Java spring安全认证入口点&x27;开始';方法不是第一次调用的
我正在尝试使用ajax感知的身份验证入口点来处理会话超时问题。但在会话过期后收到第一个AJAX请求时,不会调用它的comment方法。当spring security第一次返回302状态和登录url时。然后浏览器会自动从位置标题请求登录页面。但是,当另一个后续AJAX请求被激发时,将调用我的Java spring安全认证入口点&x27;开始';方法不是第一次调用的,java,ajax,spring,spring-security,session-timeout,Java,Ajax,Spring,Spring Security,Session Timeout,我正在尝试使用ajax感知的身份验证入口点来处理会话超时问题。但在会话过期后收到第一个AJAX请求时,不会调用它的comment方法。当spring security第一次返回302状态和登录url时。然后浏览器会自动从位置标题请求登录页面。但是,当另一个后续AJAX请求被激发时,将调用我的AjaxAwareAuthenticationEntryPoint方法,服务器将401状态返回给客户端。我不确定我的配置有什么问题导致了这种奇怪的行为。我使用的是spring-security3.1.4版 下
AjaxAwareAuthenticationEntryPoint
方法,服务器将401状态返回给客户端。我不确定我的配置有什么问题导致了这种奇怪的行为。我使用的是spring-security
3.1.4版
下面是我的AJAX感知身份验证入口点:
public class AjaxAwareAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {
public AjaxAwareAuthenticationEntryPoint(String loginUrl) {
super(loginUrl);
}
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
if (isAjax(request)) {
response.sendError(HttpStatus.UNAUTHORIZED.value(), "Please re-authenticate yourself");
} else {
super.commence(request, response, authException);
}
}
public static boolean isAjax(HttpServletRequest request) {
return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
}
}
这是我的spring安全配置
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
<intercept-url pattern="/index.jsp" access="permitAll" />
<intercept-url pattern="/qualifiers/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/userpreference/**" access="hasRole('ROLE_USER')" />
<!--<intercept-url pattern="/import.do" access="hasRole('ROLE_USER')" />-->
<!-- <anonymous username="guest" granted-authority="ROLE_USER" /> -->
<form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-success-handler-ref="authSuccessBean" authentication-failure-handler-ref="authFailureBean"
authentication-failure-url="/login.jsp?error=true" always-use-default-target="false" />
<logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID" />
<!-- Spring Security supports rolling tokens for more advanced security needs, but this requires a database to persist the tokens -->
<remember-me />
<session-management invalid-session-url="/login.jsp">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
</http>
<beans:bean id="authenticationEntryPoint" class="com.pcc.myapp.controller.auth.AjaxAwareAuthenticationEntryPoint">
<beans:constructor-arg name="loginUrl" value="/login.jsp" />
</beans:bean>
<authentication-manager>
<authentication-provider user-service-ref="userLoginService">
<!-- <password-encoder hash="sha" /> -->
</authentication-provider>
</authentication-manager>
<beans:bean id="authFailureBean" class="com.pcc.myapp.controller.auth.AuthFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.jsp?error=true" />
</beans:bean>
<beans:bean id="authSuccessBean" class="com.pcc.myapp.controller.auth.AuthSuccessHandler">
<beans:property name="defaultTargetUrl" value="/qualifiers/attributes.do" />
<beans:property name="alwaysUseDefaultTargetUrl" value="true" />
</beans:bean>
</beans:beans>
这是最后两个请求的firebug屏幕截图
我的实现与此类似。您解决问题了吗?