时间戳

首页 > 解决方案 > 如何以编程方式使用户超时会话到期

java - 如何以编程方式使用户超时会话到期

问题描述

如果管理员禁用或删除它们,我希望用户即使他们有活动会话也要注销。我正在使用过滤器进行操作,但我无法清除会话,我什至不明白为什么?

我还在 web.xml 文件中添加了 HttpSessionEventPublisher

public class CheckUserFilter extends GenericFilterBean{

    private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();

    @Autowired
    private UserService userService;

    @Autowired
    private SessionRegistryImpl sessionRegistryImpl;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException{

        boolean enabled = true;

         HttpServletRequest req = (HttpServletRequest) request;

         String ajaxHeader = ((HttpServletRequest) request).getHeader("X-Requested-With");

         if ("XMLHttpRequest".equals(ajaxHeader)) {

             if (!authenticationTrustResolver.isAnonymous(SecurityContextHolder.getContext().getAuthentication())) {

                    UserDetails loggedUser = (UserDetails) SecurityContextHolder.getContext()
                            .getAuthentication().getPrincipal();


                    enabled = userService.isUserEnabled(loggedUser.getUsername(), req);

                    if(!enabled){
                        //req.logout();

                        List<SessionInformation> sessions = sessionRegistryImpl.getAllSessions(SecurityContextHolder.getContext()
                                .getAuthentication().getPrincipal(), false);
                        sessionRegistryImpl.getSessionInformation(sessions.get(0).getSessionId()).expireNow();
                        request.getRequestDispatcher("/login").forward(request, response);


                    }
                }
       }
           chain.doFilter(request, response);

     }
}

标签: javaspringspring-security

解决方案

HttpSession对象具有invalidate使自身过期的方法。

https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpSession.html#invalidate()

推荐阅读