How to handle an expired session with Spring Security and jQuery?
I'm using spring-security and jQuery in my application. The main page loads content dynamically into tabs via Ajax. Everything works, but sometimes I get the login page inside my tab, and if I type my credentials I am redirected to the content page without the tabs.

So I'd like to handle this situation. I know some people use Ajax authentication, but I'm not sure it's suitable for me because it looks quite complicated to me, and my application doesn't allow any access without logging in first. I would like to just write a global handler for all Ajax responses that will do window.location.reload() if we need to authenticate. I think in this case it's better to get a 401 error instead of the standard login form because it's easier to handle.

So:

1) Is it possible to write a global error handler for all jQuery Ajax requests?

2) How can I customize the behavior of spring-security to send a 401 error for Ajax requests, but show the standard login page as usual for regular requests?

3) Maybe you have a more graceful solution? Please share it.

Thanks.
Here's an approach that I think is quite simple. It's a combination of approaches that I've observed on this site. I wrote a blog post about it: http://yoyar.com/blog/2012/06/dealing-with-the-spring-security-ajax-session-timeout-problem/

The basic idea is to use an API URL prefix (i.e. /api/secured), as suggested above, along with an authentication entry point. It's simple and works.

Here's the authentication entry point:
    package com.yoyar.yaya.config;

    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

    import javax.servlet.ServletException;
    import javax.servlet.http.*;
    import java.io.IOException;

    public class AjaxAwareAuthenticationEntryPoint
            extends LoginUrlAuthenticationEntryPoint {

        public AjaxAwareAuthenticationEntryPoint(String loginUrl) {
            super(loginUrl);
        }

        @Override
        public void commence(
                HttpServletRequest request,
                HttpServletResponse response,
                AuthenticationException authException)
                throws IOException, ServletException {

            // Requests under the API prefix are the Ajax calls. Note that
            // getRequestURI() includes the context path, so this check assumes
            // the application is deployed at the root context.
            boolean isAjax
                    = request.getRequestURI().startsWith("/api/secured");

            if (isAjax) {
                // Bare error status for Ajax: no redirect to the login page,
                // so the client can react to the status code instead.
                response.sendError(403, "Forbidden");
            } else {
                // Regular page requests get the normal redirect to the login form.
                super.commence(request, response, authException);
            }
        }
    }
And here's what goes in your Spring context XML:
    <bean id="authenticationEntryPoint"
          class="com.yoyar.yaya.config.AjaxAwareAuthenticationEntryPoint">
        <constructor-arg name="loginUrl" value="/login"/>
    </bean>

    <security:http auto-config="true"
                   use-expressions="true"
                   entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/api/secured/**" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/login" access="permitAll"/>
        <security:intercept-url pattern="/logout" access="permitAll"/>
        <security:intercept-url pattern="/denied" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/" access="permitAll"/>
        <security:form-login login-page="/login"
                             authentication-failure-url="/loginfailed"
                             default-target-url="/login/success"/>
        <security:access-denied-handler error-page="/denied"/>
        <security:logout invalidate-session="true"
                         logout-success-url="/logout/success"
                         logout-url="/logout"/>
    </security:http>
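The client side of this, as an added example that is not part of the question or the answer above: a global jQuery failure handler for question 1, wired to the server-side behaviour the answer sets up. It assumes the server answers an unauthenticated Ajax call with a bare status code rather than a redirect to the login page (the 403 the entry point above sends, or the 401 the question proposes), that the API prefix is /api/secured as in the answer, and that jQuery is loaded on the page. The reload function is injected so the decision logic can run outside a browser; the names classifyAjaxFailure, onAjaxFailure and TREAT_403_AS_SESSION_LOST are this example's own.

```javascript
// Added example: global jQuery handler for the Spring Security session-timeout
// case. Not code from the question, the answer, or Spring Security itself.
// Assumptions: unauthenticated Ajax calls come back as a bare 401 or 403 (no
// redirect), the API prefix is the answer's /api/secured, jQuery is on the page.

var API_PREFIX = "/api/secured";

// The answer's entry point sends 403 for a missing session, but Spring's
// access-denied handling also answers a logged-in user's forbidden request
// with 403. Only treat 403 as "session lost" if you have kept the entry point
// as written and know that no genuine denial can occur under the API prefix;
// sending 401 from the entry point (as the question proposed) avoids the clash.
var TREAT_403_AS_SESSION_LOST = false;

// Strip scheme and host from an absolute URL so the prefix check also works
// when a request was issued with a full URL.
function pathOf(url) {
  if (typeof url !== "string") return "";
  return url.replace(/^[a-z]+:\/\/[^\/]*/i, "");
}

// Pure decision, kept free of jQuery and the DOM so it can be tested under Node.
//   "reload" - no valid session; a full reload shows the normal login page
//              instead of the asker's "login form inside a tab" symptom
//   "denied" - authorization failure of a logged-in user; do NOT reload, because
//              the reloaded page would repeat the same request and loop
//   "other"  - network error, aborted request (status 0), 5xx, ...
function classifyAjaxFailure(status, url) {
  var isApiCall = pathOf(url).indexOf(API_PREFIX) === 0;
  if (status === 401) return "reload";   // unauthenticated by definition
  if (status === 403) {
    return (isApiCall && TREAT_403_AS_SESSION_LOST) ? "reload" : "denied";
  }
  return "other";
}

// Several tabs usually fail at once when the session expires; issue a single
// reload per page load. The reload itself resets the flag.
var reloadIssued = false;

// Handler body. reloadFn is window.location.reload in the browser and is
// injected here so the logic can be exercised without a browser.
function onAjaxFailure(jqXHR, settings, reloadFn) {
  var decision = classifyAjaxFailure(jqXHR.status, settings && settings.url);
  if (decision === "reload" && !reloadIssued) {
    reloadIssued = true;
    reloadFn();
  }
  return decision;
}

function resetReloadGuard() { reloadIssued = false; }

// Browser wiring: registered once, applies to every jQuery Ajax request on the page.
if (typeof jQuery !== "undefined") {
  jQuery(document).ajaxError(function (event, jqXHR, settings) {
    onAjaxFailure(jqXHR, settings, function () { window.location.reload(); });
  });
}
```

With the answer's configuration as written, both a missing session and a genuine access denial under /api/secured arrive as 403, which is why the handler only reloads on 403 when TREAT_403_AS_SESSION_LOST is set; changing the entry point to sendError(401) keeps the two cases apart and lets the default settings reload only on 401.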