
嗨,我正在尝试使用 Spring Security 3.1 实现并发控制,但它不起作用。我正在使用 FilterChainProxy,所以我不知道如何在其中使用并发控制。我尝试过的代码如下,我遗漏了什么?请帮帮我。

Bean 配置文件

    <?xml version="1.0" encoding="UTF-8"?>

    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans 
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security 
            http://www.springframework.org/schema/security/spring-security-3.1.xsd
        ">

        <!--    Custom code by rajesh -->
        <!-- =================================================================== -->

        <!-- Session registry shared by concurrencyFilter, sas and SecurityImpl: it records which
             session ids belong to which principal. -->
        <!-- NOTE(review): SessionRegistryImpl looks sessions up by principal, so the principal objects
             produced by myUserDetailsService need consistent equals()/hashCode(); that class is not
             shown here, confirm. Entries are only dropped on session destruction if the
             HttpSessionEventPublisher listener is registered in web.xml. -->
        <bean id="sessionRegistry"  class="org.springframework.security.core.session.SessionRegistryImpl" />

        <!-- Per-request check against sessionRegistry: a session that has been marked expired is
             invalidated and the browser is redirected to expiredUrl (here the login page). This
             filter only acts on sessions that something else has registered and expired; the
             limit itself is enforced by the session authentication strategy at login. -->
        <bean name="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
          <property name="sessionRegistry" ref="sessionRegistry"/>
          <property name="expiredUrl" value="/modules/my/login.do"/>
        </bean>



        <!-- Session authentication strategy that applies the concurrent-session limit at login.
             Project class, presumably a ConcurrentSessionControlStrategy subclass; in this file it
             is injected into usernamePasswordAuthenticationFilter only. -->
        <!-- NOTE(review): neither maximumSessions nor exceptionIfMaximumExceeded is set. With the
             stock ConcurrentSessionControlStrategy defaults a second login succeeds and the older
             session is merely marked expired, to be ended on its next request through
             concurrencyFilter; confirm the subclass keeps that behaviour before concluding the
             control "does not work". -->
        <!-- NOTE(review): securityImpl points at the raw SecurityImpl bean rather than the
             transactional ISecurityImpl proxy, so SecurityImpl calls made from here run without
             the PROPAGATION_REQUIRED advice; confirm this is intended. -->
        <bean id="sas" class="com.xxxx.xxx.security.filter.MyConcurrentSessionControlStrategy">
            <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
            <property name="securityImpl" ref="SecurityImpl"/>
        </bean>
        <!-- =================================================================== -->
        <!--     Custom code ended by rajesh -->


        <!-- Project security service (target of the ISecurityImpl proxy). It receives its own
             SecurityDAO, the shared sessionRegistry and a remember-me token repository. -->
        <!-- NOTE(review): the PersistentRememberMeTokenRepositoryImpl created here is a second,
             unproxied instance; the one inside myRememberMeService is wrapped in a
             TransactionProxyFactoryBean. Confirm that token writes made through this instance
             are meant to run outside that transaction advice. -->
        <bean id="SecurityImpl" class="com.xxxx.xxx.security.impl.SecurityImpl">
            <property name="dao">
                <bean class="com.xxxx.xxx.security.impl.SecurityDAO">
                    <property name="sessionFactory" ref="mySessionFactory" />
                </bean>
            </property>
            <property name="sessionRegistry"  ref="sessionRegistry" />
            <property name="persistentRememberMeTokenRepositoryImpl" >
                <bean
                    class="com.xxxx.xxx.impl.core.security.persisted.tokens.PersistentRememberMeTokenRepositoryImpl">
                    <property name="dao">
                        <bean
                            class="com.xxxx.xxx.impl.core.security.persisted.tokens.PersistentRememberMeTokenDAO">
                            <property name="sessionFactory" ref="mySessionFactory" />
                        </bean>
                    </property>
                </bean>
            </property>
        </bean>

     <!-- Transactional interface proxy (proxyTargetClass=false) around SecurityImpl; only set*,
          checkPasswordExpiry and expireSessionBySessionId get PROPAGATION_REQUIRED. -->
     <!-- NOTE(review): no bean in this file references ISecurityImpl; the filters, sas and the
          expression handler are all wired to SecurityImpl directly and therefore bypass this
          proxy. Confirm whether callers elsewhere use it. -->
     <bean id="ISecurityImpl"
            class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
            <property name="transactionManager" ref="myTransactionManager" />
            <property name="target" ref="SecurityImpl" />
            <property name="proxyTargetClass" value="false" />
            <property name="transactionAttributes">
                <props>
                    <prop key="set*">PROPAGATION_REQUIRED</prop>
                    <prop key="checkPasswordExpiry">PROPAGATION_REQUIRED</prop>
                    <prop key="expireSessionBySessionId">PROPAGATION_REQUIRED</prop>
                </props>
            </property>
        </bean>

