java - Spring Security 3.2.4 中的 ConcurrentSessionControlStrategy

Question

我有一个使用 ConcurrentSessionControlStrategy 和我自己的 sessionRegistry 实现的工作配置。我升级到 spring security 3.2.4 并且不得不将 ConcurrentSessionControlStrategy 更改为 ConcurrentSessionControlAuthenticationStrategy。现在似乎 sessionRegistry 没有连接意味着 ConcurrentSessionControlAuthenticationStrategy.onAuthenticaton 没有进入 sessionRegistry.registerNewSession。去什么？

我的配置文件:

    <security:http use-expressions="true" auto-config="false"
        entry-point-ref="loginUrlAuthenticationEntryPoint">


        <security:intercept-url pattern="/**"
            access="isAuthenticated()" />

        <security:custom-filter position="FORM_LOGIN_FILTER"
            ref="twoFactorAuthenticationFilter" />



        <security:logout logout-url="/player/logout"
            logout-success-url="/demo/player/logoutSuccess" />

        <security:session-management>
            <security:concurrency-control
                max-sessions="1" session-registry-ref="clusteredSessionRegistryImpl"
                error-if-maximum-exceeded="false" />
        </security:session-management>

    </security:http>



    <bean
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
        <constructor-arg ref="clusteredSessionRegistryImpl" />
        <property name="maximumSessions" value="1" />
    </bean>

    <bean id="loginUrlAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/demo/player/login?login_error=true" />
    </bean>

    <bean id="twoFactorAuthenticationFilter" class="com.XXX.filter.TwoFactorAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationFailureHandler" ref="failureHandler" />
        <property name="authenticationSuccessHandler" ref="playerAuthenticationSuccessHandler" />
        <property name="postOnly" value="true" />
    </bean>


    <bean id="failureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/login?login_error=true" />

    </bean>

    <bean id="bCryptPasswordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="authenticationProvider">
        </security:authentication-provider>
    </security:authentication-manager>

</beans>

Answer 1

看来我迟到了，但无论如何..

ConcurrentSessionControlStrategy 的功能现在完全分为三个策略 - ConcurrentSessionControlAuthenticationStrategy、SessionFixationProtectionStrategy 和 RegisterSessionAuthenticationStrategy。

要有一个正确的替代品，您应该使用 CompositeSessionAuthenticationStrategy 按上述顺序添加这三个委托(delegate)。

所以，恐怕，在弃用评论中错误地提到了 ConcurrentSessionControlAuthenticationStrategy 而不是 ConcurrentSessionControlStrategy。它至少需要 RegisterSessionAuthenticationStrategy 的可用性来维护 SessionRegistry。否则，SessionRegistry 保持为空，并且“替代”总是报告“ok”。

我想，这种方法已经改变，使其更灵活地将多个处理程序作为委托(delegate)而不是一个(使用 CompositeSessionAuthenticationStrategy，你可以有任意数量的 SessionAuthenticationStrategy做独立 :) 事情)。