grails 3与并发会话

时间:2016-09-28 08:00:28

标签: spring session grails spring-security

我试图从2.1.1升级我的项目。到3.1.1

我遇到并发会话的问题 例如......

我使用用户名" AAA"在浏览器" chrome" 然后其他用户再次使用用户名" AAA"在其他浏览器上然后用户名" AAA"将自动退出浏览器" chrome"

..继承我的代码

登录控制器

package accounter

import com.vastpalaso.security.User
import grails.converters.JSON
import grails.plugin.springsecurity.SpringSecurityUtils
import org.slf4j.Logger
import org.slf4j.LoggerFactory
import grails.converters.JSON
import org.springframework.security.access.annotation.Secured
import org.springframework.security.authentication.AccountExpiredException
import org.springframework.security.authentication.AuthenticationTrustResolver
import org.springframework.security.authentication.CredentialsExpiredException
import org.springframework.security.authentication.DisabledException
import org.springframework.security.authentication.LockedException
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.web.WebAttributes
import grails.plugin.springsecurity.SpringSecurityUtils
import org.springframework.security.web.authentication.session.SessionAuthenticationException

import javax.servlet.http.HttpServletResponse

@Secured('permitAll')
class LoginController {

    /** Dependency injection for the authenticationTrustResolver. */
    AuthenticationTrustResolver authenticationTrustResolver

    /** Dependency injection for the springSecurityService. */
    def springSecurityService
    def cifService

    private static final Logger logger = LoggerFactory.getLogger(this)

    /** Default action; redirects to 'defaultTargetUrl' if logged in, /login/auth otherwise. */
    def index() {
        if (springSecurityService.isLoggedIn()) {
            redirect uri: conf.successHandler.defaultTargetUrl
        }
        else {
            redirect action: 'auth', params: params
        }
    }

    /** Show the login page. */
    def auth() {

        def conf = getConf()

        if (springSecurityService.isLoggedIn()) {
            redirect uri: conf.successHandler.defaultTargetUrl
            return
        }

        String postUrl = request.contextPath + conf.apf.filterProcessesUrl
        render view: 'auth', model: [postUrl: postUrl,
                                     rememberMeParameter: conf.rememberMe.parameter,
                                     usernameParameter: conf.apf.usernameParameter,
                                     passwordParameter: conf.apf.passwordParameter,
                                     gspLayout: conf.gsp.layoutAuth]
    }

    /** The redirect action for Ajax requests. */
    def authAjax() {
        response.setHeader 'Location', conf.auth.ajaxLoginFormUrl
        render(status: HttpServletResponse.SC_UNAUTHORIZED, text: 'Unauthorized')
    }

    /** Show denied page. */
    def denied() {
        if (springSecurityService.isLoggedIn() && authenticationTrustResolver.isRememberMe(authentication)) {
            // have cookie but the page is guarded with IS_AUTHENTICATED_FULLY (or the equivalent expression)
            redirect action: 'full', params: params
            return
        }

        [gspLayout: conf.gsp.layoutDenied]
    }

    /** Login page for users with a remember-me cookie but accessing a IS_AUTHENTICATED_FULLY page. */
    def full() {
        def conf = getConf()
        render view: 'auth', params: params,
                model: [hasCookie: authenticationTrustResolver.isRememberMe(authentication),
                        postUrl: request.contextPath + conf.apf.filterProcessesUrl,
                        rememberMeParameter: conf.rememberMe.parameter,
                        usernameParameter: conf.apf.usernameParameter,
                        passwordParameter: conf.apf.passwordParameter,
                        gspLayout: conf.gsp.layoutAuth]
    }

    /** Callback after a failed login. Redirects to the auth page with a warning message. */
    def authfail() {
        def username = session['SPRING_SECURITY_LAST_USERNAME']
        String msg = ''
        def exception = session[WebAttributes.AUTHENTICATION_EXCEPTION]
        if (exception) {
            if (exception instanceof AccountExpiredException) {
                msg = message(code: 'springSecurity.errors.login.expired')
            }
            else if (exception instanceof CredentialsExpiredException) {
                msg = message(code: 'springSecurity.errors.login.passwordExpired')
            }
            else if (exception instanceof DisabledException) {
                msg = message(code: 'springSecurity.errors.login.disabled')
            }
            else if (exception instanceof LockedException) {
                msg = message(code: 'springSecurity.errors.login.locked')
            }
            else if (exception instanceof SessionAuthenticationException){
                msg = exception.getMessage()
                println "test"
            }
            else {
                msg = message(code: 'springSecurity.errors.login.fail')
            }
        }

        try {
            boolean block = false;

            block = cifService.addTryLogin(username)
            if(session){
                render([error: msg, block: block, reload: false] as JSON)
            }
            else{
                render([error: msg, block: block, reload: true] as JSON)
            }
        }
        //catch unknown RuntimeException, redirect to Error 500 server Error page
        catch (RuntimeException e) {
            logger.error(e.getMessage(), e)
            redirect(controller: "error", action: "serverError")
            return
        }

        if (springSecurityService.isAjax(request)) {
            render([error: msg] as JSON)
        }
        else {
            flash.message = msg
            redirect action: 'auth', params: params
        }
    }