        <!-- The FilterChainProxy itself (despite the bean id): one chain for every request path,
             filters applied in the order listed in the filters attribute. -->
        <!-- NOTE(review): no SessionManagementFilter is listed, so the session authentication
             strategy runs only where a filter invokes it explicitly; in this file that is
             usernamePasswordAuthenticationFilter. The DelegatingFilterProxy in web.xml presumably
             targets this bean id; confirm. -->
        <bean id="myFilterSecurityInterceptor" class="org.springframework.security.web.FilterChainProxy">
            <security:filter-chain-map request-matcher="ant" >
                <security:filter-chain pattern="/**" 
                    filters="securityContextPersistenceFilter,concurrencyFilter, logoutFilter, usernamePasswordAuthenticationFilter, rememberMeAuthenticationFilter, passwordExpiryFilter , anonymousAuthenticationFilter, accountExpiryFilter, exceptionTranslationFilter, filterSecurityInterceptor" />
            </security:filter-chain-map>
        </bean>
        <!-- Loads the SecurityContext at the start of each request and stores it again at the end. -->
        <bean id="securityContextPersistenceFilter"
            class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

        <!-- Handles requests to /logout_my: runs the remember-me service's logout handling, then
             SecurityContextLogoutHandler, then redirects to the login page. -->
        <!-- NOTE(review): nothing here removes the session from sessionRegistry directly. With
             SecurityContextLogoutHandler's default settings the HTTP session is invalidated, and
             the registry entry is cleared by the resulting session-destroyed event, which again
             relies on HttpSessionEventPublisher in web.xml. -->
        <bean id="logoutFilter"
            class="org.springframework.security.web.authentication.logout.LogoutFilter">
            <!-- the post-logout destination -->
            <constructor-arg value="/modules/my/login.do" />
            <constructor-arg>
                <array>
                    <ref bean="myRememberMeService"/>
                    <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
                </array>
            </constructor-arg>
            <property name="filterProcessesUrl" value="/logout_my" />
        </bean>

        <!-- Form-login filter: processes POSTs to /my_authentication_service using the loginid and
             password request parameters. -->
        <bean id="usernamePasswordAuthenticationFilter"
            class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
            <!-- The hook for concurrency control: sas is called after each successful form login,
                 before the success handler runs. -->
            <property name="sessionAuthenticationStrategy" ref="sas" />
            <property name="authenticationManager" ref="myAuthenticationManager" />
            <property name="rememberMeServices" ref="myRememberMeService" />
            <property name="filterProcessesUrl" value="/my_authentication_service"></property>
            <property name="usernameParameter" value="loginid" />
            <property name="passwordParameter" value="password" />
            <!-- Both handlers are the transactional proxies, not the *Impl beans. -->
            <property name="authenticationFailureHandler" ref="AuthenticationFailureHandler" />
            <property name="authenticationSuccessHandler" ref="AuthenticationSuccessHandler" />
        </bean>
        <!-- Project filter; in the chain it runs after anonymousAuthenticationFilter. Its logic is
             not visible here; it is given SecurityImpl and the shared failure/success handlers. -->
        <bean id="accountExpiryFilter" class="com.xxxx.xxx.security.filter.MyAccountExpiryFilter">
            <property name="securityImpl" ref="SecurityImpl"/>
            <property name="authenticationFailureHandler" ref="AuthenticationFailureHandler" />
            <property name="authenticationSuccessHandler" ref="AuthenticationSuccessHandler" />
        </bean>
        <!-- Project filter; in the chain it runs after rememberMeAuthenticationFilter. Wired the
             same way as accountExpiryFilter. -->
        <bean id="passwordExpiryFilter"
            class="com.xxxx.xxx.security.filter.MyPasswordExpiryFilter">
            <property name="securityImpl" ref="SecurityImpl"/>
            <property name="authenticationFailureHandler" ref="AuthenticationFailureHandler" />
            <property name="authenticationSuccessHandler" ref="AuthenticationSuccessHandler" />
        </bean>

        <!-- Project failure handler with its own SecurityDAO; failed logins are sent to the login
             page with error=1. What it persists through the DAO is not visible here. -->
        <bean id="AuthenticationFailureHandlerImpl"
            class="com.xxxx.xxx.security.impl.AuthenticationFailureHandlerImpl">
            <property name="dao">
                <bean class="com.xxxx.xxx.security.impl.SecurityDAO">
                    <property name="sessionFactory" ref="mySessionFactory" />
                </bean>
            </property>
            <property name="defaultFailureUrl" value="/modules/my/login.do?error=1" />
        </bean>

