SessionManagementFilter从不调用SessionAuthenticationStrategy

时间:2016-09-22 07:15:31

标签: java spring spring-security wicket-6

我很难将我们的Web应用程序从Wicket 1.4迁移到Wicket 6.20。 我也将Spring Security迁移到之前(和旧版本)2.0.4版本的3.2.8.RELEASE版本。

这是Spring安全上下文配置的副本:

    <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant" >
        <security:filter-chain request-matcher-ref="requestMatcher"
                filters="
       securityContextPersistenceFilter,
       concurrentSessionFilter,sessionManagementFilter"
                pattern="/**" />
    </security:filter-chain-map>
</bean>

<beans:bean id="securityContextPersistenceFilter"
  class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
  <beans:constructor-arg ref="securityContextRepository"></beans:constructor-arg>
</beans:bean>

<beans:bean id="sessionManagementFilter"
    class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg ref="securityContextRepository"></beans:constructor-arg>
    <beans:constructor-arg ref="sas"></beans:constructor-arg>
</beans:bean>

<beans:bean id="requestMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher" >
    <beans:constructor-arg value="/**"></beans:constructor-arg>
</beans:bean>

<beans:bean id="concurrentSessionFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:constructor-arg ref="sessionRegistry" ></beans:constructor-arg>
    <beans:constructor-arg value="/petrol/login" ></beans:constructor-arg>
</beans:bean>

<beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
  <beans:constructor-arg>
    <beans:list>
      <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
        <beans:constructor-arg ref="sessionRegistry"/>
        <beans:property name="maximumSessions" value="1" />
        <beans:property name="exceptionIfMaximumExceeded" value="true" />
      </beans:bean>
      <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
      </beans:bean>
      <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
        <beans:constructor-arg ref="sessionRegistry"/>
      </beans:bean>
    </beans:list>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

<beans:bean id="authenticationManager"
    class="org.springframework.security.authentication.ProviderManager">
    <beans:property name="providers">
        <beans:list>
            <beans:ref local="petrolAuthenticationProvider" />
        </beans:list>
    </beans:property>
</beans:bean>

<beans:bean name='securityContextRepository'
    class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
    <beans:property name='allowSessionCreation' value='true' />
</beans:bean>

<beans:bean id="petrolAuthenticationProvider"
    class="it.loginet.petrol.infrastructure.security.PetrolAuthenticationProvider">
    <beans:property name="utenteRepository" ref="utenteRepository" />
</beans:bean>

SessionManagementFilter应过滤我们的请求,测试是否允许用户进行并发登录。 问题是,当验证成功的身份验证时,SecurityContextRepository已经包含SecurityContext,并且它不会调用“SessionAuthenticationStrategy.onAuthentication”方法。

        if (!securityContextRepository.containsContext(request)) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        if (authentication != null && !trustResolver.isAnonymous(authentication)) {
         // The user has been authenticated during the current request, so call the session strategy
            try {
                sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
            } catch (SessionAuthenticationException e) {
                // The session strategy can reject the authentication
                logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
                SecurityContextHolder.clearContext();
                failureHandler.onAuthenticationFailure(request, response, e);

                return;
            }
.........

SaveToSessionResponseWrapper类在HttpSession上保存SPRING_SECURITY_KEY属性,SessionManagementFilter已在HttpSession上找到此属性并实际跳过内部SessionAuthenticationStrategy验证。

我在迁移时遇到了什么问题?

1 个答案:

答案 0 :(得分:2)

好的,我想我找到了解决问题的方法..

SessionManagementFilter,如此处所述(http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#ftn.d5e3442),无法识别表单登录身份验证,因为我在我的应用程序中使用它。 因此,永远不会调用此过滤器内的并发策略。

所以我决定使用新的SessionManagementProviderManager实例扩展ProviderManager类,重写ProviderManager.authenticate()方法以应用1)使用内部AuthenticationManager和2)SessionAuthenticationStrategy.onAuthentication()的初始身份验证过程结果验证从第1点返回。

也许这个答案可以帮助其他人在迁移Spring Security时遇到同样的问题。

相关问题
最新问题