Java 如何在带有FilterChainProxy的SpringSecurity3.1中使用并发控制
您好,我正在尝试使用spring security3.1实现并发控制,但它不起作用。我正在使用FilterChainProxy,因此我不知道如何在其中使用并发控制。我尝试的代码如下所示,我缺少了什么请帮助我 Bean文件Java 如何在带有FilterChainProxy的SpringSecurity3.1中使用并发控制,java,spring,spring-security,Java,Spring,Spring Security,您好,我正在尝试使用spring security3.1实现并发控制,但它不起作用。我正在使用FilterChainProxy,因此我不知道如何在其中使用并发控制。我尝试的代码如下所示,我缺少了什么请帮助我 Bean文件 <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
">
<!-- Custom code by rajesh -->
<!-- =================================================================== -->
<!-- Create sessionRegistry Implementation Bean -->
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean name="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<property name="sessionRegistry" ref="sessionRegistry"/>
<property name="expiredUrl" value="/modules/my/login.do"/>
</bean>
<bean id="sas" class="com.xxxx.xxx.security.filter.MyConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<property name="securityImpl" ref="SecurityImpl"/>
</bean>
<!-- =================================================================== -->
<!-- Custom code ended by rajesh -->
<!-- Create ISecurity Implementation Bean -->
<bean id="SecurityImpl" class="com.xxxx.xxx.security.impl.SecurityImpl">
<property name="dao">
<bean class="com.xxxx.xxx.security.impl.SecurityDAO">
<property name="sessionFactory" ref="mySessionFactory" />
</bean>
</property>
<property name="sessionRegistry" ref="sessionRegistry" />
<property name="persistentRememberMeTokenRepositoryImpl" >
<bean
class="com.xxxx.xxx.impl.core.security.persisted.tokens.PersistentRememberMeTokenRepositoryImpl">
<property name="dao">
<bean
class="com.xxxx.xxx.impl.core.security.persisted.tokens.PersistentRememberMeTokenDAO">
<property name="sessionFactory" ref="mySessionFactory" />
</bean>
</property>
</bean>
</property>
</bean>
<bean id="ISecurityImpl"
class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
<property name="transactionManager" ref="myTransactionManager" />
<property name="target" ref="SecurityImpl" />
<property name="proxyTargetClass" value="false" />
<property name="transactionAttributes">
<props>
<prop key="set*">PROPAGATION_REQUIRED</prop>
<prop key="checkPasswordExpiry">PROPAGATION_REQUIRED</prop>
<prop key="expireSessionBySessionId">PROPAGATION_REQUIRED</prop>
</props>
</property>
</bean>
<bean id="myFilterSecurityInterceptor" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant" >
<security:filter-chain pattern="/**"
filters="securityContextPersistenceFilter,concurrencyFilter, logoutFilter, usernamePasswordAuthenticationFilter, rememberMeAuthenticationFilter, passwordExpiryFilter , anonymousAuthenticationFilter, accountExpiryFilter, exceptionTranslationFilter, filterSecurityInterceptor" />
</security:filter-chain-map>
</bean>
<bean id="securityContextPersistenceFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
<bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<!-- the post-logout destination -->
<constructor-arg value="/modules/my/login.do" />
<constructor-arg>
<array>
<ref bean="myRememberMeService"/>
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</array>
</constructor-arg>
<property name="filterProcessesUrl" value="/logout_my" />
</bean>
<bean id="usernamePasswordAuthenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="sessionAuthenticationStrategy" ref="sas" />
<property name="authenticationManager" ref="myAuthenticationManager" />
<property name="rememberMeServices" ref="myRememberMeService" />
<property name="filterProcessesUrl" value="/my_authentication_service"></property>
<property name="usernameParameter" value="loginid" />
<property name="passwordParameter" value="password" />
<property name="authenticationFailureHandler" ref="AuthenticationFailureHandler" />
<property name="authenticationSuccessHandler" ref="AuthenticationSuccessHandler" />
</bean>
<bean id="accountExpiryFilter" class="com.xxxx.xxx.security.filter.MyAccountExpiryFilter">
<property name="securityImpl" ref="SecurityImpl"/>
<property name="authenticationFailureHandler" ref="AuthenticationFailureHandler" />
<property name="authenticationSuccessHandler" ref="AuthenticationSuccessHandler" />
</bean>
<bean id="passwordExpiryFilter"
class="com.xxxx.xxx.security.filter.MyPasswordExpiryFilter">
