我正在学习春天.执行登录/注销功能.
这就是我的控制器的样子：

@RequestMapping(value="/successfulLoginAuth", method=RequestMethod.GET)
public ModelAndView postHttpLogin(HttpSession session, Authentication authInfo) 
{

ModelAndView mav = new ModelAndView();
mav.setViewName("redirect:/index.html");
session.setAttribute("authInfo", authInfo);

return mav;

}

登录是通过Spring Security使用我实现的dao服务执行的.这很好.

这是index.jsp的内容：

<% 
    HttpSession session1 = request.getSession(false);
    Authentication authInfo; 
    if( (session1 != null) && 
        ( (authInfo = (Authentication)session1.getAttribute("authInfo")) != null) 
      )
    {

        out.print(" yo " + authInfo.getName() + " " + authInfo.getAuthorities().iterator().next().getAuthority());
    }
    else
    {
%>    
<a href="${pageContext.request.contextPath}/registration">New? Sign Up!</a><br/>

<a href="${pageContext.request.contextPath}/login">Existing? Sign In!</a><br/>
<%} %>

当我登录并重新启动服务器时,我仍然登录.在服务器重启后,会话信息是否应该丢失？如果我重新启动浏览器,它将按预期工作(即会话信息丢失).

这是我的Spring Security配置：

<http auto-config="true"  use-expressions="true">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/logout" access="permitAll" />
        <intercept-url pattern="/accessdenied" access="permitAll" />
        <form-login login-page="/login" default-target-url="/successfulLoginAuth" authentication-failure-url="/accessdenied" />
        <logout logout-success-url="/logout" />
    </http>

<authentication-manager>
    <authentication-provider user-service-ref="myUserDetailsService"></authentication-provider>
  </authentication-manager>

解决方法:

我假设您正在使用Tomcat,它使用Manager组件在应用程序生命周期之间保持会话.您可以在the Manager component configuration中更改所有这些设置.

我认为这也取决于你做的改变. Eclipse的Tomcat服务器插件将决定是否应该刷新序列化的HttpSessions.