Fatal编程技术网
  • spring/
  • Spring security SessionRegistry和基于bean的配置问题

Spring security SessionRegistry和基于bean的配置问题

spring session spring-security

Spring security SessionRegistry和基于bean的配置问题,spring,session,spring-security,Spring,Session,Spring Security,我正在使用SpringSecurity3.0.5,并试图获得当前登录用户的数量。我的场景是预验证的,并使用基于bean的配置,而不是基于命名空间的配置(在这种情况下,这看起来很简单) 我的配置文件如下: <beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy"> <filter-chain-map path-ty

我正在使用SpringSecurity3.0.5,并试图获得当前登录用户的数量。我的场景是预验证的,并使用基于bean的配置,而不是基于
命名空间的配置(在这种情况下,这看起来很简单)

我的配置文件如下:

    <beans:bean id="springSecurityFilterChain"
    class="org.springframework.security.web.FilterChainProxy">
    <filter-chain-map path-type="ant">
        <filter-chain pattern="/**/resources/**" filters="none" />
        <filter-chain pattern="/**/logout/**" filters="none" />
        <filter-chain pattern="/service/**" filters="none" />
        <filter-chain pattern="/**"
            filters="sif,concurrencyFilter,shibbolethFilter,smf,logoutFilter,etf,fsi" />

    </filter-chain-map>
</beans:bean>

<beans:bean id="sif"
    class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

<beans:bean id="scr"
    class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />

<beans:bean id="smf"
    class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository"
        ref="scr" />
    <beans:property name="sessionAuthenticationStrategy"
        ref="sas" />
</beans:bean>

<beans:bean id="shibbolethFilter"
    class="PreAuthenticatedShibbolethAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="exceptionIfHeaderMissing" value="true" />
    <beans:property name="continueFilterChainOnUnsuccessfulAuthentication"
        value="true" />
    <beans:property name="developmentMode" value="true" />
    <beans:property name="authenticationSuccessHandler"
        ref="customAuthenticationSuccessHandlerBean" />
</beans:bean>

<beans:bean id="sas"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry"
        ref="sessionRegistry" />
    <beans:property name="maximumSessions" value="1" />
</beans:bean>

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

<beans:bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl" value="/session-expired.html" />
</beans:bean>

<authentication-manager alias="authenticationManager">
    <authentication-provider ref='preauthAuthProvider' />
</authentication-manager>

<beans:bean id="preauthAuthProvider"
    class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean id="userDetailsServiceWrapper"
            class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <beans:property name="userDetailsService" ref="userDetailsService" />
        </beans:bean>
    </beans:property>
</beans:bean>

<beans:bean id="logoutHandlerBean"
    class="LogoutSuccessHandlerImpl" />

<beans:bean id="userDetailsService"
    class="CustomJdbcDaoImpl">
    <beans:property name="dataSource" ref="projectDS" />
    <beans:property name="enableGroups" value="true" />
    <beans:property name="enableAuthorities" value="false" />
</beans:bean>
在我的控制器中,我有以下代码:

@资源(name=“sessionRegistry”) 非公开会议登记处会议登记处

private void doTest(){
List principals=sessionReg.getAllPrincipals();
for(对象o:主体){
List siList=sessionReg.getAllSessions(o,
正确的);
用于(会话信息si:siList){
logger.error(si.getSessionId()+“”+si.getPrincipal());
}
}
}
列表
主体
总是空的。我觉得
扩展的
AbstractPreauthenticatedHibbolethAuthenticationFilter
过滤器
AbstractPreAuthenticatedProcessingFilter
应该得到
引用
ConcurrentSessionControl策略
,但是,没有这样的属性可以设置。


我缺少什么?
SecurityContextPersistenceFilter需要SecurityContextExtrespository


<bean id="sif" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" >
<property name="securityContextRepository" ref="scr" />
</bean>



是否“maximumSessions=1”限制了预期的工作,即一个主体可以进行两次身份验证?这是您编写的自定义类吗?如果是,您能告诉我们它扩展了什么基类吗?

<bean id="sif" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" >
<property name="securityContextRepository" ref="scr" />
</bean>