2012-05-14 113 views
2

我的應用程序的sequrity系統是基於Spring Sequrity 3.1。我正在使用PersistentTokenBasedRememberMeServices。春季安全的SessionRegistry與對PersistentTokenBasedRememberMeServices

我需要顯示所有的列表使用Sessionregistrympl登錄的用戶。問題是,當網站變成「rememberme-user」時,會話在SessionRegistry中不存在。

我的配置文件:web.xml中

<listener> 
    <listener-class> 
     org.springframework.web.context.ContextLoaderListener 
    </listener-class> 
</listener> 

<listener> 
    <listener-class> 
     org.springframework.security.web.session.HttpSessionEventPublisher 
</listener-class> 

和彈簧sequrity.xml:

<s:http auto-config="false" entry-point-ref="authenticationEntryPoint" > 

    <s:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter"/> 
    <s:custom-filter position="REMEMBER_ME_FILTER" ref="rememberMeFilter" /> 
    <s:custom-filter position="CONCURRENT_SESSION_FILTER" ref= "concurrencyFilter" />   
    <s:custom-filter position="LOGOUT_FILTER" ref="logoutFilter" /> 

    <s:intercept-url pattern="/admin/**/" access="ROLE_ADMIN"/>  
    <s:intercept-url pattern="/**/" access="ROLE_USER, ROLE_GUEST"/>   
    <s:anonymous username="guest" granted-authority="ROLE_GUEST" /> 

</s:http> 



<bean 
    id="logoutFilter" 
    class="org.springframework.security.web.authentication.logout.LogoutFilter" 
    p:filterProcessesUrl="/logout/"> 
    <constructor-arg value="/login/" /> 
    <constructor-arg> 
    <list> 
     <ref bean="rememberMeServices" /> 
     <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" p:invalidateHttpSession="true"/> 
    </list> 
    </constructor-arg> 
</bean> 


<bean id="authenticationEntryPoint" 
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" 
    p:loginFormUrl="/login/"/> 


<bean id="customAuthenticationSuccessHandler" 
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler" 
    p:defaultTargetUrl="/index/" /> 


<bean id="customAuthenticationFailureHandler" 
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" 
    p:defaultFailureUrl="/login/error/" /> 


<bean id="rememberMeServices" 
    class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices" 
    p:tokenRepository-ref="jdbcTokenRepository" 
    p:userDetailsService-ref="hibernateUserService" 
    p:key="pokeristStore" 
    p:tokenValiditySeconds="1209600" /> 

<bean id="jdbcTokenRepository" 
    class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl" 
    p:dataSource-ref="dataSource"/> 

<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider" 
    p:key="pokeristStore" /> 

<bean id="rememberMeFilter" 
    class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter" 
    p:rememberMeServices-ref="rememberMeServices" 
    p:authenticationManager-ref="authenticationManager" /> 


<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" 
    p:sessionAuthenticationStrategy-ref="sas" 
    p:authenticationManager-ref="authenticationManager" 
    p:authenticationFailureHandler-ref="customAuthenticationFailureHandler" 
    p:rememberMeServices-ref="rememberMeServices" 
    p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/> 

<bean id="sas"  class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy" 
    p:maximumSessions="1"> 
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" /> 
</bean> 

<bean id="concurrencyFilter" 
    class="org.springframework.security.web.session.ConcurrentSessionFilter" 
    p:sessionRegistry-ref="sessionRegistry" /> 


<bean id="sessionRegistry" 
    class="org.springframework.security.core.session.SessionRegistryImpl" /> 


<bean id="passwordEncoder" 
    class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"> 
    <constructor-arg value="256"/> 
</bean> 

<bean id="saltSource" 
    class="org.springframework.security.authentication.dao.ReflectionSaltSource"> 
    <property name="userPropertyToUse" value="username"/> 
</bean> 

<bean id="hibernateUserService" 
    class="com.mysite.service.simple.SecurityUserDetailsService"/> 


<s:authentication-manager alias="authenticationManager">  
    <s:authentication-provider user-service-ref="hibernateUserService">    
     <s:password-encoder ref="passwordEncoder"> 
      <s:salt-source ref="saltSource"/> 
     </s:password-encoder> 
    </s:authentication-provider> 
    <s:authentication-provider ref="rememberMeAuthenticationProvider" /> 

我怎樣才能解決這個問題?

一個被我找到了解決方案 - 是alwaysReauthenticate屬性設置爲FilterSecurityInterceptor豆「真」,但它影響的網站的性能。

回答

0

如果您想要填充SessionRegistry Spring Security必須創建一個會話,請嘗試將create-session="always"添加到您在Spring Security配置文件中的<http>標記中。

+0

不,不應該是必要的,並會導致不必要創建的會話。 –

2

你需要一個ConcurrentSessionControlStrategy,填充會話註冊表。這在手冊的session management部分有所描述。如果你想使用普通的Spring bean,請查看那裏的配置示例。請注意,您需要將其注入到提供與UsernamePasswordAuthenticationFiltersession-management命名空間元素相同的參考中。

+0

非常感謝您的幫助。一切正常! – user1012746

+0

我還沒有能夠讓sessionregistry與rememberMe和https://jira.springsource.org/browse/SEC-2028一起工作,說明這個問題仍然存在。誰錯了? – Marc