0
我正在使用Spring Security 3.0.5並試圖獲取當前登錄用戶的數量。我的情況是預驗證和使用基於bean配置,而不是基於<http>命名空間配置(在這種情況下,這似乎是微不足道的Spring安全性基於SessionRegistry和Bean的配置困境
我的配置文件如下:
<beans:bean id="springSecurityFilterChain"
class="org.springframework.security.web.FilterChainProxy">
<filter-chain-map path-type="ant">
<filter-chain pattern="/**/resources/**" filters="none" />
<filter-chain pattern="/**/logout/**" filters="none" />
<filter-chain pattern="/service/**" filters="none" />
<filter-chain pattern="/**"
filters="sif,concurrencyFilter,shibbolethFilter,smf,logoutFilter,etf,fsi" />
</filter-chain-map>
</beans:bean>
<beans:bean id="sif"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
<beans:bean id="scr"
class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
<beans:bean id="smf"
class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository"
ref="scr" />
<beans:property name="sessionAuthenticationStrategy"
ref="sas" />
</beans:bean>
<beans:bean id="shibbolethFilter"
class="PreAuthenticatedShibbolethAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="exceptionIfHeaderMissing" value="true" />
<beans:property name="continueFilterChainOnUnsuccessfulAuthentication"
value="true" />
<beans:property name="developmentMode" value="true" />
<beans:property name="authenticationSuccessHandler"
ref="customAuthenticationSuccessHandlerBean" />
</beans:bean>
<beans:bean id="sas"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry"
ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/session-expired.html" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref='preauthAuthProvider' />
</authentication-manager>
<beans:bean id="preauthAuthProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:property name="userDetailsService" ref="userDetailsService" />
</beans:bean>
</beans:property>
</beans:bean>
<beans:bean id="logoutHandlerBean"
class="LogoutSuccessHandlerImpl" />
<beans:bean id="userDetailsService"
class="CustomJdbcDaoImpl">
<beans:property name="dataSource" ref="projectDS" />
<beans:property name="enableGroups" value="true" />
<beans:property name="enableAuthorities" value="false" />
</beans:bean>
在我的控制我有以下代碼:
@Resource(名稱= 「的SessionRegistry」) 私人的SessionRegistry sessionReg;
private void doTest() {
List<Object> principals = sessionReg.getAllPrincipals();
for (Object o : principals) {
List<SessionInformation> siList = sessionReg.getAllSessions(o,
true);
for (SessionInformation si : siList) {
logger.error(si.getSessionId() + " " + si.getPrincipal());
}
}
}
列表principals始終爲空。我覺得PreAuthenticatedShibbolethAuthenticationFilter過濾器哪個extendsAbstractPreAuthenticatedProcessingFilter應該得到ref到ConcurrentSessionControlStrategy,但是,沒有這樣的屬性可以設置。
我錯過了什麼?
是否「maximumSessions = 1」極限如預期工作,即是有可能爲一個主兩次認證? – Xaerxess
這是'PreAuthenticatedShibbolethAuthenticationFilter'你寫的一個自定義類嗎?如果是這樣,你能給我們一些關於它擴展的基類的想法嗎? –