1
問題場景:的Spring Security 3.2和maximumSessions - 退出不更新的SessionRegistry
我試圖使用Spring Security V3.2.3與Java的配置中配置會話管理,使maximumSessions設置爲1和maxSessionsPreventsLogin是設置爲true,例如
.sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true);
這意味着,如果有人記錄中的同一個登錄在不同的瀏覽器中再次使用,在登錄仍然登錄原人和第二人 試圖登錄被拒絕。
問題與代碼:
我試圖遵循的Javadoc的例子和提示 - 但我的代碼的主要問題是,當你運行我的示例代碼(見下文),您可以登錄一次,然後註銷 - 但如果您嘗試再次登錄,則會被阻止,因爲Spring Security未識別您已註銷。
我跟蹤這個到Spring類SessionRegistryImpl - 當你登錄時,該方法registerNewSession被調用,但是當你登出,該方法removeSessionInformation不叫 - 導致不能登錄第二次。
我知道方法removeSessionInformation不會被調用,因爲這是應該由聽衆的一種特定類型的不是建立在默認情況下被觸發。要使用此功能 - 在你的子類的AbstractSecurityWebApplicationInitializer - 你必須覆蓋的方法enableHttpSessionEventPublisher並返回true。此方法的Javadoc指出:「如果會話管理指定了最大會話數,這應該是真實的」。這樣做似乎沒有什麼區別和註銷仍然不SessionRegistryImpl觸發調用方法removeSessionInformation。
我都沒有成功嘗試的唯一的另一件事是添加了@Order標註各種類的Javadoc中對AbstractSecurityWebApplicationInitializer類的買者部分的建議。這也沒有區別。
有什麼遺漏或錯誤的代碼或使用Spring Security的問題嗎?
我在Tomcat 7.0.53上使用Java 1.7.0_51。
以下是我已經使用的代碼中,JPSS,並與所使用的庫一個pom.xml。我試圖將這個例子簡化爲最簡單的形式。
的例子可以讓你登錄,看到一個歡迎頁面有一個註銷按鈕,然後單擊註銷按鈕。
MessageSecurityWebApplicationInitializer類:
package com.test.config;
import org.springframework.security.web.context.*;
public class MessageSecurityWebApplicationInitializer
extends AbstractSecurityWebApplicationInitializer {
@Override
protected boolean enableHttpSessionEventPublisher() {
return true;
}
}
MvcConfig類:
package com.test.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/").setViewName("home");
}
}
WebAppInitializer類:
package com.test.config;
import org.springframework.web.filter.CharacterEncodingFilter;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
import javax.servlet.Filter;
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer{
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[] { WebSecurityConfig.class, MvcConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[] { WebConfig.class };
}
@Override
protected String[] getServletMappings() {
return new String[] { "/" };
}
@Override
protected Filter[] getServletFilters() {
CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
characterEncodingFilter.setEncoding("UTF-8");
return new Filter[] { characterEncodingFilter};
}
}
WebConfig類:
package com.test.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.view.JstlView;
import org.springframework.web.servlet.view.UrlBasedViewResolver;
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = {"com.test.web.controller"})
public class WebConfig {
@Bean
public UrlBasedViewResolver setupViewResolver() {
UrlBasedViewResolver resolver = new UrlBasedViewResolver();
resolver.setPrefix("/WEB-INF/jsp/");
resolver.setSuffix(".jsp");
resolver.setViewClass(JstlView.class);
return resolver;
}
@Bean
public RequestMappingHandlerAdapter setupPageCache() {
RequestMappingHandlerAdapter adapter = new RequestMappingHandlerAdapter();
adapter.setCacheSeconds(0);
return adapter;
}
}
WebSecurityConfig類:
package com.test.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
.logoutSuccessUrl("/login?logout")
.permitAll()
.and()
.sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
CommonController類:
package com.test.web.controller;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class CommonController {
@RequestMapping(value="/login", method=RequestMethod.GET)
public String viewLoginPage(HttpServletRequest request, Model model) {
return "login";
}
}
的login.jsp:
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Test</title>
</head>
<body id="loginPage">
<div id="loginWrapper">
<div id="loginForm">
<noscript>
<div>
<spring:message code="login.javascript_disabled" text="JavaScript is not enabled on your browser." />
</div>
</noscript>
<c:url value="/login" var="loginUrl"/>
<form action="${loginUrl}" method="post">
<c:if test="${param.error != null}">
<p>
Invalid username and password.
</p>
</c:if>
<c:if test="${param.logout != null}">
<p>
You have logged out.
</p>
</c:if>
<p>
<label for="username">Username</label>
<input type="text" id="username" name="username"/>
</p>
<p>
<label for="password">Password</label>
<input type="password" id="password" name="password"/>
</p>
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
<button type="submit" class="btn">Log in</button>
</form>
</div>
</div>
</body>
</html>
針對home.jsp:
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE HTML>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Spring Security Example</title>
</head>
<body>
<h1>Welcome!</h1>
<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}"
method="post">
<input type="submit" value="Log out"/>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</body>
</html>
的pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.testing.automation</groupId>
<artifactId>test-simple</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>test-simple</name>
<packaging>war</packaging>
<description>Test for single session.</description>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>javax.servlet.jsp.jstl</groupId>
<artifactId>javax.servlet.jsp.jstl-api</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<dependency>
<groupId>taglibs</groupId>
<artifactId>standard</artifactId>
<version>1.1.2</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.3.3</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-eclipse-plugin</artifactId>
<version>2.9</version>
<configuration>
<wtpversion>2.0</wtpversion>
<wtpContextName>mmtest</wtpContextName>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.0</version>
<configuration>
<source>1.7</source>
<target>1.7</target>
</configuration>
</plugin>
</plugins>
</build>
</project>
你能找到解決這個問題的方法嗎? – Tito