使用 Spring Security 的在线用户
Posted
技术标签:
【中文标题】使用 Spring Security 的在线用户【英文标题】:Online users with Spring Security 【发布时间】:2012-03-01 23:18:04 【问题描述】:我正在使用 Spring Security,我想知道哪些用户当前在线。我首先尝试了使用SessionRegistryImpl
和<session-management session-authentication-strategy-ref="..." ... />
的方法,但我猜这个列表存储在内存中,我想避免它(这将是一个巨大的网站,很多用户会同时在线,列表可能会变得很大)。如果我错了,请纠正我。
我尝试的第二种方法是使用侦听器和HttpSessionListener
接口和自定义AuthenticationManager
并将“在线标志”存储在数据库中。基本上,该标志在我的身份验证管理器的authenticate(...)
方法中设置为true,在我的会话监听器的sessionDestroyed(...)
方法中设置为false。
web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>Test</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/security.xml</param-value>
</context-param>
<!-- Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>my.package.SessionListener</listener-class>
</listener>
<servlet>
<servlet-name>test</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>test</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>1</session-timeout>
</session-config>
</web-app>
Spring 安全配置:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<beans:bean id="authenticationManager" class="my.package.security.AuthenticationManager" />
<http disable-url-rewriting="true" authentication-manager-ref="authenticationManager">
<!--<intercept-url pattern="/" access="ROLE_ANONYMOUS" />-->
<intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/favicon.ico" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/*" access="ROLE_USER" />
<form-login login-processing-url="/authorize" login-page="/login" authentication-failure-url="/login-failed" />
<logout logout-url="/logout" logout-success-url="/login" />
<remember-me data-source-ref="dataSource" />
</http>
</beans:beans>
my.package.SessionListener:
public class SessionListener implements HttpSessionListener
public void sessionCreated(HttpSessionEvent httpSessionEvent)
public void sessionDestroyed(HttpSessionEvent httpSessionEvent)
UserJpaDao userDao = WebApplicationContextUtils.getWebApplicationContext(httpSessionEvent.getSession().getServletContext()).getBean(UserJpaDao.class);
Authentication a = SecurityContextHolder.getContext().getAuthentication();
if(a != null)
User loggedInUser = userDao.findByAlias(a.getName());
if(loggedInUser != null)
loggedInUser.setOnline(false);
userDao.save(loggedInUser);
my.package.security.AuthenticationManager:
public class AuthenticationManager implements org.springframework.security.authentication.AuthenticationManager
@Autowired
UserJpaDao userDao;
public Authentication authenticate(Authentication authentication) throws AuthenticationException
User loggedInUser = null;
Collection<? extends GrantedAuthority> grantedAuthorities = null;
...
loggedInUser = userDao.findByAlias(authentication.getName());
if(loggedInUser != null)
// Verify password etc.
loggedInUser.setOnline(true);
userDao.save(loggedInUser);
else
loggedInUser = null;
throw new BadCredentialsException("Unknown username");
return new UsernamePasswordAuthenticationToken(loggedInUser, authentication.getCredentials(), grantedAuthorities);
sessionCreated
和 sessionDestroyed
被正确触发,但 SecurityContextHolder.getContext().getAuthentication();
始终为空。
更新:几乎一切都运行良好。唯一的问题是,当会话因超时而过期时,SecurityContextHolder.getContext().getAuthentication()
在sessionDestroyed(...)
方法中返回 null。手动触发注销时效果很好。
有人可以帮助我吗?非常感谢任何提示。
谢谢
【问题讨论】:
【参考方案1】:我决定采用会话注册方法(只是因为我无法使其他方法工作)。这是我的代码(重要部分)。
web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>Test</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/security.xml
</param-value>
</context-param>
...
