Spring安全SessionRegistry无法正常工作

时间:2014-07-24 09:50:43

标签: spring spring-mvc

首先,我将监听器保存在web.xml中

<listener>
     <listener-class>
      org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener> 

然后我的springSecurity.xml就像

 <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:security="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
                            http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                            http://www.springframework.org/schema/context 
                            http://www.springframework.org/schema/context/spring-context-3.2.xsd                                  
                            http://www.springframework.org/schema/security 
                            http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<security:http auto-config="true" use-expressions="true">

     <security:intercept-url pattern="/*" access="permitAll" />
     <security:session-management invalid-session-url="/" session-fixation-protection="newSession">
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" session-registry-alias="sessionRegistry"/>
     </security:session-management>

       <!--         access denied page -->
      <security:access-denied-handler error-page="/loginerror" />

      <security:form-login 
            login-page="/login?login_error=1" 
            default-target-url="/employee/listEmployee" 
            authentication-failure-url="/login/error" 
       />
        <security:logout invalidate-session="true" logout-success-url="/login" delete-cookies="JSESSIONID"  />
        <!-- enable csrf protection -->
<!--        <csrf/>-->

 </security:http>

<!--     Select users and user_roles from database -->
    <security:authentication-manager>
        <security:authentication-provider ref="authenticationProvider"></security:authentication-provider>
    </security:authentication-manager>
    <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService">
            <bean id="userAuthenticationService" class="com.elitenet.los.security.UserDetailsServiceImpl" />
        </property>
        <property name="passwordEncoder">
            <bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
        </property>
    </bean>

控制器如下:我需要登录的用户名列表。但是sessionRegistry没有工作。

@Autowired
@Qualifier("sessionRegistry")
private SessionRegistry sessionRegistry;





   @RequestMapping(value = "/showUserStatus",method = RequestMethod.GET)
    public ModelAndView showUserStatus() {
    List<String> usersNamesList = new ArrayList<String>();
     List<User> userList = new ArrayList<User>();
    try {

          List<Object> principals =sessionRegistry.getAllPrincipals();//the  principals  here is empty
            for (Object principal: principals) {
        //import org.springframework.security.core.userdetails for User class
        //User is a built in class of spring security core
                 if (principal instanceof User) {
                     getLog().info(((User) principal).getUserName());
                     getLog().info("going to list userNameList");
                      usersNamesList.add(((User) principal).getUserName());
        }
    }

        getLog().info("going to list user");
        userList = getUserService().getList();
    } catch (Exception er) {
        getLog().error("error while listing userList" + er);
    }
    return new ModelAndView("/user/showUserStatus", "userList", userList);

} 

任何人都可以帮助我,我做错了什么

1 个答案:

答案 0 :(得分:0)

请尝试在xml文件中提及

<bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

@Controller类

尝试注射如下

@Resource(name="sessionRegistry")
 private SessionRegistryImpl sessionRegistry;

我想你差不多了。您唯一可能错过的是使用session-registry-alias。通过在concurrency-control元素上使用该属性,您可以公开会话注册表,以便将其注入您自己的bean。

现在您有一个会话注册表的引用,该注册表将由ConcurrentSessionControlStrategy填充,该注册表由上述配置隐式设置。要使用它,您只需将其注入您的bean:

<security:session-management>
    <security:concurrency-control max-sessions="10" session-registry-ref="sessionRegistry"/>
</security:session-management>

 <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

或类似下面的内容

<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
    p:maximumSessions="1" >
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
 </bean>