SessionInformation expiration doesn't lead to user log out from system


Question

I want to have the ability to force another user to log out if an admin wants to block that user.

I have read the following answer:

How to log out all logged-in users with spring-security?

I wrote the following code:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.User;

@Autowired
private SessionRegistry sessionRegistry;
...
private void logout(String name) {
    System.out.println(name);
    for (Object principal : sessionRegistry.getAllPrincipals()) {
        User user = (User) principal;
        if (user.getUsername().equals(name)) {
            // mark every not-yet-expired session of this user as expired
            sessionRegistry.getAllSessions(principal, false)
                    .forEach(SessionInformation::expireNow);
        }
    }
}

I open 2 browsers (1 for the admin and 2 for the user).

I log in to both.

The admin clicks to block the user.

In debug I step into

if (user.getUsername().equals(name)) {

and see the following state:

But after this code executes the user is still logged in to the system and can scroll the site.

If I repeat this operation, sessionRegistry.getAllSessions(principal, false) returns an empty list.

Spring Security configuration:

<beans:beans
        xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd
        ">

    <http auto-config="true" pattern="/admin/**" authentication-manager-ref="adminAuthenticationManager">
        <access-denied-handler error-page="/403" />
        <form-login login-page="/loginAdmin" login-processing-url="/admin/j_spring_security_check_admin"
                    default-target-url="/admin"
                    authentication-failure-url="/loginAdminFailed"
                    authentication-success-handler-ref="authAdminSuccessHandler"/>

        <intercept-url pattern="/admin/j_spring_security_check_admin" access="ROLE_ANONYMOUS"/>
        <intercept-url pattern="/admin/accounts/**" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/users/**" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/terminals/**" access="ROLE_SUPERADMIN, ROLE_TERMINAL_MODERATOR, ROLE_MODERATOR"/>
        <intercept-url pattern="/admin/money/**" access="ROLE_FINANSIER, ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/moderation/**" access="ROLE_SUPERADMIN,ROLE_MODERATOR"/>
        <intercept-url pattern="/admin/moderation/pictures"
                       access="ROLE_SUPERADMIN,ROLE_MODERATOR, ROLE_IMAGE_MODERATOR"/>
        <intercept-url pattern="/admin/statistic/**" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/rules/**" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/terminals/addImageToTerminal"
                       access="ROLE_SUPERADMIN, ROLE_TERMINAL_MODERATOR, ROLE_MODERATOR"/>
        <intercept-url pattern="/admin/terminals/deleteTerminalImage"
                       access="ROLE_SUPERADMIN, ROLE_TERMINAL_MODERATOR, ROLE_MODERATOR"/>
        <intercept-url pattern="/admin/systemGroupsModeration" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/adminUsers" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/contentModeration/**" access="ROLE_SUPERADMIN, ROLE_MODERATOR, ROLE_IMAGE_MODERATOR"/>
        <intercept-url pattern="/admin/campaignModeration/**" access="ROLE_SUPERADMIN, ROLE_MODERATOR"/>
        <intercept-url pattern="/admin/monitoring" access="ROLE_SUPERADMIN"/>

        <logout logout-url="/logout" logout-success-url="/loginAdmin"/>
        <port-mappings>
            <port-mapping http="${http.port}" https="${https.port}"/>
        </port-mappings>
        <session-management session-authentication-strategy-ref="sas" invalid-session-url="/invalid-session" />
    </http>

    <beans:bean id="userSecurityService" class="com.terminal.service.impl.UserSecurityService"/>
    <beans:bean id="authSuccessHandler" class="com.terminal.filter.RoleAuthSuccessHandler"/>

    <beans:bean id="authAdminSuccessHandler" class="com.terminal.filter.admin.RoleAuthAdminHandler"/>
    <beans:bean id="adminSecurityService" class="com.terminal.service.admin.impl.TerminalAdminSecurityServiceImpl"/>

    <beans:bean id="webexpressionHandler"
                class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>

    <authentication-manager id="adminAuthenticationManager">
        <authentication-provider user-service-ref="adminSecurityService">
            <password-encoder ref="encoder"/>
        </authentication-provider>
    </authentication-manager>

    <authentication-manager id="userAuthenticationManager">
        <authentication-provider user-service-ref="userSecurityService">
            <password-encoder ref="encoder"/>
        </authentication-provider>
    </authentication-manager>

    <authentication-manager id="internalUserAuthenticationManager">
        <authentication-provider user-service-ref="userSecurityService">
            <password-encoder ref="noopEncoder"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg index="0" value="10"/>
    </beans:bean>
    <beans:bean id="noopEncoder" class="org.springframework.security.crypto.password.NoOpPasswordEncoder"/>
    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
        <beans:constructor-arg ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>
</beans:beans>

Accepted answer

This is what works:

Spring Security configuration:

<beans:beans
        xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:sec="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true" pattern="/admin/**" authentication-manager-ref="adminAuthenticationManager">
        <access-denied-handler error-page="/403" />
        <custom-filter ref="concurrencyFilter" after="SECURITY_CONTEXT_FILTER"/>
        <form-login login-page="/loginAdmin" login-processing-url="/admin/j_spring_security_check_admin"
                    default-target-url="/admin"
                    authentication-failure-url="/loginAdminFailed"
                    authentication-success-handler-ref="authAdminSuccessHandler"/>

        <intercept-url pattern="/admin/j_spring_security_check_admin" access="ROLE_ANONYMOUS"/>
        <intercept-url pattern="/admin/accounts/**" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/users/**" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/terminals/**" access="ROLE_SUPERADMIN, ROLE_TERMINAL_MODERATOR, ROLE_MODERATOR"/>
        <intercept-url pattern="/admin/money/**" access="ROLE_FINANSIER, ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/moderation/**" access="ROLE_SUPERADMIN,ROLE_MODERATOR"/>
        <intercept-url pattern="/admin/moderation/pictures"
                       access="ROLE_SUPERADMIN,ROLE_MODERATOR, ROLE_IMAGE_MODERATOR"/>
        <intercept-url pattern="/admin/statistic/**" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/rules/**" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/terminals/addImageToTerminal"
                       access="ROLE_SUPERADMIN, ROLE_TERMINAL_MODERATOR, ROLE_MODERATOR"/>
        <intercept-url pattern="/admin/terminals/deleteTerminalImage"
                       access="ROLE_SUPERADMIN, ROLE_TERMINAL_MODERATOR, ROLE_MODERATOR"/>
        <intercept-url pattern="/admin/systemGroupsModeration" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/adminUsers" access="ROLE_SUPERADMIN"/>
        <intercept-url pattern="/admin/contentModeration/**" access="ROLE_SUPERADMIN, ROLE_MODERATOR, ROLE_IMAGE_MODERATOR"/>
        <intercept-url pattern="/admin/campaignModeration/**" access="ROLE_SUPERADMIN, ROLE_MODERATOR"/>
        <intercept-url pattern="/admin/monitoring" access="ROLE_SUPERADMIN"/>

        <logout logout-url="/logout" logout-success-url="/loginAdmin"/>
        <port-mappings>
            <port-mapping http="${http.port}" https="${https.port}"/>
        </port-mappings>
        <session-management session-authentication-strategy-ref="sas" invalid-session-url="/" />
    </http>


    <beans:bean id="userSecurityService" class="com.terminal.service.impl.UserSecurityService"/>
    <beans:bean id="authSuccessHandler" class="com.terminal.filter.RoleAuthSuccessHandler"/>

    <beans:bean id="authAdminSuccessHandler" class="com.terminal.filter.admin.RoleAuthAdminHandler"/>
    <beans:bean id="adminSecurityService" class="com.terminal.service.admin.impl.TerminalAdminSecurityServiceImpl"/>

    <beans:bean id="webexpressionHandler"
                class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>

    <authentication-manager id="adminAuthenticationManager">
        <authentication-provider user-service-ref="adminSecurityService">
            <password-encoder ref="encoder"/>
        </authentication-provider>
    </authentication-manager>

    <authentication-manager id="userAuthenticationManager">
        <authentication-provider user-service-ref="userSecurityService">
            <password-encoder ref="encoder"/>
        </authentication-provider>
    </authentication-manager>

    <authentication-manager id="internalUserAuthenticationManager">
        <authentication-provider user-service-ref="userSecurityService">
            <password-encoder ref="noopEncoder"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg index="0" value="10"/>
    </beans:bean>
    <beans:bean id="noopEncoder" class="org.springframework.security.crypto.password.NoOpPasswordEncoder"/>

    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry"/>
                    <beans:property name="maximumSessions" value="1" />
                    <beans:property name="exceptionIfMaximumExceeded" value="true" />
                </beans:bean>
                <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
                </beans:bean>
                <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry"/>
                </beans:bean>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <beans:bean id="concurrencyFilter"
                class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/" />
    </beans:bean>

</beans:beans>

Inside the logout method we set the information that the session is expired inside the sessionRegistry, and the concurrencyFilter reads this and expires the HTTP session.

I also added

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

to web.xml.
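The following is an added example, not code from the original question or answer. It shows the force-logout service the accepted answer relies on, written against the configuration above: sessions must be registered by RegisterSessionAuthenticationStrategy, and ConcurrentSessionFilter must be in the chain, otherwise expireNow() only flips a flag in the registry and nothing ever invalidates the HttpSession. It also explains the empty list the asker saw on a second call: getAllSessions(principal, false) deliberately excludes sessions that are already marked expired. The class name ForcedLogoutService and the return value are assumptions for illustration.

```java
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

/**
 * Added example (hypothetical class, not from the original post).
 * Marks every active session of a given username as expired.
 *
 * The HttpSession itself is only invalidated when the user's browser
 * sends its next request and ConcurrentSessionFilter finds the expired
 * flag in the SessionRegistry; with only
 * ConcurrentSessionControlAuthenticationStrategy configured (the
 * question's setup) nothing enforces the flag.
 */
@Service
public class ForcedLogoutService {

    private final SessionRegistry sessionRegistry;

    public ForcedLogoutService(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Expires all sessions that belong to {@code username} and returns how
     * many were newly marked. A second call for the same user returns 0
     * because getAllSessions(principal, false) skips already-expired sessions.
     */
    public int expireSessionsOf(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!usernameOf(principal).equals(username)) {
                continue;
            }
            // includeExpiredSessions = false: only sessions still considered live
            List<SessionInformation> sessions =
                    sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation session : sessions) {
                session.expireNow();   // ConcurrentSessionFilter acts on this flag
                expired++;
            }
        }
        return expired;
    }

    /**
     * The registry stores whatever the AuthenticationProvider produced as
     * principal; avoid the unchecked cast to User from the question and
     * handle any UserDetails implementation.
     */
    private static String usernameOf(Object principal) {
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return String.valueOf(principal);
    }
}
```

Two checks are worth keeping in mind when wiring this into an admin action: the registry is in-memory in SessionRegistryImpl, so in a multi-node deployment the expiry must be applied on the node that holds the session (or the registry must be replaced by a shared one), and HttpSessionEventPublisher has to be registered in web.xml, as the answer does, so that sessions destroyed by the container are also removed from the registry.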