    /** The Ajax success redirect url. */
    def ajaxSuccess() {
        def user = com.vastpalaso.security.User.findByUsername(springSecurityService.authentication.name)
        def userDetails = com.vastpalaso.security.UserDetails.findByUser(user)
        def cifUsergetCif

        try{
            cifUsergetCif = com.vastpalaso.app.cif.CifUser.findByUserDetails(userDetails)
            session.setAttribute("company",cifUsergetCif.cif.corpName)
        }
        catch (Exception e){
            println "e = "+e
            println "You are loginning as admin!"
        }

        try {

            println "params = "+params
            def ipAddress = request.getHeader("Client-IP")
            if (!ipAddress) {
                ipAddress = request.getHeader("X-Forwarded-For")
            }
            if (!ipAddress) {
                ipAddress = request.getRemoteAddr()
            }

            try{

                cifService.resetTryLoginAddInfo(userDetails, ipAddress, session.id)
            }catch (Exception e){
                println "e = "+e
            }

            session.setAttribute("alias", userDetails.userAlias)
            session.setAttribute("fullName", userDetails.firstName + " " + userDetails.lastName)
            session.setAttribute("change", userDetails.forceChangePassword)
            session.setAttribute("userType", userDetails.userType)


            if(userDetails.language != null){
                session[org.springframework.web.servlet.i18n.SessionLocaleResolver.LOCALE_SESSION_ATTRIBUTE_NAME] = new Locale(userDetails.language)
            }
            else{
                session[org.springframework.web.servlet.i18n.SessionLocaleResolver.LOCALE_SESSION_ATTRIBUTE_NAME] = new Locale("id")
            }
            buildMenuList()
            println "test = "
            if (params.callback) {
                render"${params.callback} (${[success: true,id: userDetails.id ,change: userDetails.forceChangePassword, username: springSecurityService.authentication.name, fullName: (userDetails.firstName + " " + userDetails.lastName)] as JSON})"
            }
            else {
                render([success: true,id: userDetails.id, change: userDetails.forceChangePassword, username: springSecurityService.authentication.name, fullName: (userDetails.firstName + " " + userDetails.lastName)] as JSON)
            }
        }
        //catch unknown RuntimeException, redirect to Error 500 server Error page
        catch (RuntimeException e) {
            logger.error(e.getMessage(), e)
            redirect(controller: "error", action: "serverError")
            return
        }

        render([success: true, username: authentication.name] as JSON)
    }


    /** The Ajax denied redirect url. */
    def ajaxDenied() {
        render([error: 'access denied'] as JSON)
    }

    protected Authentication getAuthentication() {
        SecurityContextHolder.context?.authentication
    }

    protected ConfigObject getConf() {
        SpringSecurityUtils.securityConfig
    }

    def concurrentSession = {

        def msg = "Your account is logged in from another browser or location."

        if (springSecurityService.isAjax(request)) {
            render([error: msg] as JSON)
        }
        else {
            flash.message = msg
            redirect action: 'auth', params: params
        }

    }
}

这是resouces.groovy

// Place your Spring DSL code here
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import com.vastpalaso.helper.CustomSessionLogoutHandler
import org.springframework.security.web.session.ConcurrentSessionFilter
beans = {

    sessionRegistry(SessionRegistryImpl)

    customSessionLogoutHandler(CustomSessionLogoutHandler,ref('sessionRegistry'))

    concurrencyFilter(ConcurrentSessionFilter) {
        sessionRegistry = sessionRegistry
        logoutHandlers = [ref("rememberMeServices"), ref("securityContextLogoutHandler")]
        expiredUrl='/login/concurrentSession'
    }

    concurrentSessionControlAuthenticationStrategy(ConcurrentSessionControlAuthenticationStrategy,ref('sessionRegistry')){
        exceptionIfMaximumExceeded = true
        maximumSessions = 1
    }

    sessionFixationProtectionStrategy(SessionFixationProtectionStrategy){
        migrateSessionAttributes = true
        alwaysCreateSession = true
    }
    registerSessionAuthenticationStrategy(RegisterSessionAuthenticationStrategy,ref('sessionRegistry'))

    sessionAuthenticationStrategy(CompositeSessionAuthenticationStrategy,[ref('concurrentSessionControlAuthenticationStrategy'),ref('sessionFixationProtectionStrategy'),ref('registerSessionAuthenticationStrategy')])


    jmsConnectionFactory(org.apache.activemq.ActiveMQConnectionFactory) { brokerURL = "tcp://localhost:61616" }
}

这是我从此page

复制的代码
package com.vastpalaso.helper;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.util.Assert;
import org.springframework.security.core.session.SessionRegistry;

