2

この記事を参考にして、ログイン ページの Krams チュートリアルを作成しました。

しかし、最新のドキュメントに従って sessionRegistry 構成を変更しました

http://docs.spring.io/autorepo/docs/spring-security/3.2.7.RELEASE/reference/htmlsingle/#concurrent-sessions

そして、プリンシパルのリストを 0 として取得します。

ここに私の設定ファイルがあります

        <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns:security="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:mvc="http://www.springframework.org/schema/mvc"
        xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

        <!-- DispatcherServlet Context: defines this servlet's request-processing 
            infrastructure -->

        <!-- Enables the Spring MVC @Controller programming model -->
        <mvc:annotation-driven />

    <!-- Handles HTTP GET requests for /resources/** by efficiently serving 
        up static resources in the ${webappRoot}/resources directory -->
    <!-- <mvc:resources mapping="/resources/**" location="/resources/" /> -->

    <!-- Resolves views selected for rendering by @Controllers to .jsp resources 
        in the /WEB-INF/views directory -->
    <beans:bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <beans:property name="prefix" value="/WEB-INF/views/" />
        <beans:property name="suffix" value=".jsp" />
    </beans:bean>

    <context:component-scan base-package="com.project.session" />

    <security:http auto-config="false" entry-point-ref="authenticationEntryPoint" use-expressions="true" >



        <security:intercept-url pattern="/krams/auth/login" access="permitAll" />
        <security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')" />
        <security:intercept-url pattern="/krams/main/common"    access="hasRole('ROLE_USER')" />
        <security:intercept-url pattern="/krams/main/users" access="hasRole('ROLE_USER')" />

        <security:logout 
                invalidate-session="true"
            logout-success-url="/krams/auth/login" 
            logout-url="/krams/auth/logout" />


        <security:custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
                <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <security:session-management    session-authentication-strategy-ref="sas" />

    </security:http>



    <beans:bean id="myAuthFilter"   class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy"
            ref="sas" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationSuccessHandler"
            ref="customAuthenticationSuccessHandler" />
        <beans:property name="authenticationFailureHandler"
            ref="customAuthenticationFailureHandler" />
    </beans:bean>


    <beans:bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/krams/auth/login?error=true"></beans:property>
    </beans:bean>

    <beans:bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/krams/main/common"></beans:property>
    </beans:bean>





    <beans:bean id="concurrencyFilter"  class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/krams/auth/session-expired" />
    </beans:bean>


    <beans:bean id="authenticationEntryPoint"   class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/krams/auth/login"></beans:property>
    </beans:bean>
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="myUserDetailService">
            <!-- <security:password-encoder hash="sha" /> -->
        </security:authentication-provider>
    </security:authentication-manager>

    <security:user-service id="myUserDetailService">
        <security:user name="john" password="admin1234"
            authorities="ROLE_USER" />
        <security:user name="jane" password="admin1234"
            authorities="ROLE_USER" />
    </security:user-service>

<!--    <beans:bean id="sas"    class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean
                    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry" />
                    <beans:property name="maximumSessions" value="1" />
                    <beans:property name="exceptionIfMaximumExceeded"
                        value="true" />
                </beans:bean>
                <beans:bean
                    class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
                </beans:bean>
                <beans:bean
                    class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry" />
                </beans:bean>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean> -->

    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
            <beans:property name = "maximumSessions" value="-1" />
            <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    </beans:bean>

    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans:beans>

そして、これがコントローラーでの使用方法です

     @Autowired
 @Qualifier("sessionRegistry")
 private SessionRegistry sessionRegistry;



