Spring-boot Spring-Security session timeout

长发绾君心 2020-12-09 05:52

UPDATED QUESTION:

I have a spring-boot 1.1.3.RELEASE project that is using EmbeddedTomcat and Spring-Security. I posted this a while back

5 Answers
  • 2020-12-09 06:06

    So it would appear that to get the Embedded Tomcat to honor a session timeout, when you use the server.session-timeout value, use it in minutes, not seconds. My previous attempts were with server.session-timeout=300 and after waiting at least 45 minutes, the timeout never occurred. However, I added an HttpSessionListener bean with system.outs to message on sessionCreated() and sessionDestroyed(). With an application.properties setting of server.session-timeout=5 I saw the session get destroyed just after 5 minutes of inactivity.

    So, I can now control the session length with these parameters. Thank you to M. Deinum and Dave Sayers for your help and advice. If nothing else, you really helped me clean up my code and understand Spring a bit more.

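To see which unit a given Spring Boot version applies to the timeout property, a listener like the one the answer above describes can log the timeout the container actually applied. This is an added example, not code from the original post; the class name is hypothetical and it assumes the javax.servlet API (Spring Boot 1.x/2.x).

```java
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical class name; added for illustration, not part of the original answers.
// Assumes the javax.servlet API (Spring Boot 1.x/2.x); Spring Boot 3 uses jakarta.servlet.
@Configuration
public class SessionTimeoutAuditConfig {

    // Spring Boot registers HttpSessionListener beans with the embedded container.
    @Bean
    public HttpSessionListener sessionTimeoutAuditListener() {
        return new HttpSessionListener() {

            @Override
            public void sessionCreated(HttpSessionEvent event) {
                HttpSession session = event.getSession();
                // getMaxInactiveInterval() always reports seconds, so this line shows
                // how the container interpreted the configured timeout value.
                System.out.printf("session %s created, idle timeout = %d s%n",
                        ref(session), session.getMaxInactiveInterval());
            }

            @Override
            public void sessionDestroyed(HttpSessionEvent event) {
                HttpSession session = event.getSession();
                long now = System.currentTimeMillis();
                long idleSeconds = (now - session.getLastAccessedTime()) / 1000;
                long ageSeconds = (now - session.getCreationTime()) / 1000;
                System.out.printf("session %s destroyed after %d s (idle %d s, limit %d s)%n",
                        ref(session), ageSeconds, idleSeconds, session.getMaxInactiveInterval());
            }

            // Log a short hash rather than the session ID itself, because a logged
            // session ID can be replayed for as long as the session is alive.
            private String ref(HttpSession session) {
                return Integer.toHexString(session.getId().hashCode());
            }
        };
    }
}
```

With the setting server.session-timeout=5 from the answer above, a container that reads the value as minutes reports an idle timeout of 300 s when a session is created.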
  • 2020-12-09 06:07

    I suggest you take a look at this which explains how to modify the embedded tomcat. Instead of trying to bootstrap your own container, let Spring Boot do that and use an EmbeddedServletContainerCustomizer to modify what you need.

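    import java.util.concurrent.TimeUnit;
    import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
    import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
    import org.springframework.boot.context.embedded.ErrorPage;
    import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
    import org.springframework.http.HttpStatus;

    public class SessionTimeoutEmbeddedServletContainerCustomizer implements EmbeddedServletContainerCustomizer {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;
            // The timeout unit is explicit here, so it does not depend on how a property value is parsed.
            tomcat.setSessionTimeout(30, TimeUnit.MINUTES);
            tomcat.addErrorPages(new ErrorPage(HttpStatus.NOT_FOUND, "/notfound.html"));
        }
    }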
    

    Then remove your container from the configuration and replace it with a @Bean method constructing this customizer. (I would probably add it as a @Bean method to the starter class, that way you have everything related to bootstrapping the application in one class!).

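    import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class OFAConfiguration {
    
        // Spring Boot applies this customizer to the embedded container it creates.
        @Bean
        public EmbeddedServletContainerCustomizer servletContainerCustomizer() {
            return new SessionTimeoutEmbeddedServletContainerCustomizer();
        }
    }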
    

    The advantage of this is that Spring Boot still does all its magic with the servlet container and you only modify what is needed.

    Some other things I noticed: first, your dependencies are a bit of a mess and your configuration contains too much.

    Dependencies

    1. You are mixing Spring Boot 1.0.1 and 1.1.1 and probably also 1.1.3, fix this mixture to prevent weird dependency issues.
    2. You include spring-orm version 4.0.0.RC1 whilst this is already on version 4.0.5 and provided by the spring-boot-starter-data-jpa dependency, remove it.

    Configuration

    Your configuration contains multiple @EnableJpaRepositories which you can remove as Spring Boot detects the presence of Spring Data JPA and will enable this for you as well as the @EnableTransactionManagement.

    Your main class extends WebMvcConfigurerAdapter which shouldn't be needed as this is also detected and configured by Spring Boot.

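    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
    import org.springframework.context.ApplicationContext;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

    @ComponentScan
    @EnableAutoConfiguration
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class OFAC {
        public static void main(String[] args) {
            ApplicationContext ofac = SpringApplication.run( OFAC.class, args );
        }
    }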
    

    This should be all you need for your starter class.

  • 2020-12-09 06:10

    As of the current version (http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html) there is a typo; the property is: server.session.timeout

  • Things change, but as of Spring Boot 2.1.3 (which has Spring Web 5.1.5, optionally adding Spring Session 2.1.4), the property is now

    server.servlet.session.timeout=<your-value><units>

    For example, the value to be set could be 1800s for 1800 seconds or 30m for 30 minutes.

    The Spring Session property spring.session.timeout, if not configured, falls back to the property above.

  • 2020-12-09 06:18

    Just to update this, because I went looking for an answer and couldn't find it easily:

    You can set the server.session.cookie.max-age=

    in your application.properties to force the log out after a certain time.

    This one actually uses seconds, not minutes, as the integer value. So set it to something reasonable like 120 for 2 minutes.
