How to obtain a list of all currently logged-in users (including rememberMe cookies) in Grails with Spring Security


Question


I'm building a Grails app that has the spring-security-core 1.2.7.3 plugin as well as the spring-security-ui 0.2 plugin, and would like to obtain a list of ALL the users that are currently logged in (i.e. have a currently active session). Users can log in either through a login controller (daoAuthenticationProvider) or automatically through a rememberMe cookie. I have implemented the code below, using ConcurrentSessionControlStrategy to create a sessionRegistry:


in /conf/spring/resources.groovy:

import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
import org.springframework.security.web.session.ConcurrentSessionFilter
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

beans = {
    userDetailsService(lablore.MyUserDetailsService)

    sessionRegistry(SessionRegistryImpl)

    sessionAuthenticationStrategy(ConcurrentSessionControlStrategy, sessionRegistry) {
        maximumSessions = -1
    }

    concurrentSessionFilter(ConcurrentSessionFilter){
        sessionRegistry = sessionRegistry
        expiredUrl = '/login/concurrentSession'
    }

}


In /plugins/spring-security-core/conf/DefaultSecurityConfig.groovy

useHttpSessionEventPublisher = true

In the controller:

controller{
    def sessionRegistry

    action(){
        def loggedInUsers = sessionRegistry.getAllPrincipals()
    }
}


It works well for:
- users that log in through the login page
- users that log out through a 'logout' link
- users whose session expires

HOWEVER, it does NOT work for users that authenticate automatically with a rememberMe cookie. It doesn't see that they have a newly created session. If I understand correctly, this is because the RememberMeAuthenticationFilter is 'further up' in the filter chain compared to the ConcurrentSessionFilter, which is the one running the sessionRegistry? Or, I messed something up with my configurations....


Any help on how to get this to work would be great!

Thanks!

Recommended answer

Use ConcurrentSessionControlAuthenticationStrategy instead.

Alternatively,


You can implement the HttpSessionListener interface, which has the sessionCreated(HttpSessionEvent event) and sessionDestroyed(HttpSessionEvent event) methods, but you have to add the class you used


Implementations of this interface are notified of changes to the list of active sessions in a web application. To receive notification events, the implementation class must be configured in the deployment descriptor for the web application.


You can either add the implementation class to your deployment descriptor like so (i.e. your web.xml file)

<listener>
   <listener-class>com.hazelcast.web.SessionListener</listener-class>
</listener>


or by using the WebXmlConfig plugin in grails


Your implementation class could look like below, see Online users with Spring Security also

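import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

class WebSessionListener implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Check here whether the user has logged in, and keep a record
        HttpSession webSession = se.getSession();
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Check here whether the user has logged in, and keep a record
        HttpSession webSession = se.getSession();
    }
}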
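One way to get rememberMe logins into the sessionRegistry from the question, as an added example that is not code from the question or the answer: subclass RememberMeAuthenticationFilter and register the session in its onSuccessfulAuthentication hook. The class name SessionRegisteringRememberMeFilter, the helper loggedInPrincipals and the bean wiring in the trailing comment are assumptions; the wiring also assumes a Spring Security version in which this filter is configured through setters.

```groovy
// Added example; assumed location: src/groovy/SessionRegisteringRememberMeFilter.groovy
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.security.core.Authentication
import org.springframework.security.core.session.SessionRegistry
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter

class SessionRegisteringRememberMeFilter extends RememberMeAuthenticationFilter {

    SessionRegistry sessionRegistry   // injected; the same bean the controller reads

    // Hook invoked by RememberMeAuthenticationFilter after a cookie login succeeded
    // and the Authentication was placed in the SecurityContext.
    @Override
    protected void onSuccessfulAuthentication(HttpServletRequest request,
                                              HttpServletResponse response,
                                              Authentication authResult) {
        // A rememberMe request may arrive without a session, so create one.
        // SessionRegistryImpl drops this id again when the session is destroyed
        // (this relies on useHttpSessionEventPublisher = true).
        String sessionId = request.getSession(true).id
        if (sessionRegistry.getSessionInformation(sessionId) == null) {
            sessionRegistry.registerNewSession(sessionId, authResult.principal)
        }
    }

    // Principals that still have at least one non-expired registered session.
    static List loggedInPrincipals(SessionRegistry registry) {
        registry.allPrincipals.findAll { registry.getAllSessions(it, false) }
    }
}

/* Assumed wiring in /conf/spring/resources.groovy, replacing the plugin's filter
   bean (bean names are assumed to match the plugin's defaults):

   rememberMeAuthenticationFilter(SessionRegisteringRememberMeFilter) {
       authenticationManager = ref('authenticationManager')
       rememberMeServices = ref('rememberMeServices')
       sessionRegistry = ref('sessionRegistry')
   }
*/
```

The principal is used as a lookup key in the registry, so the user details class must implement equals and hashCode consistently for form logins and rememberMe logins to be counted as the same user.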
