春季安全的SessionRegistry与对PersistentTokenBasedRememberMeServices

Question

我的应用程序的sequrity系统是基于Spring Sequrity 3.1。我正在使用PersistentTokenBasedRememberMeServices。

我需要显示所有的列表使用Sessionregistrympl登录的用户。问题是，当网站变成“rememberme-user”时，会话在SessionRegistry中不存在。

我的配置文件：web.xml中

<listener> 
    <listener-class> 
     org.springframework.web.context.ContextLoaderListener 
    </listener-class> 
</listener> 

<listener> 
    <listener-class> 
     org.springframework.security.web.session.HttpSessionEventPublisher 
</listener-class> 

和弹簧sequrity.xml：

<s:http auto-config="false" entry-point-ref="authenticationEntryPoint" > 

    <s:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter"/> 
    <s:custom-filter position="REMEMBER_ME_FILTER" ref="rememberMeFilter" /> 
    <s:custom-filter position="CONCURRENT_SESSION_FILTER" ref= "concurrencyFilter" />   
    <s:custom-filter position="LOGOUT_FILTER" ref="logoutFilter" /> 

    <s:intercept-url pattern="/admin/**/" access="ROLE_ADMIN"/>  
    <s:intercept-url pattern="/**/" access="ROLE_USER, ROLE_GUEST"/>   
    <s:anonymous username="guest" granted-authority="ROLE_GUEST" /> 

</s:http> 



<bean 
    id="logoutFilter" 
    class="org.springframework.security.web.authentication.logout.LogoutFilter" 
    p:filterProcessesUrl="/logout/"> 
    <constructor-arg value="/login/" /> 
    <constructor-arg> 
    <list> 
     <ref bean="rememberMeServices" /> 
     <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" p:invalidateHttpSession="true"/> 
    </list> 
    </constructor-arg> 
</bean> 


<bean id="authenticationEntryPoint" 
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" 
    p:loginFormUrl="/login/"/> 


<bean id="customAuthenticationSuccessHandler" 
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler" 
    p:defaultTargetUrl="/index/" /> 


<bean id="customAuthenticationFailureHandler" 
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" 
    p:defaultFailureUrl="/login/error/" /> 


<bean id="rememberMeServices" 
    class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices" 
    p:tokenRepository-ref="jdbcTokenRepository" 
    p:userDetailsService-ref="hibernateUserService" 
    p:key="pokeristStore" 
    p:tokenValiditySeconds="1209600" /> 

<bean id="jdbcTokenRepository" 
    class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl" 
    p:dataSource-ref="dataSource"/> 

<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider" 
    p:key="pokeristStore" /> 

<bean id="rememberMeFilter" 
    class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter" 
    p:rememberMeServices-ref="rememberMeServices" 
    p:authenticationManager-ref="authenticationManager" /> 


<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" 
    p:sessionAuthenticationStrategy-ref="sas" 
    p:authenticationManager-ref="authenticationManager" 
    p:authenticationFailureHandler-ref="customAuthenticationFailureHandler" 
    p:rememberMeServices-ref="rememberMeServices" 
    p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/> 

<bean id="sas"  class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy" 
    p:maximumSessions="1"> 
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" /> 
</bean> 

<bean id="concurrencyFilter" 
    class="org.springframework.security.web.session.ConcurrentSessionFilter" 
    p:sessionRegistry-ref="sessionRegistry" /> 


<bean id="sessionRegistry" 
    class="org.springframework.security.core.session.SessionRegistryImpl" /> 


<bean id="passwordEncoder" 
    class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"> 
    <constructor-arg value="256"/> 
</bean> 

<bean id="saltSource" 
    class="org.springframework.security.authentication.dao.ReflectionSaltSource"> 
    <property name="userPropertyToUse" value="username"/> 
</bean> 

<bean id="hibernateUserService" 
    class="com.mysite.service.simple.SecurityUserDetailsService"/> 


<s:authentication-manager alias="authenticationManager">  
    <s:authentication-provider user-service-ref="hibernateUserService">    
     <s:password-encoder ref="passwordEncoder"> 
      <s:salt-source ref="saltSource"/> 
     </s:password-encoder> 
    </s:authentication-provider> 
    <s:authentication-provider ref="rememberMeAuthenticationProvider" /> 

我怎样才能解决这个问题？

一个被我找到了解决方案 - 是alwaysReauthenticate属性设置为FilterSecurityInterceptor豆“真”，但它影响的网站的性能。

Answer 1

如果您想要填充SessionRegistry Spring Security必须创建一个会话，请尝试将create-session="always"添加到您在Spring Security配置文件中的<http>标记中。

Answer 2

你需要一个ConcurrentSessionControlStrategy，填充会话注册表。这在手册的session management部分有所描述。如果你想使用普通的Spring bean，请查看那里的配置示例。请注意，您需要将其注入到提供与UsernamePasswordAuthenticationFilter和session-management命名空间元素相同的参考中。