java spring security - 有没有办法在我的应用程序中获取会话注册表(无需明确自定义并发过滤器)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11791154/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
spring security - is there an way to get session registry inside my application (without explicilty customizing the concurrentFilter)
提问by Daud
I was referring to thisthread, and in the second last post by Rob Winch(Spring Security Lead), he mentions that we can have access to the sessionRegisty :
我指的是这个线程,在Rob Winch(Spring Security Lead)的倒数第二篇文章中,他提到我们可以访问 sessionRegisty :
<session-management>
<concurrency-control session-registry-alias="sessionRegistry"/>
</session-management>
Therefore, I register the HttpSessionEventPublisherfilter in web.xmland specify the above setting in my <http>section. I DON'Tadd this :
因此,我注册HttpSessionEventPublisher过滤器web.xml并在我的<http>部分中指定上述设置。我不添加这个:
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
and in my class, I inject an instance of sessionRegistry like this :
在我的课堂上,我注入了一个 sessionRegistry 实例,如下所示:
@Autowired
private SessionRegistry sessionRegistry
This is how I am trying to find out the sessions for a user:
这就是我试图找出用户会话的方式:
List<SessionInformation> userSessions = sessionRegistry.getAllSessions(username,false);
for (SessionInformation userSession : userSessions){
userSession.expireNow();
}
The principal is the username of the user. Upon debugging, the sessionRegistryvariable's principalsand sessionidsvariables are empty.
Am I doing anything wrong here, or are the steps mentioned by krams's blog, the only way to do this ?
主体是用户的用户名。调试时,sessionRegistry变量principals和sessionids变量为空。我在这里做错了什么,还是krams 的博客提到的步骤是唯一的方法?
采纳答案by Xaerxess
Too long for comment, so I answer.
评论太长,所以我回答。
Turn Spring Security debugging on (add to
log4j.propertieslinelog4j.logger.org.springframework.security=DEBUG). This should be standard procedure in such problems, as debugging prints many handy information that can show were the problem is.Can you debug if
public void registerNewSession(String sessionId, Object principal)method insideSessionRegistryImplis called after logging? If not that meansHttpSessionEventPublisheris not set up correctly.You use
@Autowired private SessionRegistry sessionRegistry;in your class, dont't you?EDIT: Can you check if there are any principals in registry?
List<Object> userSessions = sessionRegistry.getAllPrincipals();where
Objects are principals instances you use.
打开 Spring Security 调试(添加到
log4j.properties行log4j.logger.org.springframework.security=DEBUG)。这应该是此类问题的标准程序,因为调试会打印许多可以显示问题所在的方便信息。如果在登录后调用
public void registerNewSession(String sessionId, Object principal)内部方法,您可以调试SessionRegistryImpl吗?如果不是,则表示HttpSessionEventPublisher设置不正确。你
@Autowired private SessionRegistry sessionRegistry;在课堂上使用,不是吗?编辑:您能检查注册表中是否有任何主体吗?
List<Object> userSessions = sessionRegistry.getAllPrincipals();其中
Objects 是您使用的主体实例。
回答by Nandkumar Tekale
Well you can autowire sessionRegistry. Nothing is wrong. I used it to track SessionInformationand registered sessions for UserPrincipal
那么你可以自动装配 sessionRegistry。没有错误。我用它来跟踪SessionInformation和注册会话UserPrincipal
回答by user1817243
It only worked for me if I changed session-registry-alias to session-registry-ref,and then defined the default impl:
如果我将 session-registry-alias 更改为 session-registry-ref,然后定义默认实现,它只对我有用:
<security:session-management>
<security:concurrency-control max-sessions="10" session-registry-ref="sessionRegistry"/>
</security:session-management>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
回答by Pawe? Grze?
Well it depends which version of spring security you use.
好吧,这取决于您使用哪个版本的 Spring Security。
In Spring Security 3.0it is enough to have the configuration as follows:
在 Spring Security 3.0 中,配置如下就足够了:
<security:session-management>
<security:concurrency-control max-sessions="1"/>
</security:session-management>
Because internally there is used class ConcurrentSessionControlStrategywhich invokes registerNewSessionon sessionRegistryobject.
因为在内部使用了类ConcurrentSessionControlStrategy,它在sessionRegistry对象上调用registerNewSession。
In Spring Security 3.2it is different and you have to use more verbose configuration. There is an example in the Spring Security reference docThe most important part to have sessionRegistryfilled with data is the following:
在 Spring Security 3.2 中它是不同的,你必须使用更详细的配置。Spring Security 参考文档中有一个例子 让sessionRegistry填充数据的最重要的部分如下:
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry"/>
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry"/>
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
The registration of a new session in sessionRegistryis performed in RegisterSessionAuthenticationStrategyclass.
sessionRegistry 中新会话的注册在RegisterSessionAuthenticationStrategy类中执行。
Hopefully it will help you.
希望它会帮助你。
