本文探讨了并发会话控制器中过滤器的工作原理及其在管理过期会话信息方面的作用。详细介绍了如何避免过期会话永久存在的问题,并讨论了在会话失效后清理上下文的重要性。此外,还涉及了在请求过程中如何正确使用getSession方法。
this filter must be first in the filter chan.it use for concurrentSessionController.in ConcurrentSessionFilter,u must remove the expired
session info,other wise the expired ie will expired for ever.
(because some times after
session.invalidate(),the HttpSession session = httpRequest.getSession(false) not null.I don't know weathe is the problem of the
servlet)
and it also set the session.invalidate(),this will clear the context in the session.
the HttpSessionContextIntegrationFilter will create a new security
context in the session or get the security context from the session
if the session is not invalidate. SecurityContextHolder.setContext
will invoked each request because it may be that in the filter chain the context in SecurityContextHolder has chaned.
I see some people invokeing sessionRegistry.removeSessionInformation(session.getId()); in the logout filter.it seems needless.
[code]getSession
public HttpSession getSession(boolean create)Returns the current HttpSession associated with this request or, if if there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this method returns null.
To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.
[/code]
session info,other wise the expired ie will expired for ever.
(because some times after
session.invalidate(),the HttpSession session = httpRequest.getSession(false) not null.I don't know weathe is the problem of the
servlet)
and it also set the session.invalidate(),this will clear the context in the session.
the HttpSessionContextIntegrationFilter will create a new security
context in the session or get the security context from the session
if the session is not invalidate. SecurityContextHolder.setContext
will invoked each request because it may be that in the filter chain the context in SecurityContextHolder has chaned.
I see some people invokeing sessionRegistry.removeSessionInformation(session.getId()); in the logout filter.it seems needless.
[code]getSession
public HttpSession getSession(boolean create)Returns the current HttpSession associated with this request or, if if there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this method returns null.
To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.
[/code]
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
