java – ConcurrentSession... in Spring Security 3.2.4

codeday · 2019-11-11
This article is from codeday, author codeday
I have a working configuration that uses ConcurrentSessionControlStrategy together with my own sessionRegistry implementation. I upgraded to Spring Security 3.2.4 and had to change ConcurrentSessionControlStrategy to ConcurrentSessionControlAuthenticationStrategy. Now it seems the sessionRegistry is not wired up, meaning ConcurrentSessionControlAuthenticationStrategy.onAuthentication never reaches sessionRegistry.registerNewSession. How should I proceed?

My configuration XML:

    <security:http use-expressions="true" auto-config="false"
        entry-point-ref="loginUrlAuthenticationEntryPoint">

        <security:intercept-url pattern="/**"
            access="isAuthenticated()" />

        <security:custom-filter position="FORM_LOGIN_FILTER"
            ref="twoFactorAuthenticationFilter" />

        <security:logout logout-url="/player/logout"
            logout-success-url="/demo/player/logoutSuccess" />

        <security:session-management>
            <security:concurrency-control
                max-sessions="1" session-registry-ref="clusteredSessionRegistryImpl"
                error-if-maximum-exceeded="false" />
        </security:session-management>

    </security:http>

    <bean
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
        <constructor-arg ref="clusteredSessionRegistryImpl" />
        <property name="maximumSessions" value="1" />
    </bean>

    <bean id="loginUrlAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/demo/player/login?login_error=true" />
    </bean>

    <bean id="twoFactorAuthenticationFilter" class="com.XXX.filter.TwoFactorAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationFailureHandler" ref="failureHandler" />
        <property name="authenticationSuccessHandler" ref="playerAuthenticationSuccessHandler" />
        <property name="postOnly" value="true" />
    </bean>


    <bean id="failureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/login?login_error=true" />
    </bean>

    <bean id="bCryptPasswordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="authenticationProvider">
        </security:authentication-provider>
    </security:authentication-manager>

</beans>
Best answer
It seems I'm late with the answer, but anyway...

The functionality of ConcurrentSessionControlStrategy is now split entirely across three strategies: ConcurrentSessionControlAuthenticationStrategy, SessionFixationProtectionStrategy and RegisterSessionAuthenticationStrategy.

To have a proper replacement, you should use CompositeSessionAuthenticationStrategy and add these three delegates in the order given above.

So, I'm afraid the deprecation comment wrongly names ConcurrentSessionControlAuthenticationStrategy as the replacement for ConcurrentSessionControlStrategy. It needs at least RegisterSessionAuthenticationStrategy to be present to maintain the SessionRegistry. Otherwise the SessionRegistry stays empty and the "replacement" always reports "ok".

I guess the approach was changed to make it more flexible, with several handlers acting as delegates instead of one (with CompositeSessionAuthenticationStrategy you can have any number of SessionAuthenticationStrategy instances doing independent things).
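The wiring the answer describes, as an added XML example (not from the original post or from Spring's documentation): the three delegates in the stated order inside a CompositeSessionAuthenticationStrategy, injected into the asker's form-login filter. It assumes TwoFactorAuthenticationFilter extends AbstractAuthenticationProcessingFilter (so it has the sessionAuthenticationStrategy property) and that clusteredSessionRegistryImpl is the SessionRegistry bean from the question; the standalone strategy bean in the question is replaced, since nothing ever referenced it.

```xml
<!-- Added example, not from the original post. Assumes the bean names from the question. -->
<bean id="sessionAuthenticationStrategy"
    class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <constructor-arg>
        <list>
            <!-- 1. Enforce the per-user session limit. Runs first, so an over-limit login is
                 rejected (or the oldest session expired) before the new session is registered. -->
            <bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                <constructor-arg ref="clusteredSessionRegistryImpl" />
                <property name="maximumSessions" value="1" />
                <!-- false = expire the oldest session instead of failing the new login,
                     matching error-if-maximum-exceeded="false" in the question -->
                <property name="exceptionIfMaximumExceeded" value="false" />
            </bean>
            <!-- 2. Issue a fresh session id on login (session fixation protection). -->
            <bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
            <!-- 3. Record the new session id in the registry. Without this delegate the
                 registry stays empty and step 1 never sees an existing session to limit. -->
            <bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                <constructor-arg ref="clusteredSessionRegistryImpl" />
            </bean>
        </list>
    </constructor-arg>
</bean>

<!-- The filter must be told to call the composite; a strategy bean that nothing references
     (as in the question) is never invoked during authentication. -->
<bean id="twoFactorAuthenticationFilter" class="com.XXX.filter.TwoFactorAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureHandler" ref="failureHandler" />
    <property name="authenticationSuccessHandler" ref="playerAuthenticationSuccessHandler" />
    <property name="postOnly" value="true" />
    <property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy" />
</bean>
```

The `<security:concurrency-control session-registry-ref="clusteredSessionRegistryImpl">` element from the question stays as it is, so the ConcurrentSessionFilter checks the same registry that step 3 populates.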