Get all logged users in Spring Security


Question

I would like to get a list of all users who are currently logged in to my application. I know that I should inject SessionRegistry in my code to call the getAllPrincipals() method. Unfortunately, I always get an empty list. It seems that SessionRegistry is not populated and I don't know how to make it. I know that on StackOverflow there are similar questions, but I still have a problem with solving my problem. Firstly I added this code to my web.xml:

<listener>
    <listener-class>
        org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>

As far as I know, it allows getting information about the lifecycle (create, destroy) of sessions. And that's all. I have a big problem with moving forward. My file with security beans is presented below:

<beans:bean id="successAuth" class="pl.fp.microblog.auth.SuccessAuth"/>
<beans:bean id="failureAuth" class="pl.fp.microblog.auth.FailureAuth"/>

<http auto-config="true">
    <intercept-url pattern="/" access="ROLE_USER" />
    <intercept-url pattern="/profile/*" access="ROLE_USER" />
    <form-login 
        login-page="/login"         
        authentication-success-handler-ref="successAuth"
        authentication-failure-handler-ref="failureAuth"
        username-parameter="username"
        password-parameter="password"           
        login-processing-url="/login_processing_url"
    />          
    <security:logout logout-url="/logout_processing_url"/>  
    <session-management>
        <concurrency-control max-sessions="1" session-registry-alias="sessionRegistry"/>
    </session-management>
</http>

<beans:bean id="saltProvider" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
    <beans:property name="userPropertyToUse" value="username"></beans:property>
</beans:bean>

<beans:bean id="userService" class="pl.fp.microblog.auth.UserService">
    <beans:property name="userDAO" ref="userDAO"/>
</beans:bean>

<authentication-manager>
    <security:authentication-provider user-service-ref="userService">
        <password-encoder hash="sha-256">
            <security:salt-source ref="saltProvider"/>
        </password-encoder>         
    </security:authentication-provider>
</authentication-manager>

Here I call the getAllPrincipals() method:

@Transactional
@Controller
public class SiteController {
    @Autowired
    private UserDAO userDAO;
    @Autowired
    private SessionRegistry sessionRegistry;    

    @RequestMapping(value = "profile/{login}")  
    public String profilePage(@PathVariable String login, HttpServletRequest req) throws SQLException {     
        // ...
        int loggedInUsers = sessionRegistry.getAllPrincipals().size();
        // ...
        return "profile";               
    }
}

I tried to add session-management code into my http, ConcurrentSessionFilter and similar things, but in fact I don't understand it. And the documentation is too complex for me. Could anyone help me and tell me step by step what to do next? Which beans should I add?

Recommended answer

I think you are almost there. The only thing you've probably missed is the use of session-registry-alias. By using that attribute on the concurrency-control element you expose the session registry, so that it can be injected to your own beans. See the reference doc.

So what you need is:

<http auto-config="true">
...
    <session-management>
        <concurrency-control max-sessions="1" session-registry-alias="sessionRegistry"/>
    </session-management>
</http>

Now you have a reference to the session registry that will be populated by the ConcurrentSessionControlStrategy which is set up implicitly by the above configuration. To use it you would just inject it to your bean as normal:

<bean class="YourOwnSessionRegistryAwareBean">
    <property name="sessionRegistry" ref="sessionRegistry"/>
</bean>

Please note that the above configuration will also restrict the number of concurrent sessions a user may have. If you don't want this restriction, you will have to forgo the convenience of the namespace configuration, because the namespace schema doesn't allow you to set the max-sessions attribute to -1. If you need help on how to wire up the necessary beans manually, the reference doc gives detailed instructions on that.
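
Once the registry is populated, getAllPrincipals() can still return users whose only sessions have been marked expired by concurrency control, so a "who is logged in" list should check each principal's live sessions. The following is an added example, not code from the question or the answer; the class LoggedInUsers, the method activeUsernames and the two sample users are hypothetical, and the registry is filled by hand instead of by a real login.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class LoggedInUsers {

    /** Usernames that still have at least one non-expired session. */
    static List<String> activeUsernames(SessionRegistry registry) {
        List<String> names = new ArrayList<String>();
        for (Object principal : registry.getAllPrincipals()) {
            // false = leave out sessions already marked expired by concurrency control
            List<SessionInformation> live = registry.getAllSessions(principal, false);
            if (live.isEmpty()) {
                continue;
            }
            // The principal is whatever object the user service returned at login.
            names.add(principal instanceof UserDetails
                    ? ((UserDetails) principal).getUsername()
                    : principal.toString());
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed data: in the application the session authentication strategy
        // registers each session at login; here it is done by hand.
        SessionRegistry registry = new SessionRegistryImpl();
        UserDetails alice = new User("alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        UserDetails bob = new User("bob", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        registry.registerNewSession("session-a1", alice);
        registry.registerNewSession("session-b1", bob);

        // What max-sessions="1" does to a user's older session on a second login.
        registry.getSessionInformation("session-b1").expireNow();

        System.out.println(registry.getAllPrincipals().size());
        System.out.println(activeUsernames(registry));
    }
}
```

The registry looks sessions up by principal equality, so a custom UserDetails class returned by your own user service needs consistent equals() and hashCode() implementations, otherwise the same user logging in twice is tracked as two different principals.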
