
java - Spring安全代理问题

转载 作者:行者123 更新时间:2023-12-01 11:55:53 25 4

我有一个一般性的问题。我有一个使用 Spring Security 3.2 和 Spring 4 编写的 Web 项目,部署在 Tomcat 7.0 中。项目在 Spring Security 中为用户定义了 2 个角色:USER 和 COMPANY。当我从家里的计算机登录(不经过任何代理)时,一切正常。但是,如果我从工作计算机登录(该计算机位于公司代理之后),Web 应用程序就无法正常工作:本地化失效,或者经常把用户角色赋给公司帐户等等。我在网上查找过这个问题,但没有找到任何解决方案。希望有人能指出可能的原因。提前致谢。

spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- Expression handler bean; the method-security element refers to it by this id. -->
<bean id="securityExpressionHandler"
      class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"/>

<!-- Enables the pre/post method-security annotations and evaluates their expressions
     with the securityExpressionHandler bean. -->
<security:global-method-security pre-post-annotations="enabled">
    <security:expression-handler ref="securityExpressionHandler"/>
</security:global-method-security>

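<!-- URL-level security for the web tier. auto-config is off, so the form-login filter and the
     concurrent-session filter are wired in by hand as custom filters at the end of this element.
     Unauthenticated requests that need a login are handed to authenticationEntryPoint;
     denied requests are sent to /login. -->
<security:http auto-config="false" use-expressions="true" access-denied-page="/login" entry-point-ref="authenticationEntryPoint">

    <!-- Pages that must stay reachable without a login. -->
    <security:intercept-url pattern="/login" access="permitAll"/>
    <security:intercept-url pattern="/account/register" access="permitAll"/>

    <!-- hasAnyRole takes one quoted argument per role. Written as a single string
         ('ROLE_USER, ROLE_COMPANY') the expression tests for one authority whose name is that
         whole text, comma included, so each role is quoted separately here. -->
    <security:intercept-url pattern="/main" access="hasAnyRole('ROLE_USER','ROLE_COMPANY')"/>
    <security:intercept-url pattern="/profile" access="hasAnyRole('ROLE_USER','ROLE_COMPANY')"/>
    <security:intercept-url pattern="/wishlist" access="hasRole('ROLE_USER')"/>
    <security:intercept-url pattern="/messagebox" access="hasAnyRole('ROLE_USER','ROLE_COMPANY')"/>
    <security:intercept-url pattern="/settings" access="hasAnyRole('ROLE_USER','ROLE_COMPANY')"/>
    <security:intercept-url pattern="/search" access="hasAnyRole('ROLE_USER','ROLE_COMPANY')"/>

    <!-- NOTE(review): the list has no trailing catch-all rule, so a path that is not named above
         gets no access rule from this element. Consider ending the list with a "/**" rule
         (for example access="isAuthenticated()") once the static resources that must stay
         public have been listed before it. -->

    <!-- NOTE(review): nothing in this element sets cache headers. If responses travel through a
         shared caching proxy, a page rendered for one account can be replayed to another, which
         would fit the reported symptom of a COMPANY account seeing USER content. With Spring
         Security 3.2 and the 3.2 security schema (this file declares spring-security-3.0.xsd),
         a security:headers child holding security:cache-control adds no-cache response headers;
         otherwise send Cache-Control: no-store from the application for /login and every page
         behind it. -->

    <!-- Logout ends the HTTP session and returns the browser to the login page. -->
    <security:logout invalidate-session="true" logout-success-url="/login" logout-url="/logout" />

    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
    <security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
    <security:session-management session-authentication-strategy-ref="sas" />

</security:http>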

<!-- Username/password login filter, installed at FORM_LOGIN_FILTER by the http element.
     It shares the "sas" session strategy with session management so a successful login
     goes through the same session handling. -->
<bean id="authenticationFilter"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy" ref="sas"/>
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureHandler" ref="customAuthenticationFailureHandler"/>
    <property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler"/>
</bean>

<!-- A failed login is sent back to the login page with fail=true in the query string. -->
<bean id="customAuthenticationFailureHandler"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/login?fail=true"/>
</bean>

<!-- Success handler: only the default target URL is configured, so a successful login lands on /main. -->
<bean id="customAuthenticationSuccessHandler"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/main"/>
</bean>

<!-- Entry point named by the http element: requests that need a login are sent to /login. -->
<bean id="authenticationEntryPoint"
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login"/>
</bean>

<!-- Authentication manager, exposed under the alias the login filter refers to.
     Its only provider is the project's customAuthenticationProvider bean. -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="customAuthenticationProvider"/>
</security:authentication-manager>

<!-- Project class that performs the actual credential check.
     NOTE(review): the class is named CustomAuthenticationManager but is registered as an
     authentication provider; confirm it implements AuthenticationProvider. The roles it grants
     are not visible in this listing; presumably ROLE_USER and ROLE_COMPANY are assigned here. -->
<bean id="customAuthenticationProvider"
      class="service.CustomAuthenticationManager"/>


<!-- Project service that looks up users together with their access levels.
     NOTE(review): no bean in this listing refers to it by id; presumably it is injected
     into the custom provider elsewhere. -->
<bean id="customUserDetailsService"
      class="service.CustomUserDetailsService"/>


<!-- Project filter installed at CONCURRENT_SESSION_FILTER. It is given the shared session
     registry and sends expired sessions to /login. Its implementation is not part of this listing. -->
<bean id="concurrencyFilter" class="filter.AzunisConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry"/>
    <property name="expiredUrl" value="/login"/>
</bean>
<!-- Session authentication strategy shared by the login filter and session management.
     maximumSessions of -1 places no limit on concurrent sessions per principal, so the
     exceptionIfMaximumExceeded setting has nothing to reject. alwaysCreateSession makes
     every successful login end up with a session.
     NOTE(review): ConcurrentSessionControlStrategy is deprecated as of Spring Security 3.2. -->
<bean id="sas"
      class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
    <property name="maximumSessions" value="-1"/>
    <property name="exceptionIfMaximumExceeded" value="false"/>
    <property name="alwaysCreateSession" value="true"/>
</bean>

<!-- Registry of SessionInformation instances, shared by the concurrency filter and the "sas" strategy.
     See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/session/SessionRegistry.html -->
<bean id="sessionRegistry"
      class="org.springframework.security.core.session.SessionRegistryImpl"/>

最佳答案

我认为这是代理的缓存机制造成的。请在响应 header 中把登录页面和登录后的着陆页面设置为过期。

关于java - Spring安全代理问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28448203/
