升級到Grails 3後，sessionRegistry爲空，但驗證正在工作

Question

將舊應用程序（grails 1.3.7）升級到最新的grails版本3.1.3後，sessionRegistry保持爲空。春季安全有一些變化，我試圖得到它的工作，但它看起來像缺少一些東西...我使用的是spring-security-web-4.0.3.RELEASE.jar

我可以通過春季安全認證，看起來一切正常。但我喜歡計算公開會議。我使用sessionRegistry.getAllPrincipals（）來查找打開的會話，但現在它總是空的。

在resources.groovy：

import com.myApp.LicenceCheck 
import org.springframework.security.core.session.SessionRegistryImpl 
import org.springframework.security.web.session.ConcurrentSessionFilter 
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy 


beans = { 
     sessionRegistry(SessionRegistryImpl) 

     sessionAuthenticationStrategy(ConcurrentSessionControlAuthenticationStrategy){   
      it.constructorArgs = [sessionRegistry] 
      maximumSessions = -1    
     } 

     concurrentSessionFilter(ConcurrentSessionFilter){   
      it.constructorArgs = [sessionRegistry,'/login/concurrentSession']; 
     } 

     licenceCheck(LicenceCheck)   
} 

BootStrap.groovy中：

SpringSecurityUtils.clientRegisterFilter('concurrentSessionFilter', SecurityFilterPosition.CONCURRENT_SESSION_FILTER) 

配置在application.groovy：

// Added by the Spring Security Core plugin: 
grails.plugin.springsecurity.basic.realmName='myApp' 
grails.plugin.springsecurity.successHandler.defaultTargetUrl='/search/' 
grails.plugin.springsecurity.password.algorithm='MD5' 
grails.plugin.springsecurity.password.hash.iterations = 1 
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.myApp.Account' 
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.myApp.AccountAccountGroup' 
grails.plugin.springsecurity.authority.className = 'com.myApp.AccountGroup' 
grails.plugin.springsecurity.authority.nameField = 'role' 
grails.plugin.springsecurity.useSecurityEventListener = true 
grails.plugin.springsecurity.useSessionFixationPrevention = false 
grails.plugin.springsecurity.rejectIfNoRule = false 
grails.plugin.springsecurity.fii.rejectPublicInvocations = false 
grails.plugin.springsecurity.auth.loginFormUrl = '/login/auth' 
grails.plugin.springsecurity.apf.storeLastUsername=true 

grails.plugin.springsecurity.filterChain.filterNames = [ 
    'securityContextPersistenceFilter', 'logoutFilter', 
    'authenticationProcessingFilter', 'concurrentSessionFilter', 
    'rememberMeAuthenticationFilter', 'anonymousAuthenticationFilter', 
    'exceptionTranslationFilter', 'filterInvocationInterceptor' 
] 

全成驗證我想算後公開課：

import org.springframework.context.ApplicationListener 
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent 
import grails.util.Holders 

class LicenceCheck implements ApplicationListener<InteractiveAuthenticationSuccessEvent> { 

void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) { 
     def sessionRegistry = Holders.grailsApplication.mainContext.getBean('sessionRegistry') 
     sessionRegistry.getAllPrincipals() <= list is always empty 
    } 
} 

這是在以前的版本（與非常老的grails）工作。現在身份驗證正在工作，但sessionRegistry保持空白。任何想法我失蹤？

Regards，grailsfan

Answer 1

我找到了這個問題的解決方案。

問題是，新的ConcurrentSessionControlAuthenticationStrategy（新的ConcurrentSessionControlStrategy）未在sessionRegistry中註冊會話。你必須將不同的策略與CompositeSessionAuthenticationStrategy結合起來。

這對我有用： Grails Spring Security max concurrent session