升级到Grails 3后，sessionRegistry为空，但验证正在工作

Question

将旧应用程序（grails 1.3.7）升级到最新的grails版本3.1.3后，sessionRegistry保持为空。春季安全有一些变化，我试图得到它的工作，但它看起来像缺少一些东西...我使用的是spring-security-web-4.0.3.RELEASE.jar

我可以通过春季安全认证，看起来一切正常。但我喜欢计算公开会议。我使用sessionRegistry.getAllPrincipals（）来查找打开的会话，但现在它总是空的。

在resources.groovy：

import com.myApp.LicenceCheck 
import org.springframework.security.core.session.SessionRegistryImpl 
import org.springframework.security.web.session.ConcurrentSessionFilter 
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy 


beans = { 
     sessionRegistry(SessionRegistryImpl) 

     sessionAuthenticationStrategy(ConcurrentSessionControlAuthenticationStrategy){   
      it.constructorArgs = [sessionRegistry] 
      maximumSessions = -1    
     } 

     concurrentSessionFilter(ConcurrentSessionFilter){   
      it.constructorArgs = [sessionRegistry,'/login/concurrentSession']; 
     } 

     licenceCheck(LicenceCheck)   
} 

BootStrap.groovy中：

SpringSecurityUtils.clientRegisterFilter('concurrentSessionFilter', SecurityFilterPosition.CONCURRENT_SESSION_FILTER) 

配置在application.groovy：

// Added by the Spring Security Core plugin: 
grails.plugin.springsecurity.basic.realmName='myApp' 
grails.plugin.springsecurity.successHandler.defaultTargetUrl='/search/' 
grails.plugin.springsecurity.password.algorithm='MD5' 
grails.plugin.springsecurity.password.hash.iterations = 1 
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.myApp.Account' 
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.myApp.AccountAccountGroup' 
grails.plugin.springsecurity.authority.className = 'com.myApp.AccountGroup' 
grails.plugin.springsecurity.authority.nameField = 'role' 
grails.plugin.springsecurity.useSecurityEventListener = true 
grails.plugin.springsecurity.useSessionFixationPrevention = false 
grails.plugin.springsecurity.rejectIfNoRule = false 
grails.plugin.springsecurity.fii.rejectPublicInvocations = false 
grails.plugin.springsecurity.auth.loginFormUrl = '/login/auth' 
grails.plugin.springsecurity.apf.storeLastUsername=true 

grails.plugin.springsecurity.filterChain.filterNames = [ 
    'securityContextPersistenceFilter', 'logoutFilter', 
    'authenticationProcessingFilter', 'concurrentSessionFilter', 
    'rememberMeAuthenticationFilter', 'anonymousAuthenticationFilter', 
    'exceptionTranslationFilter', 'filterInvocationInterceptor' 
] 

全成验证我想算后公开课：

import org.springframework.context.ApplicationListener 
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent 
import grails.util.Holders 

class LicenceCheck implements ApplicationListener<InteractiveAuthenticationSuccessEvent> { 

void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) { 
     def sessionRegistry = Holders.grailsApplication.mainContext.getBean('sessionRegistry') 
     sessionRegistry.getAllPrincipals() <= list is always empty 
    } 
} 

这是在以前的版本（与非常老的grails）工作。现在身份验证正在工作，但sessionRegistry保持空白。任何想法我失踪？

Regards，grailsfan

Answer 1

我找到了这个问题的解决方案。

问题是，新的ConcurrentSessionControlAuthenticationStrategy（新的ConcurrentSessionControlStrategy）未在sessionRegistry中注册会话。你必须将不同的策略与CompositeSessionAuthenticationStrategy结合起来。

这对我有用： Grails Spring Security max concurrent session