- 浏览: 1543466 次
- 性别:
- 来自: 北京
文章分类
- 全部博客 (225)
- JAVA (27)
- Spring (49)
- Linux (51)
- JavaScript (8)
- Scrum (23)
- IDE (2)
- JSON (2)
- Solr (0)
- Webharvest (0)
- Hibernate (8)
- 杂谈 (3)
- Windows 7 (4)
- 持续集成 (23)
- tomcat (3)
- Android (1)
- SpringSecurity (11)
- Maven (9)
- jotm (3)
- C3P0 (1)
- Active Directory (2)
- cas (1)
- JQuery (2)
- ajax (1)
- plsql (2)
- nginx (4)
- apache (1)
- thrift (7)
- python (3)
- oracle (4)
- php (2)
- redis (1)
- fedora (1)
- windows7 (0)
- SVN (1)
- NFS (1)
- SAMBA (1)
- Atomikos (1)
- apache-poi (1)
- mysql (2)
- vncserver (1)
- mac (2)
- firefox (1)
- JIRA (1)
- p6spy (1)
- git (1)
- github (1)
- gitlab (1)
- gogs (1)
- Druid (1)
- MyBatis (1)
- docker (8)
- zabbix (1)
最新评论
-
lialatd:
您好,我用您的方法通过java api往jira系统中添加is ...
JIRA REST API ---- JAVA -
sprcen945:
可以了,是因为没加intercept-url 的拦截, 尼玛, ...
SpringSecurity3.X--Cas client 配置 -
sprcen945:
请问为什么我配了security.xml后切入点不起作用(之前 ...
SpringSecurity3.X--Cas client 配置 -
linxingyul:
根据楼主的代码 继承了WebMvcConfigurationS ...
SpringMVC4零配置--Web上下文配置【MvcConfig】 -
java_老头:
MvcConfig.java的FilterType.ANNOT ...
SpringMVC4零配置--Web上下文配置【MvcConfig】
SpringSecurity3.X--Cas client 配置之配置session-management遇到的问题
- 博客分类:
- SpringSecurity
- Spring
关于“SpringSecurity3.X--Cas client 配置”可以参看SpringSecurity3.X--Cas client 配置
直接说问题吧,就是希望同一时间相同的用户只能有一个访问系统,我理所当然的想到了session-management,在使用SpringSecurity2.x时,直接配置如下即可:
<sec:http entry-point-ref="casProcessingFilterEntryPoint" access-denied-page="/access/denied.do" access-decision-manager-ref="accessDecisionManager" auto-config="false"> ………………………… <sec:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="false" expired-url="/access/same_login.do" /> </sec:http>
也就是说,相同的用户在第二次登录后,那么第一次登录就会失效,需要重新获取认证。
在使用SpringSecurity3.X时,我尝试配置如下:
<http entry-point-ref="casEntryPoint" access-decision-manager-ref="accessDecisionManager" access-denied-page="/access/denied.do" auto-config="false"> ………………………… <session-management> <concurrency-control max-sessions="1" expired-url="/access/same_login.do" error-if-maximum-exceeded="false" /> </session-management> <custom-filter position="CAS_FILTER" ref="casFilter" /> <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" /> <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" /> </http>
结果发现并没有起作用,查看了一下源码,基本上搞清楚了原因,下面是session管理相关的时序图:
从图中可以看出,验证的关键就是ConcurrentSessionControlStrategy
CasAuthenticationFilter继承于AbstractAuthenticationProcessingFilter,可是后者默认使用的不是ConcurrentSessionControlStrategy,而是NullAuthenticatedSessionStrategy,该类什么都没做,所以,上面的配置根本不会起作用,
那么要想使session-management真正起作用,我们该如何做呢?