    /**
  * Handles and retrieves list of logged-in users as JSP view
  * 
  * @return the name of the JSP page
  */
    @RequestMapping(value = "/users", method = RequestMethod.GET)
    public String getUsersPage(Model model) {
     logger.debug("Received request to show users page");

     logger.debug("Total logged-in users: " + sessionRegistry.getAllPrincipals().size());
     System.out.println("Total logged-in users: " + sessionRegistry.getAllPrincipals().size());
     logger.debug("List of logged-in users: ");
      System.out.println("List of logged-in users: ");

     for (Object username: sessionRegistry.getAllPrincipals()) {
      logger.debug((String) username);
      System.out.println("names " + (String) username);
     }
     if(sessionRegistry.getAllPrincipals().size() == 0)
         return "userspage";
     logger.debug("Total sessions including expired ones: " + sessionRegistry.getAllSessions(sessionRegistry.getAllPrincipals().get(0), true).size());
     logger.debug("Total sessions: " + sessionRegistry.getAllSessions(sessionRegistry.getAllPrincipals().get(0), false).size());

     // Attach to model list of users and granted authorities
     model.addAttribute("users", sessionRegistry.getAllPrincipals());
     model.addAttribute("total", sessionRegistry.getAllPrincipals().size());

     // This will resolve to /WEB-INF/jsp/userspage.jsp
     return "userspage";
 }

ここにweb.xmlがあります

 <?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/root-context.xml,/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</context-param>

<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

 <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Processes application requests -->
<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/krams/*</url-pattern>
</servlet-mapping>

誰かが私が間違いを犯している場所を教えてもらえますか? 構成が欠落しているか間違っていますか?

4

1 に答える 1

2

ContextLoaderListenerとの両方DispatcherServletが同じ構成をロードしています。これにより、アプリケーション全体が 2 回読み込まれ、Spring Security がコントローラーとは異なるSessionRegistryインスタンスを使用することになり、コントローラーは常に空になります。

ContextLoaderListenerによってロードされる構成とによってロードされる構成に分割する必要がありますDispatcherServlet

ContextLoaderListener1 つには、サービス、リポジトリ、インフラストラクチャ Bean (データソース、接続ファクトリなど) およびセキュリティ構成などのすべてのグローバルなものが含まれている必要があります。また、現在の構成は非常に過剰であり、security名前空間を使用するだけで同じことが実現できると思います。それを考慮すると、構成は次のようになります。

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <context:component-scan base-package="com.project.session">
        <context:exclude-filter type="annotation" expression="org.springframework.stereotype.Controller"/>
    </context:component-scan>

    <security:http use-expressions="true">

        <security:intercept-url pattern="/krams/auth/login" access="permitAll"/>
        <security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/krams/main/common" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/krams/main/users" access="hasRole('ROLE_USER')"/>

        <security:form-login login-page="/krams/auth/login"
                             default-target-url="/krams/main/common"
                             authentication-failure-url="/krams/auth/login?error=true"/>
        <security:logout invalidate-session="true" logout-success-url="/krams/auth/login"
                         logout-url="/krams/auth/logout"/>

        <security:session-management>
            <security:concurrency-control max-sessions="1" session-registry-alias="sessionRegistry" expired-url="/krams/auth/session-expired"/>
        </security:session-management>

    </security:http>



    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:user-service>
                <security:user name="john" password="admin1234" authorities="ROLE_USER"/>
                <security:user name="jane" password="admin1234" authorities="ROLE_USER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

の構成は、DispatcherServletコントローラー、ビュー リゾルバーなどの Web 関連の Bean のみをロードする必要があります。次のようになります。

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

       <!-- DispatcherServlet Context: defines this servlet's request-processing
           infrastructure -->

       <!-- Enables the Spring MVC @Controller programming model -->
       <mvc:annotation-driven />

       <!-- Handles HTTP GET requests for /resources/** by efficiently serving
           up static resources in the ${webappRoot}/resources directory -->
       <!-- <mvc:resources mapping="/resources/**" location="/resources/" /> -->

       <!-- Resolves views selected for rendering by @Controllers to .jsp resources
           in the /WEB-INF/views directory -->
       <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
              <property name="prefix" value="/WEB-INF/views/" />
              <property name="suffix" value=".jsp" />
       </bean>

       <context:component-scan base-package="com.project.session" use-default-filters="false">
           <context:include-filter type="annotation" expression="org.springframework.stereotype.Controller" />
       </context:component-scan>


</beans>

これにより、Bean が一度ロードされ、コントローラーは正しいSessionRegistryインスタンスを取得する必要があります。

于 2015-05-26T06:39:58.757 に答える