Spring security SessionRegistry and bean based configuration woes

Posted: 2012-08-30 15:07:21

Question:

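I am using Spring Security 3.0.5 and am trying to get a count of the currently logged-in users. My scenario is pre-authentication, and I use bean-based configuration rather than `<http>` namespace-based configuration (in which case this seems to be trivial).

My configuration file is as follows: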

<beans:bean id="springSecurityFilterChain"
    class="org.springframework.security.web.FilterChainProxy">
    <filter-chain-map path-type="ant">
        <filter-chain pattern="/**/resources/**" filters="none" />
        <filter-chain pattern="/**/logout/**" filters="none" />
        <filter-chain pattern="/service/**" filters="none" />
        <filter-chain pattern="/**"
            filters="sif,concurrencyFilter,shibbolethFilter,smf,logoutFilter,etf,fsi" />

    </filter-chain-map>
</beans:bean>

<beans:bean id="sif"
    class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

<beans:bean id="scr"
    class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />

<beans:bean id="smf"
    class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository"
        ref="scr" />
    <beans:property name="sessionAuthenticationStrategy"
        ref="sas" />
</beans:bean>

<beans:bean id="shibbolethFilter"
    class="PreAuthenticatedShibbolethAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="exceptionIfHeaderMissing" value="true" />
    <beans:property name="continueFilterChainOnUnsuccessfulAuthentication"
        value="true" />
    <beans:property name="developmentMode" value="true" />
    <beans:property name="authenticationSuccessHandler"
        ref="customAuthenticationSuccessHandlerBean" />
</beans:bean>

<beans:bean id="sas"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry"
        ref="sessionRegistry" />
    <beans:property name="maximumSessions" value="1" />
</beans:bean>

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

<beans:bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl" value="/session-expired.html" />
</beans:bean>

<authentication-manager alias="authenticationManager">
    <authentication-provider ref='preauthAuthProvider' />
</authentication-manager>

<beans:bean id="preauthAuthProvider"
    class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean id="userDetailsServiceWrapper"
            class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <beans:property name="userDetailsService" ref="userDetailsService" />
        </beans:bean>
    </beans:property>
</beans:bean>

<beans:bean id="logoutHandlerBean"
    class="LogoutSuccessHandlerImpl" />

<beans:bean id="userDetailsService"
    class="CustomJdbcDaoImpl">
    <beans:property name="dataSource" ref="projectDS" />
    <beans:property name="enableGroups" value="true" />
    <beans:property name="enableAuthorities" value="false" />
</beans:bean>

In my controller I have the following code:

@Resource(name="sessionRegistry")
private SessionRegistry sessionReg;

// Log every session (expired ones included) of every principal in the registry
private void doTest() {
    List<Object> principals = sessionReg.getAllPrincipals();
    for (Object o : principals) {
        List<SessionInformation> siList = sessionReg.getAllSessions(o,
                true);
        for (SessionInformation si : siList) {
            logger.error(si.getSessionId() + " " + si.getPrincipal());
        }
    }
}

The list principals is always empty. I feel that the PreAuthenticatedShibbolethAuthenticationFilter filter, which extends AbstractPreAuthenticatedProcessingFilter, should get a ref to the ConcurrentSessionControlStrategy; however, there is no such property that can be set.

What am I missing?

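Comments:

Is the "maximumSessions=1" restriction working as expected, i.e. can one principal authenticate twice? Is PreAuthenticatedShibbolethAuthenticationFilter a custom class you wrote? If so, can you tell us which base class it extends?

Answer 1:

SecurityContextPersistenceFilter needs a SecurityContextRepository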

<bean id="sif" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" >
<property name="securityContextRepository" ref="scr" />
</bean>
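
Once the registry is being populated, the count the question is after can be taken as sketched below. This is an added example, not code from the original post or from Spring Security itself; the class name LoggedInUserCounter and its methods are hypothetical, and it assumes the "sessionRegistry" bean from the question's configuration is injected.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;

/** Hypothetical helper (not from the original post) around the "sessionRegistry" bean. */
public class LoggedInUserCounter {

    private final SessionRegistry sessionRegistry;

    public LoggedInUserCounter(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /** Principals that hold at least one session not marked as expired. */
    public List<Object> activePrincipals() {
        List<Object> active = new ArrayList<Object>();
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            // includeExpiredSessions=false: with maximumSessions=1 the strategy
            // marks the older session as expired, but it stays in the registry
            // until the session is invalidated, so passing true (as doTest()
            // does) would also list users whose only session was displaced.
            List<SessionInformation> live =
                    sessionRegistry.getAllSessions(principal, false);
            if (!live.isEmpty()) {
                active.add(principal);
            }
        }
        return active;
    }

    /** Number of distinct principals with a live session. */
    public int countLoggedInUsers() {
        return activePrincipals().size();
    }
}
```

SessionRegistryImpl drops an entry only when it receives a SessionDestroyedEvent, so HttpSessionEventPublisher must be registered as a listener in web.xml; without it, timed-out sessions stay in the registry and inflate the count.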