首先,必须为CasAuthenticationFilter注入一个ConcurrentSessionControlStrategy,
然后,ConcurrentSessionControlStrategy和ConcurrentSessionFilter又需要使用相同的SessionRegistryImpl,所以我们只需要将这些bean显示声明即可。
参看了一下SpringSecurity3.X的官方帮助文件,修改配置如下:
<http entry-point-ref="casEntryPoint" access-decision-manager-ref="accessDecisionManager" access-denied-page="/access/denied.do" auto-config="false"> ………………………… <session-management session-authentication-strategy-ref="sessionAuthenticationStrategy" /> <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" /> <custom-filter position="CAS_FILTER" ref="casFilter" /> <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" /> <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" /> </http> <beans:bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="maximumSessions" value="1" /> </beans:bean> <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> <beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"> <beans:property name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="expiredUrl" value="/session-expired.htm" /> </beans:bean> <!-- cas 认证过滤器 --> <beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter"> <beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" /> <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" /> <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_check.do" /> <beans:property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy" /> </beans:bean>
ok。
评论
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <!-- 此标签会创建第二种方式中的大多数bean,可配置的选项很多,可以自行查阅 --> <http auto-config="false" entry-point-ref="casEntryPoint" use-expressions="true" access-denied-page="/errorPage/error403.jsp"> <intercept-url pattern="/**/*" access="isAuthenticated()" /> <anonymous enabled="false" /> <session-management session-authentication-strategy-ref="sessionAuthenticationStrategy" /> <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" /> <!-- 无spring时,这些filter都会被定义在web.xml中 --> <custom-filter position="CAS_FILTER" ref="casFilter" /> <!-- <logout logout-url="/j_spring_security_logout" logout-success-url="${cas-server-url}/logout?service=${cas-service-url}"/>--> <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/> <custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/> </http> <beans:bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="maximumSessions" value="1" /> </beans:bean> <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> <beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"> <beans:property name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="expiredUrl" value="/j_spring_cas_security_logout" /> </beans:bean> <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"> <!-- 回调访问的url --> <beans:property name="service" value="${cas-service-url}/j_spring_cas_security_check"/> <!-- 根据需要启用此参数,当url传递renew参数并且为true时,无论用户有无认证cookie都会强制进行验证 --> <beans:property name="sendRenew" value="false"/> </beans:bean> <beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter"> <beans:property name="authenticationManager" ref="authenticationManager"/> <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" /> <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" /> <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_check" /> <beans:property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy" /> </beans:bean> <!-- cas 认证失败控制器 --> <beans:bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> <beans:property name="defaultFailureUrl" value="/common/timeout.jsp" /> </beans:bean> <!-- cas 认证成功控制器 --> <beans:bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"> <beans:property name="alwaysUseDefaultTargetUrl" value="false" /> <!-- <beans:property name="defaultTargetUrl" value="/index.jsp" /> --> </beans:bean> <beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"> <beans:property name="loginUrl" value="${cas-server-url}/login"/> <beans:property name="serviceProperties" ref="serviceProperties"/> </beans:bean> <authentication-manager alias="authenticationManager"> <authentication-provider ref="casAuthenticationProvider" /> </authentication-manager> <beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"> <beans:property name="authenticationUserDetailsService"> <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper"> <beans:constructor-arg ref="loginServiceImpl" /> </beans:bean> </beans:property> <beans:property name="serviceProperties" ref="serviceProperties" /> <beans:property name="ticketValidator"> <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> <beans:constructor-arg index="0" value="${cas-server-url}" /> </beans:bean> </beans:property> <beans:property name="key" value="an_id_for_this_auth_provider_only"/> </beans:bean> <beans:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/> <beans:bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"> <beans:constructor-arg value="${cas-server-url}/logout"/> <beans:constructor-arg> <beans:bean class= "org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/> </beans:constructor-arg> <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_logout"/> </beans:bean> </beans:beans>
发表评论
-
Druid学习笔记
2016-10-07 11:55 2523官方网站:https://github.com/aliba ... -
Spring Cache注解+Redis
2015-01-15 13:36 54528Spring3.1 Cache注解 依赖jar包: ... -
Spring Cache注解+Memcached
2015-01-12 16:11 20504Spring3.1 Cache注解 依赖jar包: ... -
Spring4+Hibernate4+Atomikos3.3多数据源事务管理
2014-09-25 10:46 8431Spring3+后不再对JTOM提供支持,所以可以改用At ... -
SpringMVC4零配置--Web上下文配置【MvcConfig】
2014-09-10 18:22 73505与SpringSecurity的配置类似,spring同样 ... -
SpringMVC4零配置--SpringSecurity相关配置【SpringSecurityConfig】
2014-09-10 18:22 72050SpringSecurity的配置相对来说有些复杂,如果 ... -
SpringMVC4零配置--应用上下文配置【AppConfig】
2014-09-10 18:21 26611从spring3.0开始,Spring将JavaConfi ... -
SpringMVC4零配置--web.xml
2014-09-10 18:21 98772servlet3.0+规范后,允许servlet,filt ... -
SpringMVC4零配置
2014-09-05 19:11 90054基于Servlet3.0规范和SpringMVC4注解式配 ... -
SpringSecurity3.X--SpEL 表达式
2014-07-17 10:03 3036使用 Spring 表达式语言配置访问控制,要实现这一功能 ... -
SpringSecurity3.X--LDAP:AD配置
2014-07-08 17:08 5588前面介绍过基于本地数据库验证的方式,参考http://ha ... -
Thrift--JSClient
2013-09-26 14:45 6023thrift提供了基于jquery--ajax的客户端调用 ... -
Thrift--Spring集成ThriftServlet
2013-09-25 11:42 11165Thrift除了可以通过TCP协议访问,还可以通过HTTP ... -
Thrift转SpringHttpInvoker
2013-09-24 13:26 1810关于在spring中集成Thrift请参看:http://h ... -
Spring集成Thrift--Server AND Client
2013-09-04 20:13 13796Thrift网上有N多教程, ... -
C3P0配置实战
2012-09-04 18:34 51944C3P0: 一个开源的JDBC连接池,它实现了数据源和JN ... -
spring+jotm 多数据源事务管理(三)JNDI+Tomcat
2012-06-07 16:27 5320spring+jotm 多数据源事务管理系列 spr ... -
spring+jotm 多数据源事务管理(二)hibernate
2012-06-07 11:20 2924spring+jotm 多数据源事务管理系列 spr ... -
spring+jotm 多数据源事务管理(一)jdbc
2012-06-07 11:00 5317spring+jotm 多数据源事务管理系列 spr ... -
SpringSecurity3.X--Cas client 配置之配置session-management遇到的问题(2)
2011-10-27 14:19 2167关于“SpringSecurity3.X--Cas clien ...
