Concurrent session control classes are never invoked

Time: 2015-04-10 22:16:14

Tags: java spring-security session-management spring-security-cas

This is with Spring Security 4.0 RELEASE and Spring Security CAS.

I am setting up session concurrency management with Java Config:

http
  .sessionManagement()
  .maximumSessions(1)
  .maxSessionsPreventsLogin(false)
  .expiredUrl("/tooManySessions")
  .and()
  .and();

HttpSessionEventPublisher is already enabled in the WebApplicationInitializer, and I can confirm it is running because I use it for other things that do work:

// inside the AbstractDispatcherServletInitializer subclass
@Override
protected void registerDispatcherServlet(ServletContext servletContext) {
    super.registerDispatcherServlet(servletContext);

    // to handle session creation and destruction events
    servletContext.addListener(new HttpSessionEventPublisher());
}

But at runtime it looks as if the code is never called.

Note that I am using Spring Security CAS. Does this affect session concurrency management?

1 answer:

Answer 0 (score: 0)

It turns out that to get Session Management working with CAS when using Java Config (I don't know about XML config), you need to make sure the SessionAuthenticationStrategy is explicitly set on the CasAuthenticationFilter(s).

I solved this with an ObjectPostProcessor on the CsrfFilter (doing it in the session management setup does not get the CSRF-specific SessionAuthenticationStrategy):

@Override
protected void configure(final HttpSecurity http) throws Exception {
    // the shared SessionAuthenticationStrategy only exists once the
    // SessionManagementConfigurer has run, so it is looked up inside the post-processor
    final HttpSecurity httpFinal = http;
    final CasAuthenticationFilter casAuthenticationFilter = casAuthenticationFilter();

    http
            .csrf()
                .withObjectPostProcessor(new ObjectPostProcessor<CsrfFilter>() {
                    @Override
                    public <O extends CsrfFilter> O postProcess(O csrfFilter) {
                        try {
                            final SessionAuthenticationStrategy sessionAuthenticationStrategy =
                                    httpFinal.getSharedObject(SessionAuthenticationStrategy.class);
                            if (sessionAuthenticationStrategy == null
                                    || !(sessionAuthenticationStrategy instanceof CompositeSessionAuthenticationStrategy)) {
                                throw new IllegalStateException("Cannot get CompositeSessionAuthenticationStrategy");
                            }
                            // give the CAS filter the same strategy form login would get automatically
                            casAuthenticationFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);
                        } catch (Exception e) {
                            throw new IllegalStateException(
                                    "Cannot get ahold of CasAuthenticationFilter in CsrfFilter post-processor", e);
                        }
                        return csrfFilter;
                    }
                });
}
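The same point made with explicit wiring instead of a post-processor, as an added example that is not part of the question or the answer: the concurrency strategy, the session registry and the ConcurrentSessionFilter are created by hand and the very same strategy object is handed both to sessionManagement() and to the CasAuthenticationFilter, so a CAS ticket login is counted against the session limit exactly like a form login. The class name, the URLs and the assumption that the CAS AuthenticationProvider and entry point are registered elsewhere (as in the question) are mine; HttpSessionEventPublisher is still needed, as the question registers it, so that destroyed sessions are removed from the registry.

```java
// Added example (not the question's or the answer's code). Assumes the CAS
// AuthenticationProvider and CasAuthenticationEntryPoint are configured elsewhere.
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.session.ConcurrentSessionFilter;

@Configuration
@EnableWebSecurity
public class CasSessionConcurrencyConfig extends WebSecurityConfigurerAdapter {

    // One registry shared by the strategy (which writes to it) and the
    // ConcurrentSessionFilter (which reads it). HttpSessionEventPublisher,
    // registered in the WebApplicationInitializer, removes destroyed sessions.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // The composite that sessionManagement().maximumSessions(1) would build for
    // form login: check the limit, then protect against fixation, then register.
    // The order matters: the limit must be checked before the new session is added.
    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        ConcurrentSessionControlAuthenticationStrategy limit =
                new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry());
        limit.setMaximumSessions(1);
        // false = expire the oldest session instead of rejecting the new login
        limit.setExceptionIfMaximumExceeded(false);
        return new CompositeSessionAuthenticationStrategy(Arrays.asList(
                limit,
                new SessionFixationProtectionStrategy(),
                new RegisterSessionAuthenticationStrategy(sessionRegistry())));
    }

    // The CAS filter authenticates on the ticket callback rather than a form POST,
    // so the configurer never hands it a strategy; set it explicitly, or the login
    // is never registered and the limit is never enforced.
    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter filter = new CasAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());
        filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                // hand the configurer our strategy; do not also call maximumSessions(),
                // which would build a second, separate concurrency strategy
                .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and()
            // sends a request whose session the strategy has expired to /tooManySessions
            .addFilter(new ConcurrentSessionFilter(sessionRegistry(), "/tooManySessions"))
            .addFilter(casAuthenticationFilter())
            .authorizeRequests()
                .antMatchers("/tooManySessions").permitAll()
                .anyRequest().authenticated();
    }
}
```

A quick way to confirm the wiring is to log in through CAS from two browsers for the same user and then reload the first one: with the strategy attached to the CAS filter the first session is redirected to /tooManySessions, whereas with the strategy missing (the situation in the question) both sessions stay valid and sessionRegistry().getAllPrincipals() stays empty.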