<!-- Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<servlet>
<servlet-name>test</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>test</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>1</session-timeout>
</session-config>
</web-app>
security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<beans:bean id="authenticationManager" class="my.package.security.AuthenticationManager" />
<beans:bean id="userDetailsDao" class="my.package.dao.UserDetailsDao" />
<http disable-url-rewriting="true" authentication-manager-ref="authenticationManager">
<intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/favicon.ico" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/*" access="ROLE_USER" />
<form-login login-processing-url="/authorize" login-page="/login" authentication-failure-url="/login-failed" />
<logout logout-url="/logout" logout-success-url="/login" />
<remember-me data-source-ref="dataSource" user-service-ref="userDetailsDao" />
<session-management session-authentication-strategy-ref="sas" invalid-session-url="/invalid-session" />
</http>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
</beans:beans>
my.package.security.AuthenticationManager:
public class AuthenticationManager implements org.springframework.security.authentication.AuthenticationManager
@Autowired
UserJpaDao userDao;
public Authentication authenticate(Authentication authentication) throws AuthenticationException
UserDetails userDetails = null;
if(authentication.getPrincipal() == null || authentication.getCredentials() == null)
throw new BadCredentialsException("Invalid username/password");
User loggedInUser = userDao.findByAlias(authentication.getName());
if(loggedInUser != null)
// TODO: check credentials
userDetails = new UserDetails(loggedInUser);
else
loggedInUser = null;
throw new BadCredentialsException("Unknown username");
return new UsernamePasswordAuthenticationToken(userDetails, authentication.getCredentials(), userDetails.getAuthorities());
my.package.dao.UserDetailsDao(这仅用于记住我的功能):
public class UserDetailsDao implements UserDetailsService
@Autowired
UserJpaDao userDao;
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
User user = userDao.findByAlias(username);
if(user != null)
return new UserDetails(user);
throw new UsernameNotFoundException("The specified user cannot be found");
my.package.UserDetails:
public class UserDetails implements org.springframework.security.core.userdetails.UserDetails
private String alias;
private String encryptedPassword;
public UserDetails(User user)
this.alias = user.getAlias();
this.encryptedPassword = user.getEncryptedPassword();
@Override
public Collection<? extends GrantedAuthority> getAuthorities()
ArrayList<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return authorities;
@Override
public String getPassword()
return this.encryptedPassword;
@Override
public String getUsername()
return this.alias;
@Override
public boolean isAccountNonExpired()
return true;
@Override
public boolean isAccountNonLocked()
return true;
@Override
public boolean isCredentialsNonExpired()
return true;
@Override
public boolean isEnabled()
return true;
sessionRegistry.getAllPrincipals()
将返回一个List<Object>
“可转换”给List<UserDetails>
。
我的代码获取在线用户列表,其中User
类型的对象通过JPA持久化在数据库中:
List<User> onlineUsers = userDao.findByListOfUserDetails((List<UserDetails>)(List<?>)sessionRegistry.getAllPrincipals());
注意:sessionRegistry
是 SessionRegistryImpl
类的自动装配实现。
注意:对于记住我的功能,我使用的是持久令牌方法。数据库中需要persistent_logins
(请参阅10.3 Persistent Token Approach)。
希望这对其他人有用。
【讨论】:
【参考方案2】:您不能使用 SecurityContextHolder
获取 SessionListener
中的 Principal,因为这仅在请求的上下文中有效。
您需要的所有信息都在会话本身中
例子:
@Override
public void sessionDestroyed(HttpSessionEvent se)
HttpSession session = se.getSession();
SecurityContext context = (SecurityContext)session.getAttribute("SPRING_SECURITY_CONTEXT");
Authentication authentication = context.getAuthentication();
Object principal = authentication.getPrincipal();
// Your code goes here
【讨论】:
我可以使用 SecurityContextHolder 以防用户单击注销链接,但如果会话超时仅适用于此解决方案。谢谢! (我需要它来协议注销。)以上是关于使用 Spring Security 的在线用户的主要内容,如果未能解决你的问题,请参考以下文章