/**
 * {@link CustomSessionLogoutHandler} is in charge of removing the {@link SessionRegistry} upon logout. A
 * new {@link SessionRegistry} will then be generated by the framework upon the next request.
 *
 * @author Mohd Qusyairi
 * @since 0.1
 */
public final class CustomSessionLogoutHandler implements LogoutHandler {
    private final SessionRegistry sessionRegistry;

    /**
     * Creates a new instance
     * @param sessionRegistry the {@link SessionRegistry} to use
     */
    public CustomSessionLogoutHandler(SessionRegistry sessionRegistry) {
        Assert.notNull(sessionRegistry, "sessionRegistry cannot be null");
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Clears the {@link SessionRegistry}
     *
     * @see org.springframework.security.web.authentication.logout.LogoutHandler#logout(javax.servlet.http.HttpServletRequest,
     * javax.servlet.http.HttpServletResponse,
     * org.springframework.security.core.Authentication)
     */
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        this.sessionRegistry.removeSessionInformation(request.getSession().getId());
    }
}

1 个答案:

答案 0 :(得分:2)

这将使当前登录的用户过期(相同的用户名和密码)。新用户可以继续登录而不会出现任何问题。

通过将此实例添加到src文件夹来创建SessionAuthenticationStrategy的新实现。在grails中的 grails 3,(src / main / groovy)(2.x src / groovy)。 我将此称为基于您想要实现的内容的自定义名称,将其保存为 ConcurrentSingleSessionAuthenticationStrategy.groovy

onload=checkAuth

resources.groovy

    package com.myapp.test;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.session.HttpSessionEventPublisher;
    import org.springframework.util.Assert;
    import org.springframework.security.core.session.SessionRegistry;
    import grails.plugin.springsecurity.SpringSecurityUtils;
    import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

    /**
     * Strategy used to register a user with the {@link SessionRegistry} after successful
     * {@link Authentication}.
     *
     * <p>
     * {@link RegisterSessionAuthenticationStrategy} is typically used in combination with
     * {@link CompositeSessionAuthenticationStrategy} and
     * {@link ConcurrentSessionControlAuthenticationStrategy}, but can be used on its own if
     * tracking of sessions is desired but no need to control concurrency.
     *
     * <p>
     * NOTE: When using a {@link SessionRegistry} it is important that all sessions (including
     * timed out sessions) are removed. This is typically done by adding
     * {@link HttpSessionEventPublisher}.
     *
     * @see CompositeSessionAuthenticationStrategy
     *
     * @author Luke Taylor
     * @author Rob Winch
     * @since 3.2
     */
    public class ConcurrentSingleSessionAuthenticationStrategy implements
            SessionAuthenticationStrategy {
        private SessionRegistry sessionRegistry;

        /**
         * @param sessionRegistry the session registry which should be updated when the
         * authenticated session is changed.
         */
        public ConcurrentSingleSessionAuthenticationStrategy(SessionRegistry sessionRegistry) {
            Assert.notNull(sessionRegistry, "SessionRegistry cannot be null");
            this.sessionRegistry = sessionRegistry;
        }
        /**
         * In addition to the steps from the superclass, the sessionRegistry will be removing
         * with the new session information.
         */
        public void onAuthentication(Authentication authentication,
                HttpServletRequest request, HttpServletResponse response) {

            def sessions = sessionRegistry.getAllSessions(
                    authentication.getPrincipal(), false);

            def principals = sessionRegistry.getAllPrincipals()
            sessions.each{
                if(it.principal == authentication.getPrincipal()){
                    it.expireNow()
                }
            }


        }
    }

在config中,最后添加以下行:

    import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
    import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
    import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
    import org.springframework.security.core.session.SessionRegistryImpl;
    import com.myapp.test.ConcurrentSingleSessionAuthenticationStrategy;
    import org.springframework.security.web.session.ConcurrentSessionFilter
    // Place your Spring DSL code here
    beans = {
            sessionRegistry(SessionRegistryImpl)
            //I see you did not have this. Very dangerous!
            sessionFixationProtectionStrategy(SessionFixationProtectionStrategy){
                migrateSessionAttributes = true
                alwaysCreateSession = true
            }
            //Initiate the bean
            concurrentSingleSessionAuthenticationStrategy(ConcurrentSingleSessionAuthenticationStrategy,ref('sessionRegistry'))
            registerSessionAuthenticationStrategy(RegisterSessionAuthenticationStrategy,ref('sessionRegistry'))
            sessionAuthenticationStrategy(CompositeSessionAuthenticationStrategy,[ref('concurrentSingleSessionAuthenticationStrategy'),ref('sessionFixationProtectionStrategy'),ref('registerSessionAuthenticationStrategy')])
            concurrentSessionFilter(ConcurrentSessionFilter,ref('sessionRegistry'))
    }

希望这会有所帮助。