<property name="securityImpl" ref="SecurityImpl"/>
<property name="authenticationFailureHandler" ref="AuthenticationFailureHandler" />
<property name="authenticationSuccessHandler" ref="AuthenticationSuccessHandler" />
</bean>
<bean id="AuthenticationFailureHandlerImpl"
class="com.xxxx.xxx.security.impl.AuthenticationFailureHandlerImpl">
<property name="dao">
<bean class="com.xxxx.xxx.security.impl.SecurityDAO">
<property name="sessionFactory" ref="mySessionFactory" />
</bean>
</property>
<property name="defaultFailureUrl" value="/modules/my/login.do?error=1" />
</bean>
<bean id="AuthenticationFailureHandler"
class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
<property name="transactionManager" ref="myTransactionManager" />
<property name="target" ref="AuthenticationFailureHandlerImpl" />
<property name="proxyTargetClass" value="true" />
<property name="transactionAttributes">
<props>
<prop key="onAuthenticationFailure">PROPAGATION_REQUIRED</prop>
</props>
</property>
</bean>
<bean id="AuthenticationSuccessHandlerImpl"
class="com.xxxx.xxx.security.impl.AuthenticationSuccessHandler">
<property name="dao">
<bean class="com.xxxx.xxx.security.impl.SecurityDAO">
<property name="sessionFactory" ref="mySessionFactory" />
</bean>
</property>
<property name="targetUrlParameter" value="redirect-to"></property>
</bean>
<bean id="AuthenticationSuccessHandler"
class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
<property name="transactionManager" ref="myTransactionManager" />
<property name="target" ref="AuthenticationSuccessHandlerImpl" />
<property name="proxyTargetClass" value="true" />
<property name="transactionAttributes">
<props>
<prop key="onAuthenticationSuccess">PROPAGATION_REQUIRED</prop>
</props>
</property>
</bean>
<bean id="rememberMeAuthenticationFilter"
class="com.xxxx.xxx.security.filter.MyRememberMeAuthenticationFilter">
<property name="rememberMeServices" ref="myRememberMeService" />
<property name="authenticationManager" ref="myAuthenticationManager" />
<property name="securityImpl" ref="SecurityImpl"/>
</bean>
<bean id="anonymousAuthenticationFilter"
class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
<property name="key" value="XXXXXXXX" />
</bean>
<bean id="exceptionTranslationFilter"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<bean
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/modules/my/login.do" />
</bean>
</property>
<property name="accessDeniedHandler" ref="AccessDeniedHandler" />
</bean>
<bean id="AccessDeniedHandlerImpl" class="com.xxxx.xxx.security.impl.AccessDeniedHandlerImpl">
<property name="dao">
<bean class="com.xxxx.xxx.security.impl.SecurityDAO">
<property name="sessionFactory" ref="mySessionFactory" />
</bean>
</property>
<property name="errorPage" value="/modules/errors/accessDenied.do" />
</bean>
<bean id="AccessDeniedHandler"
class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
<property name="transactionManager" ref="myTransactionManager" />
<property name="target" ref="AccessDeniedHandlerImpl" />
<property name="proxyTargetClass" value="true" />
<property name="transactionAttributes">
<props>
<prop key="handle">PROPAGATION_REQUIRED</prop>
</props>
</property>
</bean>
<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="myAuthenticationManager" />
<property name="accessDecisionManager" ref="myAffirmativeBasedAccessDecisionManager" />
<property name="securityMetadataSource">
<security:filter-security-metadata-source
use-expressions="true" lowercase-comparisons="true">
<!-- Core Actions -->
<security:intercept-url pattern="/modules/my/login.do"
access="permitAll" />
<security:intercept-url pattern="/modules/my/credentialExpired.do"
access="hasRole('ROLE_ANONYMOUS')" />
<security:intercept-url pattern="/modules/my/*"
access="hasRole('ROLE_ADMIN')" />
</security:filter-security-metadata-source>
</property>
</bean>
<bean class="org.springframework.security.access.vote.AffirmativeBased"
id="myAffirmativeBasedAccessDecisionManager">
<property name="decisionVoters">
<list>
<bean id="webExpressionVoter"
class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler" ref="MyWebSecurityExpressionHandler" />
</bean>
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</property>
