1. 首页
  2. 问答
  3. Spring-security:即使在JVM重启后也维护活动会话

Spring-security:即使在JVM重启后也维护活动会话

2016-03-07 164 views
-1

我正在开发一个在Tomcat上运行的Spring-MVC项目,其中我拥有用于​​身份验证和授权的Spring-security。由于我们的项目目前正在开发中,我们有比平常更多的部署。通常,部署之后发生的情况是所有客户端都在服务器重新启动时注销。Spring-security:即使在JVM重启后也维护活动会话

有什么办法,我可以把会话数据的数据库或其他地方,所以即使之后的Tomcat/JVM崩溃/重新启动,已登录的用户不会有问题。

有没有解决这个问题的策略?任何想法如何?

安全的applicationContext.xml:

<!-- Global Security settings --> 
    <security:http pattern="/resources/template/demo/clients" security="none"/> 

    <security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true"> 
     <security:form-login login-page="/login" username-parameter="j_username" password-parameter="j_password" 
          login-processing-url="/j_spring_security_check" default-target-url="/dashboard" 
          always-use-default-target="true" authentication-failure-url="/denied"/> 
     <security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService" 
           token-validity-seconds="1209600" data-source-ref="dataSource"/> 
     <security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/> 
    <!--<security:intercept-url pattern="/**" requires-channel="https"/>--> 
     <security:port-mappings> 
      <security:port-mapping http="80" https="443"/> 
     </security:port-mappings> 
     <security:logout logout-url="/logout" logout-success-url="/" success-handler-ref="myLogoutHandler"/> 

     <security:session-management session-fixation-protection="migrateSession"> 
      <security:concurrency-control session-registry-ref="sessionReg" max-sessions="5" expired-url="/login"/> 
     </security:session-management> 
    </security:http> 

    <beans:bean id="sessionReg" class="org.springframework.security.core.session.SessionRegistryImpl"/> 

    <beans:bean id="rememberMeAuthenticationProvider" 
       class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices"> 
     <beans:constructor-arg index="0" value="_spring_security_remember_me"/> 
     <beans:constructor-arg index="1" ref="userDetailsService"/> 
     <beans:constructor-arg index="2" ref="jdbcTokenRepository"/> 
     <property name="alwaysRemember" value="true"/> 
    </beans:bean> 

    <beans:bean id="jdbcTokenRepository" 
       class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl"> 
     <beans:property name="createTableOnStartup" value="false"/> 
     <beans:property name="dataSource" ref="dataSource"/> 
    </beans:bean> 

    <!-- Remember me ends here --> 
    <security:authentication-manager alias="authenticationManager"> 
     <security:authentication-provider user-service-ref="LoginServiceImpl"> 
      <security:password-encoder ref="encoder"/> 
     </security:authentication-provider> 
    </security:authentication-manager> 

    <beans:bean id="encoder" 
       class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"> 
     <beans:constructor-arg name="strength" value="11"/> 
    </beans:bean> 

    <beans:bean id="daoAuthenticationProvider" 
       class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> 
     <beans:property name="userDetailsService" ref="LoginServiceImpl"/> 
     <beans:property name="passwordEncoder" ref="encoder"/> 
    </beans:bean> 
</beans>

LoginServiceImpl:

@Transactional 
@Service("userDetailsService") 
public class LoginServiceImpl implements UserDetailsService { 

    @Autowired 
    private PersonDAO personDAO; 

    @Autowired 
    private Assembler assembler; 

    public LoginServiceImpl() { 
    } 

@Override 
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { 
     Person person = personDAO.findPersonByUsername(username.toLowerCase()); 
     if (person == null) { 
      throw new UsernameNotFoundException("Wrong username or password"); 
     } 
     return assembler.buildUserFromUserEntity(person); 
    } 
}

汇编:

@Service("assembler") 
public class Assembler { 
    @Transactional(readOnly = true) 
    User buildUserFromUserEntity(Person userEntity) { 
     String username = userEntity.getUsername().toLowerCase(); 
     String password = userEntity.getPassword(); 

     boolean enabled = userEntity.isEnabled(); 
     boolean accountNonExpired = userEntity.isAccountNonExpired(); 
     boolean credentialsNonExpired = userEntity.isCredentialsNonExpired(); 
     boolean accountNonLocked = userEntity.isAccountNonLocked(); 

     Collection<GrantedAuthority> authorities = new ArrayList<>(); 
     authorities.add(new SimpleGrantedAuthority("ROLE_USER")); 

     return new User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities); 
    } 
}

如果有任何需要了解更多信息,请让我知道。谢谢。:-)

来源

2016-03-07 We are Borg

+0

为什么这个问题被低估?任何解释? –

+0

看看这个问题和答案的想法:http://stackoverflow.com/questions/13211615/how-to-store-spring-security-session-information-in-redis – Fortunato

+0

@Fortunato:Redis的选项执行的声音好。我已经具备了记忆功能,正如链接所言,与Redis的Spring会话已经开箱即用。任何想法,我必须改变这个项目的正确整合? –

回答

0

不知道在春季可配置的,但是这是可能的Tomcat的(你提到使用Tomcat)。

在你的context.xml文件,找到这一行/语句

<Manager pathname="" />

评论/删除此日志。这将在优雅的tomcat重启之间启用会话持久性。

来源

2016-03-07 13:10:43 Anirudh

+0

该条目已被评论。 –

 相关问题

  • 暂无相关问题^_^