Spring Security: Spring Session stored in a DB + Spring Security authentication in a clustered environment

Tags: spring-security, cluster-computing, spring-session

I have an application on Spring 4 where Spring Security is used for authentication and Spring Session is used to share the session across a clustered environment.

I implemented SessionRepository from Spring Session to store the sessions in a database, so when I enter the site a cookie named "SESSION" is created and stored in the DB.

The idea of this session-in-DB implementation is as follows:

Now I have a "SESSION" cookie. When I log in to the site, Spring Security creates another cookie, "JSESSION", but it is not stored in the DB, and that cookie holds the "authentication information".

My question is: is this implementation correct for a clustered environment, or do I need to make another change?

Thanks in advance

EDIT 2:

I recently tested my application and made a mistake in my explanation: when I enter the site I have a "SESSION" cookie, and even when I log in the "SESSION" cookie is still there and there is no other cookie. If I clean the SESSION table and refresh the site, the user is logged off. Is this the correct behavior?

EDIT:

This is my "configure" from SecurityConfig (which extends WebSecurityConfigurerAdapter):

And here is my login success handler:

import java.io.IOException;
import java.util.Collection;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component("myAuthenticationSuccessHandler")
public class MySimpleUrlAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    private final Logger LOGGER = LoggerFactory.getLogger(getClass());

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
        handle(request, response, authentication);
        // With Spring Session's filter in front, this is the repository-backed session, not the container's
        HttpSession session = request.getSession(false);

        if (session != null) {
            session.setMaxInactiveInterval(60 * 10); // 10 minutes of inactivity
        }
        clearAuthenticationAttributes(request);
    }

    protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
        String targetUrl = determineTargetUrl(authentication);

        if (response.isCommitted()) {
            return;
        }

        redirectStrategy.sendRedirect(request, response, targetUrl);
    }

    // Pick the landing page from the granted authorities; ADMIN wins over OPER/AUDITOR
    protected String determineTargetUrl(Authentication authentication) {
        boolean isUser = false;
        boolean isAdmin = false;
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        for (GrantedAuthority grantedAuthority : authorities) {
            if (grantedAuthority.getAuthority().equals("OPER") || grantedAuthority.getAuthority().equals("AUDITOR")) {
                isUser = true;
            } else if (grantedAuthority.getAuthority().equals("ADMIN")) {
                isAdmin = true;
                isUser = false;
                break;
            }
        }

        if (isUser || isAdmin) {
            return "/home.html";
        } else {
            throw new IllegalStateException();
        }
    }

    // Drop the last login-failure exception so it is not shown after a successful login
    protected void clearAuthenticationAttributes(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }
        session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
    }

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }

    protected RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }
}
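The behaviour asked about in EDIT 2 follows from where Spring Security keeps the login: HttpSessionSecurityContextRepository stores the SecurityContext as the session attribute SPRING_SECURITY_CONTEXT, and with Spring Session that session is the repository-backed one identified by the SESSION cookie, so deleting its row ends the login on every node. The following added example (not code from the question or the answer; it assumes the Spring Session 2.x API and uses the in-memory MapSessionRepository in place of the custom DB-backed repository, with "alice" as a constructed user) simulates two nodes sharing one repository:

```java
import java.time.Duration;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.session.MapSession;
import org.springframework.session.MapSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.SessionRepository;

/** Two "nodes" share one SessionRepository; only the SESSION cookie value (the id) travels between them. */
public class ClusteredSessionDemo {
    // Stand-in for the custom DB-backed SessionRepository (assumption); MapSessionRepository ships with spring-session-core
    static final SessionRepository<MapSession> REPO =
            new MapSessionRepository(new ConcurrentHashMap<String, Session>());

    /** Node A: what HttpSessionSecurityContextRepository writes into the Spring Session session on login. */
    static String loginOnNodeA(String username) {
        MapSession session = REPO.createSession();
        session.setMaxInactiveInterval(Duration.ofMinutes(10)); // same timeout the success handler sets
        Authentication auth = new UsernamePasswordAuthenticationToken(
                username, null, AuthorityUtils.createAuthorityList("ADMIN"));
        SecurityContext ctx = new SecurityContextImpl();
        ctx.setAuthentication(auth);
        session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, ctx);
        REPO.save(session); // this is the row in the SESSION table
        return session.getId(); // the value the SESSION cookie carries
    }

    /** Node B: resolve the user from the cookie value alone; null means the user is logged off everywhere. */
    static String whoIsLoggedIn(String sessionCookie) {
        MapSession session = REPO.findById(sessionCookie);
        if (session == null) {
            return null; // row missing (expired or deleted): no authentication on any node
        }
        SecurityContext ctx = session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        return ctx == null ? null : ctx.getAuthentication().getName();
    }

    public static void main(String[] args) {
        String cookie = loginOnNodeA("alice");
        System.out.println("node B sees: " + whoIsLoggedIn(cookie));
        REPO.deleteById(cookie); // "cleaning the SESSION table", as in EDIT 2
        System.out.println("after delete: " + whoIsLoggedIn(cookie));
    }
}
```

A second "JSESSIONID" cookie alongside "SESSION" usually means something created a container session before Spring Session's SessionRepositoryFilter wrapped the request; that filter must run before springSecurityFilterChain for the attribute above to land in the DB.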
After a few days of research and testing, this implementation works correctly in a clustered environment.

If anyone needs an example project, Mati has one on his GitHub repository:
