Java Spring Security 3.2 and maximumSessions - logout without updating SessionRegistry

Problem scenario:
I am trying to configure session management with Spring Security v3.2.3 and Java config so that maximumSessions is set to 1 and maxSessionsPreventsLogin is set to true, e.g.

```java
.sessionManagement()
    .maximumSessions(1)
    .maxSessionsPreventsLogin(true);
```

This means that if someone logs in, and the same login is then used again in a different browser, the original login stays logged in and the second person trying to log in is rejected.
Code problem:
I have tried to follow the examples and hints in the Javadoc, but the main problem with my code is that when you run my example code (see below) you can log in once and then log out, but if you try to log in again you are blocked, because Spring Security has not recognised that you logged out.
I have traced this to the Spring class SessionRegistryImpl: when you log in, the registerNewSession method is called, but when you log out the removeSessionInformation method is not called, which leaves you unable to log in again.
I know the removeSessionInformation method is not being called because it should be triggered by a specific type of listener that is not set by default. To set it in a subclass of AbstractSecurityWebApplicationInitializer you have to override the method enableHttpSessionEventPublisher and return true. The Javadoc for this method states that it "should be true if session management has specified a maximum number of sessions". Doing this seems to make no difference; logging out still does not trigger a call to the removeSessionInformation method in SessionRegistryImpl.
The other thing I tried, without success, was adding the @Order annotation to the various classes, as suggested in the warning section of the Javadoc for the AbstractSecurityWebApplicationInitializer class. This also made no difference.
Is my code missing something or wrong, or is there a problem with Spring Security?
I am using Java 1.7.0_51 and Tomcat 7.0.53.
Below is the code I am using, the JSPs, and a pom.xml with the libs used. I have tried to reduce the example to its simplest form.
The example lets you log in, see a welcome page with a logout button, and then click the logout button.
MessageSecurityWebApplicationInitializer class:

```java
package com.test.config;

import org.springframework.security.web.context.*;

public class MessageSecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected boolean enableHttpSessionEventPublisher() {
        return true;
    }
}
```
WebAppInitializer class:

```java
package com.test.config;

import org.springframework.web.filter.CharacterEncodingFilter;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

import javax.servlet.Filter;

public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { WebSecurityConfig.class, MvcConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class<?>[] { WebConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }

    @Override
    protected Filter[] getServletFilters() {
        CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
        characterEncodingFilter.setEncoding("UTF-8");
        return new Filter[] { characterEncodingFilter };
    }
}
```
MvcConfig class:

```java
package com.test.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/").setViewName("home");
    }
}
```
WebConfig class:

```java
package com.test.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.view.JstlView;
import org.springframework.web.servlet.view.UrlBasedViewResolver;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = {"com.test.web.controller"})
public class WebConfig {

    @Bean
    public UrlBasedViewResolver setupViewResolver() {
        UrlBasedViewResolver resolver = new UrlBasedViewResolver();
        resolver.setPrefix("/WEB-INF/jsp/");
        resolver.setSuffix(".jsp");
        resolver.setViewClass(JstlView.class);
        return resolver;
    }

    @Bean
    public RequestMappingHandlerAdapter setupPageCache() {
        RequestMappingHandlerAdapter adapter = new RequestMappingHandlerAdapter();
        adapter.setCacheSeconds(0);
        return adapter;
    }
}
```
WebSecurityConfig class:

```java
package com.test.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/login?logout")
                .permitAll()
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}
```
CommonController class:

```java
package com.test.web.controller;

import javax.servlet.http.HttpServletRequest;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class CommonController {

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String viewLoginPage(HttpServletRequest request, Model model) {
        return "login";
    }
}
```
login.jsp:

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Test</title>
</head>
<body id="loginPage">
<div id="loginWrapper">
    <div id="loginForm">
        <noscript>
            <div>
                <spring:message code="login.javascript_disabled" text="JavaScript is not enabled on your browser." />
            </div>
        </noscript>
        <c:url value="/login" var="loginUrl"/>
        <form action="${loginUrl}" method="post">
            <c:if test="${param.error != null}">
                <p>
                    Invalid username and password.
                </p>
            </c:if>
            <c:if test="${param.logout != null}">
                <p>
                    You have logged out.
                </p>
            </c:if>
            <p>
                <label for="username">Username</label>
                <input type="text" id="username" name="username"/>
            </p>
            <p>
                <label for="password">Password</label>
                <input type="password" id="password" name="password"/>
            </p>
            <input type="hidden"
                   name="${_csrf.parameterName}"
                   value="${_csrf.token}"/>
            <button type="submit" class="btn">Log in</button>
        </form>
    </div>
</div>
</body>
</html>
```
home.jsp:

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE HTML>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Spring Security Example</title>
</head>
<body>
    <h1>Welcome!</h1>
    <c:url var="logoutUrl" value="/logout"/>
    <form action="${logoutUrl}"
          method="post">
        <input type="submit" value="Log out"/>
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    </form>
</body>
</html>
```
pom.xml:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.testing.automation</groupId>
    <artifactId>test-simple</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>test-simple</name>
    <packaging>war</packaging>
    <description>Test for single session.</description>

    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>3.0.1</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context</artifactId>
            <version>4.0.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>4.0.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>3.2.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>3.2.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>3.2.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>3.2.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet.jsp.jstl</groupId>
            <artifactId>javax.servlet.jsp.jstl-api</artifactId>
            <version>1.2.1</version>
        </dependency>
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>
        <dependency>
            <groupId>taglibs</groupId>
            <artifactId>standard</artifactId>
            <version>1.1.2</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
        </dependency>
        <dependency>
            <groupId>org.apache.httpcomponents</groupId>
            <artifactId>httpclient</artifactId>
            <version>4.3.3</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-eclipse-plugin</artifactId>
                <version>2.9</version>
                <configuration>
                    <wtpversion>2.0</wtpversion>
                    <wtpContextName>mmtest</wtpContextName>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.0</version>
                <configuration>
                    <source>1.7</source>
                    <target>1.7</target>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
```
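Added example, not code from the question nor from Spring Security's own documentation: one common way to make a logout visible to concurrency control is to declare the SessionRegistry as an explicit bean and pass that same instance to `maximumSessions(...).sessionRegistry(...)`. SessionRegistryImpl listens for the SessionDestroyedEvent that HttpSessionEventPublisher (registered with the container by the `enableHttpSessionEventPublisher()` override in the question) publishes when `invalidateHttpSession(true)` destroys the session, so the registry the ConcurrentSessionControl strategy consults is the one that gets cleaned up. Whether this resolves the exact behaviour in the question is an assumption. The `/sessions` diagnostic endpoint, the `admin` user, the `SessionDiagnosticsController` class and the file paths are hypothetical additions for observing the registry's state during a test; they are not part of the original project.

```java
// File: src/main/java/com/test/config/WebSecurityConfig.java (hypothetical revision of the question's class)
package com.test.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Explicit registry bean in the root context. SessionRegistryImpl implements
    // ApplicationListener<SessionDestroyedEvent>; as a managed singleton it receives the
    // event published by HttpSessionEventPublisher on session destruction (logout with
    // invalidateHttpSession(true), or timeout) and calls removeSessionInformation itself.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/sessions").hasRole("ADMIN")   // diagnostic view, admins only (assumed role)
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .invalidateHttpSession(true)        // container fires HttpSessionListener.sessionDestroyed
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/login?logout")
                .permitAll()
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry()); // the same instance the listener updates
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER").and()
                .withUser("admin").password("password").roles("USER", "ADMIN"); // hypothetical test user
    }
}

// File: src/main/java/com/test/web/controller/SessionDiagnosticsController.java (hypothetical)
package com.test.web.controller;

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class SessionDiagnosticsController {

    private final SessionRegistry sessionRegistry; // root-context bean, visible to the servlet context

    @Autowired
    public SessionDiagnosticsController(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    // Plain-text summary of what the registry currently believes. After a logout the
    // principal should disappear (or its non-expired count drop to 0); if it does not,
    // the SessionDestroyedEvent is not reaching this registry instance. Session ids are
    // deliberately not echoed, only counts and last-request timestamps.
    @RequestMapping(value = "/sessions", method = RequestMethod.GET, produces = "text/plain")
    @ResponseBody
    public String listActiveSessions() {
        StringBuilder out = new StringBuilder();
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            String name = principal instanceof UserDetails
                    ? ((UserDetails) principal).getUsername() : principal.toString();
            List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, false);
            out.append(name).append(": ").append(sessions.size()).append(" active session(s)\n");
            for (SessionInformation info : sessions) {
                out.append("  last request at ").append(info.getLastRequest()).append('\n');
            }
        }
        return out.length() == 0 ? "registry is empty\n" : out.toString();
    }
}
```

To use it, log in as `user` in one browser, then log in as `admin` in another and request `/sessions`; log `user` out in the first browser and request `/sessions` again. If the `user` entry is still listed with one active session after the logout, the registry instance behind concurrency control is not receiving session-destroyed events, which narrows the problem to listener registration rather than to the `maximumSessions` setting itself.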
I ran into a similar problem with Spring Security (the configuration was done programmatically, not in XML).
I could log in, but when I logged out, invalidateHttpSession()
did not work. The session was not invalidated because, for some reason, the corresponding method was not being called.
The problem was resolved by removing the basic authentication filter I was using in the bootstrap.
So, with the wrong filter declaration o