</bean>
<bean id="MyWebSecurityExpressionHandler"
class="com.xxxx.xxx.security.spring.web.MyWebSecurityExpressionHandler">
<property name="iSecurity" ref="SecurityImpl" />
<property name="roleHierarchy">
<bean
class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
<value>
ROLE_MY > ROLE_ADMIN
ROLE_ADMIN > ROLE_USER
ROLE_USER > ROLE_PORTAL_USER
ROLE_PORTAL_USER > ROLE_GUEST
ROLE_GUEST > ROLE_ANONYMOUS
</value>
</property>
</bean>
</property>
</bean>
<bean id="myAuthenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="authenticationEventPublisher" ref="myAuthEventPublisher" />
<property name="providers">
<list>
<bean
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="myUserDetailsService" />
<property name="passwordEncoder">
<bean id="myPasswordEncoder"
class="com.xxxx.xxx.security.spring.MyPasswordEncoder">
<property name="passwordEncryptor" ref="myPasswordEncryptor"></property>
</bean>
</property>
</bean>
<bean
class="org.springframework.security.authentication.AnonymousAuthenticationProvider ">
<property name="key" value="xxxxxxxxxxxxxx" />
</bean>
<bean
class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<property name="key" value="MY_SECURE_REMME_MY_APP" />
</bean>
</list>
</property>
</bean>
<bean id="myUserDetailsService" class="com.xxxx.xxx.impl.core.users.UserImpl">
<property name="dao" ref="userDao" />
<property name="passwordEncryptor" ref="myPasswordEncryptor" />
</bean>
<!-- like for example at new user sign-up. -->
<bean id="myRememberMeService"
class="com.xxxx.xxx.security.impl.DefaultMyRememberMeServices">
<property name="tokenRepository">
<bean
class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
<property name="transactionManager" ref="myTransactionManager" />
<property name="target">
<bean
class="com.xxxx.xxx.impl.core.security.persisted.tokens.PersistentRememberMeTokenRepositoryImpl">
<property name="dao">
<bean
class="com.xxxx.xxx.impl.core.security.persisted.tokens.PersistentRememberMeTokenDAO">
<property name="sessionFactory" ref="mySessionFactory" />
</bean>
</property>
</bean>
</property>
<property name="proxyTargetClass" value="false" />
<property name="transactionAttributes">
<props>
<prop key="*">PROPAGATION_REQUIRED</prop>
</props>
</property>
</bean>
</property>
<property name="userDetailsService" ref="myUserDetailsService" />
<property name="key" value="MY_SECURE_REMME_MY_APP" />
<property name="alwaysRemember" value="false" />
<property name="useSecureCookie" value="true" />
<property name="cookieName" value="MY_SECURE_REMME" />
<property name="parameter" value="MY_REMME" />
<property name="dao">
<bean class="com.xxxx.xxx.security.impl.SecurityDAO">
<property name="sessionFactory" ref="mySessionFactory" />
</bean>
</property>
</bean>
<bean id="myPasswordEncryptor" class="com.xxxx.xxx.security.spring.MyPasswordEncryptor" />
<bean id="myAuthEventPublisher"
class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />
<bean id="authenticationListener"
class="org.springframework.security.authentication.event.LoggerListener" />
<bean id="authorizationListener"
class="org.springframework.security.access.event.LoggerListener" />
<bean id="DatabaseConfigImpl" class="com.xxxx.xxx.impl.core.database.config.DatabaseConfigImpl"></bean>
<bean id="IDatabaseConfig" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
<property name="target" ref="DatabaseConfigImpl" />
<property name="proxyTargetClass" value="false"/>
<property name="transactionAttributes">
<props>
<prop key="add*">PROPAGATION_REQUIRED</prop>
<prop key="update*">PROPAGATION_REQUIRED</prop>
<prop key="delete*">PROPAGATION_REQUIRED</prop>
</props>
</property>
</bean>
</beans>
需要进行传播
需要进行传播
需要进行传播
需要进行传播
需要进行传播
需要进行传播
角色\我的>角色\管理员
角色\管理>角色\用户
角色用户>角色门户用户
角色\门户\用户>角色\来宾
角色\u来宾>角色\u匿名
需要进行传播
需要进行传播
需要进行传播
需要进行传播
在此MyConcurrentSessionControlStrategy类中,使用自定义实现扩展了ConcurrentSessionControlStrategy类。我还使用自定义筛选器。我还在web.xml中添加了HttpSessionEventPublisher
我的应用程序正在运行。我不知道如何应用并发控制 由于您没有显示
用户名密码身份验证过滤器的配置,我的第一个猜测是您忘记了通过将ConcurrentSessionControlStrategy
注入该bean来添加必要的钩子。在添加您自己的自定义版本的类之前,您应该表明您可以让它与标准类一起工作。中有一个配置示例。从这里开始,确保它起作用,然后尝试添加您的MyConcurrentSessionControlStrategy
。如果看不到该类的代码,很容易就会发现其中存在错误
此外,如果您试图描述一个问题,您应该详细解释什么“不起作用”,即使只是在您认为应该启用的时候该功能似乎没有启用。调试日志也是一个有用的信息源