相关推荐
- 在Spring Security的XML配置文件中,`<http>`元素下的`<session-management>`用于配置会话管理。例如,可以添加`<concurrency-control>`子元素来设置并发会话策略。 - `<session-management>`还可以配置`...
org.springframework.spring-library-3.0.4.RELEASE.libd org.springframework.test-3.0.4.RELEASE.jar org.springframework.transaction-3.0.4.RELEASE.jar org.springframework.web.portlet-3.0.4.RELEASE.jar ...
赠送jar包:spring-session-data-redis-2.0.4.RELEASE.jar; 赠送原API文档:spring-session-data-redis-2.0.4.RELEASE-javadoc.jar; 赠送源代码:spring-session-data-redis-2.0.4.RELEASE-sources.jar; 赠送...
org.springframework.spring-library-3.1.RELEASE.libd org.springframework.test-3.1.RELEASE.jar org.springframework.transaction-3.1.RELEASE.jar org.springframework.web.portlet-3.1.RELEASE.jar org....
Spring Boot 整合 CAS Client 实现单点登录验证的示例 Spring Boot 整合 CAS Client 是一种流行的解决方案,用于实现单点登录(Single Sign-On,简称 SSO)。在多个应用系统中,用户只需要登录一次就可以访问所有...
包含spring 3.0.5的所有jar文件: org.springframework.aop-3.0.5.RELEASE.jar org.springframework.asm-3.0.5.RELEASE.jar org.springframework.aspects-3.0.5.RELEASE.jar org.springframework.beans-3.0.5.RELEASE...
赠送jar包:spring-session-data-redis-2.0.4.RELEASE.jar; 赠送原API文档:spring-session-data-redis-2.0.4.RELEASE-javadoc.jar; 赠送源代码:spring-session-data-redis-2.0.4.RELEASE-sources.jar; 赠送...
spring-security-core-2.0.5.RELEASE-sources
rg.springframework.asm-3.0.1.RELEASE-A.jar
Error creating bean with name 'org.springframework.web.servlet.handler.SimpleUrlHandlerMapping#0' defined in ServletContext resource [/WEB-INF/springMVC-servlet.xml]: Initialization of bean failed;...
CAS - spring-security-cas-client.jar 1.4.1.7. OpenID - spring-security-openid.jar 1.4.2. 获得源代码 2. Security命名空间配置 2.1. 介绍 2.1.1. 命名空间的设计 2.2. 开始使用安全命名空间配置 2.2.1....
spring-security-core-4.1.0.RELEASE.jar,spring-security-web-4.1.0.RELEASE.jar,spring-security-taglibs-4.1.0.RELEASE.jar,spring-security-config-4.1.0.RELEASE.jar,spring-security-acl-4.1.0.RELEASE....
详细的spring security2.x配置
赠送jar包:spring-session-1.3.5.RELEASE.jar; 赠送原API文档:spring-session-1.3.5.RELEASE-javadoc.jar; 赠送源代码:spring-session-1.3.5.RELEASE-sources.jar; 赠送Maven依赖信息文件:spring-session-...
org.springframework.context-3.1.1.RELEASE.jar java 开发专用
spring-security-cas-client-2.0.4.jar
aopalliance-1.0.jar,org.springframework.aop-3.0.0.RELEASE.jar,org.springframework.jdbc-3.0.0.RELEASEorg.springframework.beans-3.0.0.RELEASE.jar等
本教程将详细讲解如何在Spring Boot 3.x版本中结合Spring Security的最新版实现JWT(JSON Web Token)登录验证。 首先,让我们了解JWT。JWT是一种轻量级的身份认证和授权机制,它以JSON对象的形式在客户端和服务器...
Spring Security是Java领域中一款广泛使用的安全框架,用于...这份中文文档详细介绍了这些概念和配置,是开发者深入学习Spring Security 3.x的强大资源。通过深入阅读和实践,开发者能够构建出坚固且灵活的安全系统。
org.springframework.web-3.0.5.RELEASE.jar