="native"/>
    <property name="cacheManager" ref="cacheManager"/>
    <property name="sessionManager" ref="sessionManager"/>
    <property name="realm" ref="shiroDbRealm"/>
</bean>

<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"/>

<bean id="sessionValidationScheduler" class="org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler">
    <property name="interval" value="1800000"/>
</bean>

<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="sessionDAO" ref="sessionDAO"/>
    <property name="globalSessionTimeout" value="3600000"/>
    <property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>
    <property name="sessionValidationSchedulerEnabled" value="true"/>
</bean>

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login"/>
    <property name="successUrl" value="/system"/>
    <property name="unauthorizedUrl" value="/login?unauthorized"/>
    <property name="filterChainDefinitions">
        <value>
            /login = authc
            ...
        </value>
    </property>
</bean>
```
If a user closes the browser directly after logging in, without logging out properly, there are two possibilities:
1) The user really did want to log out, and does not log in again within the session timeout. The orphaned session in the cache is cleaned up by a scheduled task once it times out.
2) The user closed the browser by mistake. In this case the user will log in again. Because the previous session still exists, FormAuthenticationFilter is not executed, so there is no redirect to successUrl; instead, the post action of the form on the login page is executed.
I have thought of two solutions:
1) In the GET /login method that displays the login page, check the session, and if there is one, log out properly:
```java
import org.apache.shiro.SecurityUtils;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@RequestMapping(value = "/login", method = RequestMethod.GET)
public String loginInit() {
    // getSession(false) returns null when no session exists yet; the no-arg
    // getSession() would create one, so that check would always be true.
    if (SecurityUtils.getSubject().getSession(false) != null) {
        SecurityUtils.getSubject().logout();
    }
    return "login";
}
```
2) Write it in POST /login.
Does anyone have a better approach?
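As an added illustration (not code from the original post), the following Spring MVC controller handles the re-login case described above with Shiro's Subject API on both GET and POST /login; the controller name is hypothetical, and /login, /system and the `authc` mapping are taken from the configuration in the post.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Hypothetical controller name; the /login and /system paths come from the
// shiroFilter configuration in the post.
@Controller
public class LoginController {

    // With "/login = authc", FormAuthenticationFilter lets a GET reach this
    // handler either for an anonymous user (show the form) or for a Subject
    // that is still authenticated, e.g. the browser was closed without a
    // logout and the old session cookie came back within globalSessionTimeout.
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String loginInit() {
        Subject subject = SecurityUtils.getSubject();
        // getSession(false) returns null when no session exists; the no-arg
        // getSession() would create one, so a null check on it never fires.
        Session existing = subject.getSession(false);
        if (existing != null && subject.isAuthenticated()) {
            // End the previous login so the form POST is handled by
            // FormAuthenticationFilter again and redirects to successUrl.
            // logout() also stops the session, so nothing from the old
            // session (including its ID) carries over into the new login.
            subject.logout();
        }
        return "login";
    }

    // Only reached when the filter did not perform the login itself: the
    // Subject was already authenticated (the case described in the post) or
    // the filter let a failed attempt fall through to the view. Sending an
    // already-authenticated user to successUrl is the alternative to the
    // logout above.
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String loginSubmit() {
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            return "redirect:/system";
        }
        return "login";
    }
}
```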