我的應用程序的sequrity系統是基於Spring Sequrity 3.1。我正在使用PersistentTokenBasedRememberMeServices。春季安全的SessionRegistry與對PersistentTokenBasedRememberMeServices
我需要顯示所有的列表使用Sessionregistrympl登錄的用戶。問題是,當網站變成「rememberme-user」時,會話在SessionRegistry中不存在。
我的配置文件:web.xml中
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
和彈簧sequrity.xml:
<s:http auto-config="false" entry-point-ref="authenticationEntryPoint" >
<s:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
<s:custom-filter position="REMEMBER_ME_FILTER" ref="rememberMeFilter" />
<s:custom-filter position="CONCURRENT_SESSION_FILTER" ref= "concurrencyFilter" />
<s:custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
<s:intercept-url pattern="/admin/**/" access="ROLE_ADMIN"/>
<s:intercept-url pattern="/**/" access="ROLE_USER, ROLE_GUEST"/>
<s:anonymous username="guest" granted-authority="ROLE_GUEST" />
</s:http>
<bean
id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter"
p:filterProcessesUrl="/logout/">
<constructor-arg value="/login/" />
<constructor-arg>
<list>
<ref bean="rememberMeServices" />
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" p:invalidateHttpSession="true"/>
</list>
</constructor-arg>
</bean>
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login/"/>
<bean id="customAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
p:defaultTargetUrl="/index/" />
<bean id="customAuthenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/login/error/" />
<bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices"
p:tokenRepository-ref="jdbcTokenRepository"
p:userDetailsService-ref="hibernateUserService"
p:key="pokeristStore"
p:tokenValiditySeconds="1209600" />
<bean id="jdbcTokenRepository"
class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl"
p:dataSource-ref="dataSource"/>
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider"
p:key="pokeristStore" />
<bean id="rememberMeFilter"
class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter"
p:rememberMeServices-ref="rememberMeServices"
p:authenticationManager-ref="authenticationManager" />
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:sessionAuthenticationStrategy-ref="sas"
p:authenticationManager-ref="authenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:rememberMeServices-ref="rememberMeServices"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/>
<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
p:maximumSessions="1">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
<bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter"
p:sessionRegistry-ref="sessionRegistry" />
<bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
<constructor-arg value="256"/>
</bean>
<bean id="saltSource"
class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<property name="userPropertyToUse" value="username"/>
</bean>
<bean id="hibernateUserService"
class="com.mysite.service.simple.SecurityUserDetailsService"/>
<s:authentication-manager alias="authenticationManager">
<s:authentication-provider user-service-ref="hibernateUserService">
<s:password-encoder ref="passwordEncoder">
<s:salt-source ref="saltSource"/>
</s:password-encoder>
</s:authentication-provider>
<s:authentication-provider ref="rememberMeAuthenticationProvider" />
我怎樣才能解決這個問題?
一個被我找到了解決方案 - 是alwaysReauthenticate屬性設置爲FilterSecurityInterceptor豆「真」,但它影響的網站的性能。
不,不應該是必要的,並會導致不必要創建的會話。 –