2016-09-22, 191 views

I'm having trouble migrating our web application from Wicket 1.4 to Wicket 6.20. I also moved Spring Security from the previous (and old) version 2.0.4 to version 3.2.8.RELEASE. SessionManagementFilter never calls SessionAuthenticationStrategy.

Here is a copy of the Spring Security context configuration:

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy"> 
    <security:filter-chain-map path-type="ant" > 
     <security:filter-chain request-matcher-ref="requestMatcher" 
       filters=" 
     securityContextPersistenceFilter, 
     concurrentSessionFilter,sessionManagementFilter" 
       pattern="/**" /> 
    </security:filter-chain-map> 
</bean> 

<beans:bean id="securityContextPersistenceFilter" 
    class="org.springframework.security.web.context.SecurityContextPersistenceFilter"> 
    <beans:constructor-arg ref="securityContextRepository"></beans:constructor-arg> 
</beans:bean> 

<beans:bean id="sessionManagementFilter" 
    class="org.springframework.security.web.session.SessionManagementFilter"> 
    <beans:constructor-arg ref="securityContextRepository"></beans:constructor-arg> 
    <beans:constructor-arg ref="sas"></beans:constructor-arg> 
</beans:bean> 

<beans:bean id="requestMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher" > 
    <beans:constructor-arg value="/**"></beans:constructor-arg> 
</beans:bean> 

<beans:bean id="concurrentSessionFilter" 
    class="org.springframework.security.web.session.ConcurrentSessionFilter"> 
    <beans:constructor-arg ref="sessionRegistry" ></beans:constructor-arg> 
    <beans:constructor-arg value="/petrol/login" ></beans:constructor-arg> 
</beans:bean> 

<beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy"> 
    <beans:constructor-arg> 
    <beans:list> 
     <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy"> 
     <beans:constructor-arg ref="sessionRegistry"/> 
     <beans:property name="maximumSessions" value="1" /> 
     <beans:property name="exceptionIfMaximumExceeded" value="true" /> 
     </beans:bean> 
     <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"> 
     </beans:bean> 
     <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy"> 
     <beans:constructor-arg ref="sessionRegistry"/> 
     </beans:bean> 
    </beans:list> 
    </beans:constructor-arg> 
</beans:bean> 

<beans:bean id="sessionRegistry" 
    class="org.springframework.security.core.session.SessionRegistryImpl" /> 

<beans:bean id="authenticationManager" 
    class="org.springframework.security.authentication.ProviderManager"> 
    <beans:property name="providers"> 
     <beans:list> 
      <beans:ref local="petrolAuthenticationProvider" /> 
     </beans:list> 
    </beans:property> 
</beans:bean> 

<beans:bean name='securityContextRepository' 
    class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'> 
    <beans:property name='allowSessionCreation' value='true' /> 
</beans:bean> 

<beans:bean id="petrolAuthenticationProvider" 
    class="it.loginet.petrol.infrastructure.security.PetrolAuthenticationProvider"> 
    <beans:property name="utenteRepository" ref="utenteRepository" /> 
</beans:bean> 

SessionManagementFilter should filter our requests, testing whether concurrent logins are allowed for the user. The problem is that, when the authentication has been validated successfully, the SecurityContextRepository already contains the SecurityContext, so the filter does not call the "SessionAuthenticationStrategy.onAuthentication" method.

if (!securityContextRepository.containsContext(request)) {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

    if (authentication != null && !trustResolver.isAnonymous(authentication)) {
        // The user has been authenticated during the current request, so call the session strategy
        try {
            sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
        } catch (SessionAuthenticationException e) {
            // The session strategy can reject the authentication
            logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
            SecurityContextHolder.clearContext();
            failureHandler.onAuthenticationFailure(request, response, e);

            return;
        }
.........

The SaveToSessionResponseWrapper class saves the SPRING_SECURITY_KEY attribute in the HttpSession, so SessionManagementFilter already finds this attribute in the HttpSession and effectively skips the SessionAuthenticationStrategy check inside it.

What am I doing wrong in the migration?

Answer

OK, I think I found the solution to my problem..

SessionManagementFilter, as stated here (http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#ftn.d5e3442), is not invoked because in my application I'm using a form-login authentication that it does not recognize. Therefore the concurrency strategy inside the filter will never be called..

So I decided to extend the ProviderManager class with a new SessionManagementProviderManager instance, overriding the ProviderManager.authenticate() method so that it uses the inner AuthenticationManager to apply 1) the initial authentication process and 2) SessionAuthenticationStrategy.onAuthentication() on the resulting Authentication returned from point 1).

Maybe this answer can help others migrating Spring Security..
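The approach the answer describes, written out as an added example (this is not the answerer's code and not part of Spring Security or Wicket). It assumes the class is named SessionManagementProviderManager as in the answer, that the providers list and the `sas` composite strategy from the question's configuration are injected through the constructor, and that the current servlet request and response are obtained from Wicket 6's RequestCycle (an assumption; a Spring RequestContextHolder lookup would also work if a RequestContextListener is registered). With this in place the concurrency-control, session-fixation and session-registry strategies run on every successful login even though SessionManagementFilter never sees the authentication happen:

```java
package it.loginet.petrol.infrastructure.security; // hypothetical package, matching the question's provider

import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.wicket.request.cycle.RequestCycle;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * ProviderManager that, after a successful authentication, also applies the
 * SessionAuthenticationStrategy (concurrent-session control, session fixation
 * protection, session registry registration). This compensates for the
 * SessionManagementFilter never detecting the login performed by the Wicket
 * form, because the SecurityContext is already in the HttpSession by the time
 * the filter inspects the request.
 */
public class SessionManagementProviderManager extends ProviderManager {

    private final SessionAuthenticationStrategy sessionStrategy;

    // Wiring assumption: constructor-arg list of providers plus the "sas" bean
    public SessionManagementProviderManager(List<AuthenticationProvider> providers,
                                            SessionAuthenticationStrategy sessionStrategy) {
        super(providers);
        this.sessionStrategy = sessionStrategy;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // 1) the initial authentication process through the configured providers
        Authentication result = super.authenticate(authentication);

        // 2) run the session strategy on the authenticated result.
        // ConcurrentSessionControlAuthenticationStrategy throws
        // SessionAuthenticationException (a subclass of AuthenticationException)
        // when maximumSessions is exceeded, so the caller sees an ordinary
        // login failure instead of a silently accepted second session.
        RequestCycle cycle = RequestCycle.get();
        if (cycle == null) {
            // Not inside a Wicket request (e.g. a unit test): nothing to do
            return result;
        }
        HttpServletRequest request = (HttpServletRequest) cycle.getRequest().getContainerRequest();
        HttpServletResponse response = (HttpServletResponse) cycle.getResponse().getContainerResponse();

        sessionStrategy.onAuthentication(result, request, response);
        return result;
    }
}
```

To use it, the `authenticationManager` bean in the question's configuration would be declared with this class and two constructor-args: the list containing `petrolAuthenticationProvider` and a ref to `sas`. Because SessionFixationProtectionStrategy replaces the session id, the call has to happen before the response is committed and before anything else is stored in the HttpSession, which is why it sits directly after the delegated `super.authenticate(...)` rather than later in the page flow.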