升级到 Grails 3 后,sessionRegistry 为空,但身份验证有效
After upgrading to Grails 3 the sessionRegistry is empty, but authentication is working
将旧应用程序 (grails 1.3.7) 升级到最新的 grails 版本 3.1.3 后,sessionRegistry 保持为空。 spring 安全性有一些变化,我试图让它工作,但看起来好像缺少了一些东西......我正在使用 spring-security-web-4.0.3.RELEASE.jar
我可以使用 spring 安全性进行身份验证,看起来一切正常。但我喜欢计算公开会议。我使用 sessionRegistry.getAllPrincipals() 查找打开的会话,但现在它总是空的。
在resources.groovy中:
import com.myApp.LicenceCheck
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.session.ConcurrentSessionFilter
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy
beans = {
sessionRegistry(SessionRegistryImpl)
sessionAuthenticationStrategy(ConcurrentSessionControlAuthenticationStrategy){
it.constructorArgs = [sessionRegistry]
maximumSessions = -1
}
concurrentSessionFilter(ConcurrentSessionFilter){
it.constructorArgs = [sessionRegistry,'/login/concurrentSession'];
}
licenceCheck(LicenceCheck)
}
在bootstrap.groovy中:
SpringSecurityUtils.clientRegisterFilter('concurrentSessionFilter', SecurityFilterPosition.CONCURRENT_SESSION_FILTER)
application.groovy中的配置:
// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.basic.realmName='myApp'
grails.plugin.springsecurity.successHandler.defaultTargetUrl='/search/'
grails.plugin.springsecurity.password.algorithm='MD5'
grails.plugin.springsecurity.password.hash.iterations = 1
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.myApp.Account'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.myApp.AccountAccountGroup'
grails.plugin.springsecurity.authority.className = 'com.myApp.AccountGroup'
grails.plugin.springsecurity.authority.nameField = 'role'
grails.plugin.springsecurity.useSecurityEventListener = true
grails.plugin.springsecurity.useSessionFixationPrevention = false
grails.plugin.springsecurity.rejectIfNoRule = false
grails.plugin.springsecurity.fii.rejectPublicInvocations = false
grails.plugin.springsecurity.auth.loginFormUrl = '/login/auth'
grails.plugin.springsecurity.apf.storeLastUsername=true
grails.plugin.springsecurity.filterChain.filterNames = [
'securityContextPersistenceFilter', 'logoutFilter',
'authenticationProcessingFilter', 'concurrentSessionFilter',
'rememberMeAuthenticationFilter', 'anonymousAuthenticationFilter',
'exceptionTranslationFilter', 'filterInvocationInterceptor'
]
身份验证成功后,我正在尝试计算打开的会话数:
import org.springframework.context.ApplicationListener
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent
import grails.util.Holders
class LicenceCheck implements ApplicationListener<InteractiveAuthenticationSuccessEvent> {
void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
def sessionRegistry = Holders.grailsApplication.mainContext.getBean('sessionRegistry')
sessionRegistry.getAllPrincipals() <= list is always empty
}
}
这在以前的版本中有效(使用非常旧的 grails)。现在身份验证正在运行,但 sessionRegistry 保持为空。知道我错过了什么吗?
问候,grailsfan
我找到了这个问题的解决方案。
问题是新的 ConcurrentSessionControlAuthenticationStrategy(ConcurrentSessionControlStrategy 的新功能)没有在 sessionRegistry 中注册会话。您必须将不同的策略与 CompositeSessionAuthenticationStrategy 相结合。
这对我有用:
将旧应用程序 (grails 1.3.7) 升级到最新的 grails 版本 3.1.3 后,sessionRegistry 保持为空。 spring 安全性有一些变化,我试图让它工作,但看起来好像缺少了一些东西......我正在使用 spring-security-web-4.0.3.RELEASE.jar
我可以使用 spring 安全性进行身份验证,看起来一切正常。但我喜欢计算公开会议。我使用 sessionRegistry.getAllPrincipals() 查找打开的会话,但现在它总是空的。
在resources.groovy中:
import com.myApp.LicenceCheck
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.session.ConcurrentSessionFilter
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy
beans = {
sessionRegistry(SessionRegistryImpl)
sessionAuthenticationStrategy(ConcurrentSessionControlAuthenticationStrategy){
it.constructorArgs = [sessionRegistry]
maximumSessions = -1
}
concurrentSessionFilter(ConcurrentSessionFilter){
it.constructorArgs = [sessionRegistry,'/login/concurrentSession'];
}
licenceCheck(LicenceCheck)
}
在bootstrap.groovy中:
SpringSecurityUtils.clientRegisterFilter('concurrentSessionFilter', SecurityFilterPosition.CONCURRENT_SESSION_FILTER)
application.groovy中的配置:
// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.basic.realmName='myApp'
grails.plugin.springsecurity.successHandler.defaultTargetUrl='/search/'
grails.plugin.springsecurity.password.algorithm='MD5'
grails.plugin.springsecurity.password.hash.iterations = 1
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.myApp.Account'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.myApp.AccountAccountGroup'
grails.plugin.springsecurity.authority.className = 'com.myApp.AccountGroup'
grails.plugin.springsecurity.authority.nameField = 'role'
grails.plugin.springsecurity.useSecurityEventListener = true
grails.plugin.springsecurity.useSessionFixationPrevention = false
grails.plugin.springsecurity.rejectIfNoRule = false
grails.plugin.springsecurity.fii.rejectPublicInvocations = false
grails.plugin.springsecurity.auth.loginFormUrl = '/login/auth'
grails.plugin.springsecurity.apf.storeLastUsername=true
grails.plugin.springsecurity.filterChain.filterNames = [
'securityContextPersistenceFilter', 'logoutFilter',
'authenticationProcessingFilter', 'concurrentSessionFilter',
'rememberMeAuthenticationFilter', 'anonymousAuthenticationFilter',
'exceptionTranslationFilter', 'filterInvocationInterceptor'
]
身份验证成功后,我正在尝试计算打开的会话数:
import org.springframework.context.ApplicationListener
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent
import grails.util.Holders
class LicenceCheck implements ApplicationListener<InteractiveAuthenticationSuccessEvent> {
void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
def sessionRegistry = Holders.grailsApplication.mainContext.getBean('sessionRegistry')
sessionRegistry.getAllPrincipals() <= list is always empty
}
}
这在以前的版本中有效(使用非常旧的 grails)。现在身份验证正在运行,但 sessionRegistry 保持为空。知道我错过了什么吗?
问候,grailsfan
我找到了这个问题的解决方案。
问题是新的 ConcurrentSessionControlAuthenticationStrategy(ConcurrentSessionControlStrategy 的新功能)没有在 sessionRegistry 中注册会话。您必须将不同的策略与 CompositeSessionAuthenticationStrategy 相结合。
这对我有用: