私はSpring 4.1 Webアプリを持っています。私はSpring-SecurityとSpring Sessionを使用しています.WebSocketで使用したいSpring Sessionは、WebSocketが機能している限りタイムアウトなしでセッションを維持します.
すべて正常に動作しますが、春のセキュリティ用と春のセッション用の 2 つのセッションが実行されていることは明らかです。
これは私の session.xml です:
<bean id="jedisConnFactory" class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory">
<property name="hostName" value="localhost"/>
<property name="port" value="6379" />
</bean>
<bean class="org.springframework.session.data.redis.RedisOperationsSessionRepository" name="sessionRepository" >
<constructor-arg name="redisConnectionFactory" ref="jedisConnFactory" />
<!--<property name="defaultMaxInactiveInterval" value="60" />-->
</bean>
<bean class="org.springframework.session.web.http.HeaderHttpSessionStrategy" name="sessionStrategy" />
<bean name="springSessionRepositoryFilter" class="org.springframework.session.web.http.SessionRepositoryFilter">
<constructor-arg name="sessionRepository" ref="sessionRepository" />
</bean>
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration" >
<property name="httpSessionStrategy" ref="sessionStrategy"/>
</bean>
そして、ここに私のsecurity.xmlがあります:
<!-- Security -->
<bean id="userDetailsService" class="com.fg.ts.base.security.userdetails.CustomUserDetailsService" />
<bean id="passwordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder">
<constructor-arg value="${encoder.password}" />
</bean>
<sec:authentication-manager id="authenticationManager">
<sec:authentication-provider user-service-ref="userDetailsService">
<sec:password-encoder ref="passwordEncoder" />
</sec:authentication-provider>
</sec:authentication-manager>
<sec:global-method-security pre-post-annotations="enabled" secured-annotations="disabled"
jsr250-annotations="enabled" authentication-manager-ref="authenticationManager" />
<!-- Exclude the resources+error+auth pages from security filter -->
<sec:http pattern="/javax.faces.resource/**" security="none" />
<sec:http pattern="/images/**" security="none" />
<sec:http pattern="/css/**" security="none" />
<sec:http pattern="/ico/**" security="none" />
<sec:http pattern="/lib/**" security="none" />
<sec:http pattern="/js/**" security="none" />
<sec:http pattern="/auth/**" security="none" />
<sec:http pattern="/error/**" security="none" />
<sec:http pattern="/api/concordancer/search/**" security="none" />
<sec:http pattern="/concordancer/search" security="none"/>
<sec:http pattern="/assets/cdSearch.xhtml" security="none"/>
<sec:http pattern="/api/tmGroup/**" security="none"/>
<sec:http pattern="/api/reports/download/**" security="none"/>
<sec:http pattern="/api/socket/tasks/info/**" security="none"/>
<!-- Security Configuration for Faces Pages -->
<!-- Start Customization for Faces -->
<!-- ***************************** -->
<!-- Failure Login Handler -->
<bean id="authenticationFailureHandler" class="com.fg.ts.web.util.security.LoginFailureHandler">
<property name="defaultFailureUrl" value="/auth/login" />
</bean>
<!-- Faces Redirect -->
<bean id="facesRedirectStrategy" class="com.fg.ts.web.util.security.FacesRedirectStrategy">
<property name="invalidSessionUrl" value="/auth/login/sessionExpired" />
</bean>
<!-- Shared Objects -->
<bean id="securityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<!-- Session Authentication Strategy -->
<bean id="sessionFixationAuthenticationStrategy" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
<bean id="registerSessionStrategy" class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
<bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
<constructor-arg name="delegateStrategies">
<list>
<!-- <ref bean="concurrentSessionStrategy" /> -->
<ref bean="sessionFixationAuthenticationStrategy" />
<ref bean="registerSessionStrategy" />
</list>
</constructor-arg>
</bean>
<!-- Remember-Me Service -->
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<constructor-arg name="key" value="${encoder.password}" />
<constructor-arg name="userDetailsService" ref="userDetailsService" />
<property name="parameter" value="j_remember_me" />
<property name="cookieName" value="TMS_REME" />
</bean>
<!-- Filters -->
<bean id="usernamePasswordAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy" />
<property name="rememberMeServices" ref="rememberMeServices" />
<property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
</bean>
<bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<constructor-arg name="securityContextRepository" ref="securityContextRepository" />
<constructor-arg name="sessionStrategy" ref="sessionAuthenticationStrategy" />
<property name="invalidSessionStrategy" ref="facesRedirectStrategy" />
<property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
</bean>
<bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<constructor-arg name="expiredUrl" value="/auth/login/expiredDueToConcurrentAccess" />
<property name="redirectStrategy" ref="facesRedirectStrategy" />
</bean>
<bean id="authEntryPoint" class="com.fg.ts.web.util.security.FacesLoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/auth/login"/>
</bean>
<!-- End Customization for Faces -->
<!-- ***************************** -->
<sec:http use-expressions="true" disable-url-rewriting="true" authentication-manager-ref="authenticationManager"
entry-point-ref="authEntryPoint"> <!--security-context-repository-ref="securityContextRepository"-->
<sec:http-basic />
<sec:custom-filter ref="usernamePasswordAuthenticationFilter" before="FORM_LOGIN_FILTER" />
<sec:custom-filter ref="sessionManagementFilter" position="SESSION_MANAGEMENT_FILTER" />
<sec:anonymous />
<sec:remember-me key="${encoder.password}" services-ref="rememberMeServices" />
<sec:form-login login-page="/auth/login" authentication-failure-handler-ref="authenticationFailureHandler" />
<sec:logout logout-url="/logout" invalidate-session="true" delete-cookies="TMS_SES,TMS_REME"
logout-success-url="/auth/login" />
<sec:session-management session-fixation-protection="none" />
<!-- General Access Control -->
<sec:intercept-url pattern="/projects/**" access="hasAnyRole('ROLE_ADMIN','ROLE_PM')" />
<sec:intercept-url pattern="/assets/**" access="hasAnyRole('ROLE_ADMIN','ROLE_PM')" />
<sec:intercept-url pattern="/setup/**" access="hasAnyRole('ROLE_ADMIN','ROLE_PM')" />
<sec:intercept-url pattern="/tm/**" access="hasAnyRole('ROLE_ADMIN','ROLE_PM')" />
<sec:intercept-url pattern="/termBase/**" access="hasAnyRole('ROLE_ADMIN','ROLE_PM')" />
<sec:intercept-url pattern="/quality/**" access="hasAnyRole('ROLE_ADMIN','ROLE_PM')" />
<sec:intercept-url pattern="/editor/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/api/**" access="isAuthenticated()" />
<sec:intercept-url pattern="/**" access="isAuthenticated()" />
</sec:http>
spring-session によって作成されたセッションを春のセキュリティで使用するにはどうすればよいですか?