Spring Security:SessionRegistry 与 PersistentTokenBasedRememberMeServices 配合使用


我的应用程序的安全系统基于 Spring Security 3.1。我正在使用 PersistentTokenBasedRememberMeServices。

我需要使用 SessionRegistryImpl 显示所有已登录用户的列表。问题是,当用户通过 remember-me 自动登录(成为“remember-me 用户”)时,其会话不会出现在 SessionRegistry 中。

我的配置文件:web.xml

<!-- Servlet listener that starts Spring's root application context when the web application starts. -->
<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

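<!-- Publishes HTTP session lifecycle events into the Spring context. SessionRegistryImpl listens
     for the session-destroyed event to drop its entries; without this listener, sessions that
     have ended would presumably remain listed as logged in. -->
<listener>
    <listener-class>
        org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>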

org.springframework.web.context.ContextLoaderListener
org.springframework.security.web.session.HttpSessionEventPublisher

以及 spring-security.xml:

<!-- HTTP security chain built from explicitly declared filters (auto-config is off).
     NOTE(review): the "sas" session strategy is referenced only by authenticationFilter. A
     remember-me login does not pass through that filter, so it presumably never reaches the
     strategy that registers sessions; such sessions would then be missing from the registry and
     would not count towards the maximumSessions limit. One answer on this page says the same
     strategy must also be referenced from a session-management element; confirm against the
     Spring Security 3.1 reference. -->
<s:http auto-config="false" entry-point-ref="authenticationEntryPoint" > 

    <s:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
    <s:custom-filter position="REMEMBER_ME_FILTER" ref="rememberMeFilter" />
    <s:custom-filter position="CONCURRENT_SESSION_FILTER" ref= "concurrencyFilter" />           
    <s:custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />

    <!-- NOTE(review): both patterns end in "/"; verify that URLs without a trailing slash are
         still matched, because a request that matches no intercept-url rule is not
         access-controlled by these rules. -->
    <s:intercept-url pattern="/admin/**/" access="ROLE_ADMIN"/>     
    <!-- Anonymous visitors are given ROLE_GUEST below, so this rule also admits unauthenticated
         requests to everything outside /admin/ (assuming the default access decision setup). -->
    <s:intercept-url pattern="/**/" access="ROLE_USER, ROLE_GUEST"/>        
    <s:anonymous username="guest" granted-authority="ROLE_GUEST" />

</s:http>



<!-- Logout filter listening on /logout/. The first constructor argument is the URL the user is
     sent to after logout; the second is the list of logout handlers to run. -->
<bean 
  id="logoutFilter"
  class="org.springframework.security.web.authentication.logout.LogoutFilter"
  p:filterProcessesUrl="/logout/">
  <constructor-arg value="/login/" />
    <constructor-arg>
    <list>
      <!-- The remember-me services bean is listed as a logout handler so that the remember-me
           login is cancelled on logout; otherwise the cookie would log the user straight back in. -->
      <ref bean="rememberMeServices" />
      <!-- Invalidates the HTTP session on logout. -->
      <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" p:invalidateHttpSession="true"/>
    </list>
    </constructor-arg>
</bean>


<!-- Entry point referenced by the http element: sends unauthenticated users to the login form. -->
<bean id="authenticationEntryPoint"  
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
    p:loginFormUrl="/login/"/>


<!-- Target after a successful form login (used by authenticationFilter). -->
<bean id="customAuthenticationSuccessHandler" 
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
    p:defaultTargetUrl="/index/" />


<!-- Target after a failed form login (used by authenticationFilter). -->
<bean id="customAuthenticationFailureHandler" 
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
    p:defaultFailureUrl="/login/error/" />


<!-- Persistent-token remember-me: tokens are stored through jdbcTokenRepository and users are
     reloaded through hibernateUserService. tokenValiditySeconds 1209600 is 14 days.
     NOTE(review): the key is hard-coded here and must stay identical to the key on
     rememberMeAuthenticationProvider; consider supplying it from an externalised property rather
     than committing it with the configuration.
     NOTE(review): a remember-me cookie is a long-lived credential; confirm it is only sent over
     HTTPS (see the useSecureCookie property; verify it exists in the deployed version). -->
<bean id="rememberMeServices" 
    class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices"
    p:tokenRepository-ref="jdbcTokenRepository"
    p:userDetailsService-ref="hibernateUserService"
    p:key="pokeristStore"
    p:tokenValiditySeconds="1209600" />

<!-- JDBC-backed store for the persistent remember-me tokens; the stored rows are login
     credentials and the table should be protected accordingly. -->
<bean id="jdbcTokenRepository" 
    class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl"
    p:dataSource-ref="dataSource"/>

<!-- Accepts remember-me authentication tokens whose key matches the one set on rememberMeServices. -->
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider"
    p:key="pokeristStore" />

<!-- Filter that performs the automatic remember-me login. Only the remember-me services and the
     authentication manager are wired in; no session authentication strategy is configured on
     this bean, unlike authenticationFilter. -->
<bean id="rememberMeFilter" 
    class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter"
    p:rememberMeServices-ref="rememberMeServices"
    p:authenticationManager-ref="authenticationManager" />


<!-- Form-login filter. It is the only bean in this file that references the "sas" strategy, so
     only username/password logins are passed to the concurrent-session strategy that records
     sessions in the session registry. -->
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
    p:sessionAuthenticationStrategy-ref="sas"
    p:authenticationManager-ref="authenticationManager"
    p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
    p:rememberMeServices-ref="rememberMeServices"
    p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/>

<!-- Session authentication strategy: limits each user to one session and records new sessions in
     sessionRegistry. The limit can only account for sessions that are actually registered. -->
<bean id="sas"      class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
    p:maximumSessions="1">
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>

<!-- Filter placed at CONCURRENT_SESSION_FILTER; it consults the same registry on each request. -->
<bean id="concurrencyFilter" 
    class="org.springframework.security.web.session.ConcurrentSessionFilter"
    p:sessionRegistry-ref="sessionRegistry" />


<!-- In-memory registry of authenticated sessions; this is the source for the "logged-in users"
     list the question asks about. It must be the single instance shared by sas and concurrencyFilter. -->
<bean id="sessionRegistry" 
    class="org.springframework.security.core.session.SessionRegistryImpl" />


<!-- Password hashing: SHA-256 digest (constructor argument 256 selects the strength).
     NOTE(review): a salted SHA-256 digest is fast to compute (a single pass unless iterations are
     configured elsewhere), which makes offline guessing cheap if the credential table leaks.
     Prefer an adaptive hash such as BCryptPasswordEncoder from the spring-security-crypto module
     (confirm availability in the deployed version), with a rehash-on-login migration because
     existing hashes cannot be converted. -->
<bean id="passwordEncoder"
    class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <constructor-arg value="256"/>
</bean>

<!-- Uses the user's "username" property as the salt.
     NOTE(review): a username is predictable rather than random, and changing a username would
     invalidate the stored hash; a random per-user salt (as adaptive encoders generate
     themselves) is the safer choice. -->
<bean id="saltSource"  
    class="org.springframework.security.authentication.dao.ReflectionSaltSource">  
    <property name="userPropertyToUse" value="username"/>
</bean>

<!-- Project-specific user details service; referenced by both rememberMeServices and the
     authentication provider declared in the authentication-manager element. -->
<bean id="hibernateUserService"
    class="com.mysite.service.simple.SecurityUserDetailsService"/>


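<!-- Authentication manager with two providers: one checks username/password logins against
     hibernateUserService using the configured encoder and salt source, the other accepts
     remember-me tokens. The closing tag was missing from the listing and is restored here. -->
<s:authentication-manager alias="authenticationManager">
    <s:authentication-provider user-service-ref="hibernateUserService">
        <s:password-encoder ref="passwordEncoder">
            <s:salt-source ref="saltSource"/>
        </s:password-encoder>
    </s:authentication-provider>
    <s:authentication-provider ref="rememberMeAuthenticationProvider" />
</s:authentication-manager>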

我怎样才能解决这个问题?


我找到的解决方案之一是在FilterSecurityInterceptor bean中将alwaysReauthenticate属性设置为'true',但这会影响网站的性能。

如果您想填充 SessionRegistry,Spring Security 必须创建会话;请尝试在 Spring Security 配置文件的 <http> 标记中添加 create-session="always"。

您需要一个 ConcurrentSessionControlStrategy 来填充会话注册表。手册的相关章节对此进行了说明。如果您想使用普通 Spring bean,请查看其中的配置示例。请注意,您需要将它同时注入到 UsernamePasswordAuthenticationFilter 和 session-management 命名空间元素中,并且两处必须引用同一个 bean。

不,这应该不是必需的,而且会导致不必要地创建会话。我无法让 SessionRegistry 与 remember-me 一起工作,而且有说法称此问题仍然存在。谁错了?