Spring-security：即使在 JVM 重启后也能保持活动会话

Posted 2023-03-25

【中文标题】Spring-security：即使在 JVM 重启后也能保持活动会话

【英文标题】：Spring-security : Maintaing active sessions even after JVM restart

【发布时间】：2016-06-21 00:43:02

【问题描述】：

我正在开发一个在 Tomcat 上运行的 Spring-MVC 项目，其中我有 Spring-security 用于身份验证和授权。由于我们的项目目前正在开发中，我们有比平时更多的部署。通常在部署后发生的情况是所有客户端都在服务器重新启动时注销。

有什么方法可以将会话数据放入数据库或某处，因此即使在 Tomcat/JVM 崩溃/重新启动后，已经登录的用户也不会遇到问题。

有解决这个问题的策略吗？知道怎么做吗？

security-applicationContext.xml：

 <!-- Global Security settings -->
    <security:http pattern="/resources/template/demo/clients" security="none"/>

    <security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true">
        <security:form-login login-page="/login" username-parameter="j_username" password-parameter="j_password"
                             login-processing-url="/j_spring_security_check" default-target-url="/dashboard"
                             always-use-default-target="true" authentication-failure-url="/denied"/>
        <security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService"
                              token-validity-seconds="1209600" data-source-ref="dataSource"/>
        <security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/>
     <!--<security:intercept-url pattern="/**" requires-channel="https"/>-->
        <security:port-mappings>
            <security:port-mapping http="80" https="443"/>
        </security:port-mappings>
        <security:logout logout-url="/logout" logout-success-url="/" success-handler-ref="myLogoutHandler"/>

        <security:session-management session-fixation-protection="migrateSession">
            <security:concurrency-control session-registry-ref="sessionReg" max-sessions="5" expired-url="/login"/>
        </security:session-management>
    </security:http>

    <beans:bean id="sessionReg" class="org.springframework.security.core.session.SessionRegistryImpl"/>

    <beans:bean id="rememberMeAuthenticationProvider"
                class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
        <beans:constructor-arg index="0" value="_spring_security_remember_me"/>
        <beans:constructor-arg index="1" ref="userDetailsService"/>
        <beans:constructor-arg index="2" ref="jdbcTokenRepository"/>
        <property name="alwaysRemember" value="true"/>
    </beans:bean>

    <beans:bean id="jdbcTokenRepository"
                class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
        <beans:property name="createTableOnStartup" value="false"/>
        <beans:property name="dataSource" ref="dataSource"/>
    </beans:bean>

    <!-- Remember me ends here -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="LoginServiceImpl">
            <security:password-encoder ref="encoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <beans:bean id="encoder"
                class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="11"/>
    </beans:bean>

    <beans:bean id="daoAuthenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="LoginServiceImpl"/>
        <beans:property name="passwordEncoder" ref="encoder"/>
    </beans:bean>
</beans>

登录服务实现：

@Transactional
@Service("userDetailsService")
public class LoginServiceImpl implements UserDetailsService 

    @Autowired
    private PersonDAO personDAO;

    @Autowired
    private Assembler assembler;

    public LoginServiceImpl() 
    

@Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException 
        Person person = personDAO.findPersonByUsername(username.toLowerCase());
        if (person == null) 
            throw new UsernameNotFoundException("Wrong username or password");
        
        return assembler.buildUserFromUserEntity(person);
    

汇编器：

@Service("assembler")
public class Assembler 
    @Transactional(readOnly = true)
    User buildUserFromUserEntity(Person userEntity) 
        String username = userEntity.getUsername().toLowerCase();
        String password = userEntity.getPassword();

        boolean enabled = userEntity.isEnabled();
        boolean accountNonExpired = userEntity.isAccountNonExpired();
        boolean credentialsNonExpired = userEntity.isCredentialsNonExpired();
        boolean accountNonLocked = userEntity.isAccountNonLocked();

        Collection<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

        return new User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
    

如果需要更多信息，请告诉我。谢谢.. :-)

【问题讨论】：

为什么这个问题被否决了？有什么解释吗？

看看这个问题和答案的想法：***.com/questions/13211615/…

@Fortunato ：Redis 选项听起来不错。我已经有了记住我的功能，正如链接所说，与 Redis 的 Spring-session 已经开箱即用。知道我必须在这个项目中进行哪些更改才能正确集成吗？

【参考方案1】：

不确定 Spring 中可用的配置，但可以使用 Tomcat（您提到使用 Tomcat）。

在您的 context.xml 文件中，找到此行/语句

<Manager pathname="" />

评论/删除此条目。这将在优雅的 tomcat 重新启动时启用会话持久性。