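I had a working configuration using ConcurrentSessionControlStrategy and my own implementation of the sessionRegistry. I upgraded to Spring Security 3.2.4 and had to change ConcurrentSessionControlStrategy to ConcurrentSessionControlAuthenticationStrategy. Now it seems that the sessionRegistry is not connected, meaning that ConcurrentSessionControlAuthenticationStrategy.onAuthentication does not enter sessionRegistry.registerNewSession. What should I do?
My configuration XML: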
<security:http use-expressions="true" auto-config="false"
    entry-point-ref="loginUrlAuthenticationEntryPoint">
    <security:intercept-url pattern="/**"
        access="isAuthenticated()" />
    <security:custom-filter position="FORM_LOGIN_FILTER"
        ref="twoFactorAuthenticationFilter" />
    <security:logout logout-url="/player/logout"
        logout-success-url="/demo/player/logoutSuccess" />
    <security:session-management>
        <security:concurrency-control
            max-sessions="1" session-registry-ref="clusteredSessionRegistryImpl"
            error-if-maximum-exceeded="false" />
    </security:session-management>
</security:http>
<bean
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
    <constructor-arg ref="clusteredSessionRegistryImpl" />
    <property name="maximumSessions" value="1" />
</bean>
<bean id="loginUrlAuthenticationEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/demo/player/login?login_error=true" />
</bean>
<bean id="twoFactorAuthenticationFilter" class="com.XXX.filter.TwoFactorAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureHandler" ref="failureHandler" />
    <property name="authenticationSuccessHandler" ref="playerAuthenticationSuccessHandler" />
    <property name="postOnly" value="true" />
</bean>
<bean id="failureHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/login?login_error=true" />
</bean>
<bean id="bCryptPasswordEncoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider
        ref="authenticationProvider">
    </security:authentication-provider>
</security:authentication-manager>
</beans>
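Answer 0 (score: 3)
It seems I'm late with an answer, but anyway...
The functionality of ConcurrentSessionControlStrategy is now split into exactly three strategies: ConcurrentSessionControlAuthenticationStrategy, SessionFixationProtectionStrategy and RegisterSessionAuthenticationStrategy.
To have a correct replacement, you should use CompositeSessionAuthenticationStrategy, adding these three delegates in the order mentioned above.
So, I'm afraid, ConcurrentSessionControlAuthenticationStrategy is wrongly mentioned in the deprecation comments as the substitute for ConcurrentSessionControlStrategy. It needs at least RegisterSessionAuthenticationStrategy to be available in order to maintain the SessionRegistry. Otherwise the SessionRegistry remains empty and the "substitute" always reports "ok".
I guess the approach was changed to make it more flexible by having several handlers as delegates instead of one (using CompositeSessionAuthenticationStrategy, you can have any number of SessionAuthenticationStrategy instances doing independent :) things).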
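
The composite described in the answer, written as bean definitions in the style of the question's configuration. This is an added example, not part of the original post or answer; the bean id `sas` is hypothetical, and it assumes `TwoFactorAuthenticationFilter` extends `AbstractAuthenticationProcessingFilter` (which exposes the `sessionAuthenticationStrategy` property).

```xml
<!-- Added example. Delegates run in list order: concurrency check,
     session fixation protection, then registration in the registry. -->
<bean id="sas"
    class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <constructor-arg>
        <list>
            <!-- 1. Counts the sessions already in the registry and enforces the limit -->
            <bean
                class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                <constructor-arg ref="clusteredSessionRegistryImpl" />
                <property name="maximumSessions" value="1" />
                <!-- false: expire the oldest session instead of rejecting the new login -->
                <property name="exceptionIfMaximumExceeded" value="false" />
            </bean>
            <!-- 2. Replaces the pre-login session on successful authentication -->
            <bean
                class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
            <!-- 3. Calls registerNewSession on the registry; without this delegate
                 the registry stays empty and the limit in step 1 is never reached -->
            <bean
                class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                <constructor-arg ref="clusteredSessionRegistryImpl" />
            </bean>
        </list>
    </constructor-arg>
</bean>

<!-- The question's custom login filter, with the composite injected.
     Assumption: the filter inherits setSessionAuthenticationStrategy. -->
<bean id="twoFactorAuthenticationFilter" class="com.XXX.filter.TwoFactorAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureHandler" ref="failureHandler" />
    <property name="authenticationSuccessHandler" ref="playerAuthenticationSuccessHandler" />
    <property name="sessionAuthenticationStrategy" ref="sas" />
    <property name="postOnly" value="true" />
</bean>
```

Because step 3 runs after the fixation strategy, the session registered is the new post-login session rather than the discarded one.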