Java Spring安全性:即使在JVM重新启动后仍保持活动会话
我正在从事一个在Tomcat上运行的SpringMVC项目,在该项目中,我拥有用于身份验证和授权的SpringSecurity。由于我们的项目目前正在开发中,我们的部署比平时更多。通常,部署后发生的情况是,在服务器重新启动时,所有客户端都将注销 是否有任何方法可以将会话数据放入数据库或其他地方,这样即使在Tomcat/JVM崩溃/重启之后,已经登录的用户也不会有问题 有没有解决这个问题的策略?知道怎么做吗 security-applicationContext.xml:Java Spring安全性:即使在JVM重新启动后仍保持活动会话,java,spring,spring-mvc,authentication,spring-security,Java,Spring,Spring Mvc,Authentication,Spring Security,我正在从事一个在Tomcat上运行的SpringMVC项目,在该项目中,我拥有用于身份验证和授权的SpringSecurity。由于我们的项目目前正在开发中,我们的部署比平时更多。通常,部署后发生的情况是,在服务器重新启动时,所有客户端都将注销 是否有任何方法可以将会话数据放入数据库或其他地方,这样即使在Tomcat/JVM崩溃/重启之后,已经登录的用户也不会有问题 有没有解决这个问题的策略?知道怎么做吗 security-applicationContext.xml: <!-- Glo
<!-- Global Security settings -->
<security:http pattern="/resources/template/demo/clients" security="none"/>
<security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true">
<security:form-login login-page="/login" username-parameter="j_username" password-parameter="j_password"
login-processing-url="/j_spring_security_check" default-target-url="/dashboard"
always-use-default-target="true" authentication-failure-url="/denied"/>
<security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService"
token-validity-seconds="1209600" data-source-ref="dataSource"/>
<security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/>
<!--<security:intercept-url pattern="/**" requires-channel="https"/>-->
<security:port-mappings>
<security:port-mapping http="80" https="443"/>
</security:port-mappings>
<security:logout logout-url="/logout" logout-success-url="/" success-handler-ref="myLogoutHandler"/>
<security:session-management session-fixation-protection="migrateSession">
<security:concurrency-control session-registry-ref="sessionReg" max-sessions="5" expired-url="/login"/>
</security:session-management>
</security:http>
<beans:bean id="sessionReg" class="org.springframework.security.core.session.SessionRegistryImpl"/>
<beans:bean id="rememberMeAuthenticationProvider"
class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<beans:constructor-arg index="0" value="_spring_security_remember_me"/>
<beans:constructor-arg index="1" ref="userDetailsService"/>
<beans:constructor-arg index="2" ref="jdbcTokenRepository"/>
<property name="alwaysRemember" value="true"/>
</beans:bean>
<beans:bean id="jdbcTokenRepository"
class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
<beans:property name="createTableOnStartup" value="false"/>
<beans:property name="dataSource" ref="dataSource"/>
</beans:bean>
<!-- Remember me ends here -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="LoginServiceImpl">
<security:password-encoder ref="encoder"/>
</security:authentication-provider>
</security:authentication-manager>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11"/>
</beans:bean>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="LoginServiceImpl"/>
<beans:property name="passwordEncoder" ref="encoder"/>
</beans:bean>
</beans>
汇编程序:
@Service("assembler")
public class Assembler {
@Transactional(readOnly = true)
User buildUserFromUserEntity(Person userEntity) {
String username = userEntity.getUsername().toLowerCase();
String password = userEntity.getPassword();
boolean enabled = userEntity.isEnabled();
boolean accountNonExpired = userEntity.isAccountNonExpired();
boolean credentialsNonExpired = userEntity.isCredentialsNonExpired();
boolean accountNonLocked = userEntity.isAccountNonLocked();
Collection<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return new User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
}
}
@服务(“汇编程序”)
公共类汇编程序{
@事务(只读=真)
用户buildUserFromUserEntity(Person userEntity){
字符串username=userEntity.getUsername().toLowerCase();
字符串password=userEntity.getPassword();
boolean enabled=userEntity.isEnabled();
布尔AccountNoneExpired=userEntity.IsAccountNoneExpired();
boolean credentialsNonExpired=userEntity.isCredentialsNonExpired();
布尔AccountNonlock=userEntity.IsAccountNonlock();
收集权限=新建ArrayList();
添加(新的SimpleGrantedAuthority(“角色用户”);
返回新用户(用户名、密码、已启用、AccountNoExpired、CredentialsNoExpired、AccountNoLocked、权限);
}
}
如果需要更多信息,请告诉我。谢谢……:) 不确定Spring中可用的配置,但这在Tomcat中是可能的(您提到过使用Tomcat) 在context.xml文件中,找到以下行/语句
<Manager pathname="" />
注释/删除此条目。这将在tomcat重启期间启用会话持久性 为什么这个问题被否决了?有什么解释吗?看看这个问题和答案,看看有什么想法:@Fortunato:Redis选项听起来不错。我已经有了记忆我的功能,正如链接所说,与Redis的Spring会话已经开箱即用。你知道我在这个项目中需要改变什么才能进行适当的整合吗?
<Manager pathname="" />