        <!-- Class-based transactional proxy (proxyTargetClass=true) around the handler above;
             onAuthenticationFailure runs with PROPAGATION_REQUIRED. This is the bean the filters
             reference. -->
        <bean id="AuthenticationFailureHandler"
            class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
            <property name="transactionManager" ref="myTransactionManager" />
            <property name="target" ref="AuthenticationFailureHandlerImpl" />
            <property name="proxyTargetClass" value="true" />
            <property name="transactionAttributes">
                <props>
                    <prop key="onAuthenticationFailure">PROPAGATION_REQUIRED</prop>
                </props>
            </property>
        </bean>

        <!-- Project success handler with its own SecurityDAO. -->
        <!-- NOTE(review): targetUrlParameter names a request parameter (redirect-to). If this class
             follows Spring's AbstractAuthenticationTargetUrlRequestHandler, the value of that
             parameter decides where the user is sent after login, so the handler should accept
             only context-relative targets to avoid an open redirect. The class is not shown;
             confirm. -->
        <bean id="AuthenticationSuccessHandlerImpl"
            class="com.xxxx.xxx.security.impl.AuthenticationSuccessHandler">
            <property name="dao">
                <bean class="com.xxxx.xxx.security.impl.SecurityDAO">
                    <property name="sessionFactory" ref="mySessionFactory" />
                </bean>
            </property>
            <property name="targetUrlParameter" value="redirect-to"></property>
        </bean>

        <!-- Class-based transactional proxy (proxyTargetClass=true) around the handler above;
             onAuthenticationSuccess runs with PROPAGATION_REQUIRED. This is the bean the filters
             reference. -->
        <bean id="AuthenticationSuccessHandler"
            class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
            <property name="transactionManager" ref="myTransactionManager" />
            <property name="target" ref="AuthenticationSuccessHandlerImpl" />
            <property name="proxyTargetClass" value="true" />
            <property name="transactionAttributes">
                <props>
                    <prop key="onAuthenticationSuccess">PROPAGATION_REQUIRED</prop>
                </props>
            </property>
        </bean>

        <!-- Project remember-me filter: authenticates from the remember-me cookie through
             myRememberMeService and myAuthenticationManager. -->
        <!-- NOTE(review): sas is not injected here and the chain has no SessionManagementFilter, so
             a remember-me login presumably never reaches the concurrent-session strategy or
             sessionRegistry unless this class does so itself via securityImpl; confirm, otherwise
             remember-me sessions sit outside the limit. -->
        <bean id="rememberMeAuthenticationFilter"
            class="com.xxxx.xxx.security.filter.MyRememberMeAuthenticationFilter">
            <property name="rememberMeServices" ref="myRememberMeService" />
            <property name="authenticationManager" ref="myAuthenticationManager" />
            <property name="securityImpl" ref="SecurityImpl"/>
        </bean>

        <!-- Populates an anonymous Authentication (principal anonymousUser, authority
             ROLE_ANONYMOUS) when no earlier filter has authenticated the request. -->
        <!-- NOTE(review): key must be identical to the key on the AnonymousAuthenticationProvider in
             myAuthenticationManager. Both values are masked on this page and the masks differ in
             length; verify they match in the real file. -->
        <bean id="anonymousAuthenticationFilter"
            class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
            <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
            <property name="key" value="XXXXXXXX" />
        </bean>
        <!-- Translates security exceptions raised further down the chain: unauthenticated access is
             sent to the login form, denied access goes to the AccessDeniedHandler proxy. -->
        <bean id="exceptionTranslationFilter"
            class="org.springframework.security.web.access.ExceptionTranslationFilter">
            <property name="authenticationEntryPoint">
                <bean
                    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
                    <property name="loginFormUrl" value="/modules/my/login.do" />
                </bean>
            </property>
            <property name="accessDeniedHandler" ref="AccessDeniedHandler" />
        </bean>

        <!-- Project access-denied handler with its own SecurityDAO; denied requests are shown
             /modules/errors/accessDenied.do. -->
        <!-- NOTE(review): that error page path does not match any intercept-url pattern in
             filterSecurityInterceptor, so its access rule is whatever applies to unmatched URLs. -->
        <bean id="AccessDeniedHandlerImpl" class="com.xxxx.xxx.security.impl.AccessDeniedHandlerImpl">
            <property name="dao">
                <bean class="com.xxxx.xxx.security.impl.SecurityDAO">
                    <property name="sessionFactory" ref="mySessionFactory" />
                </bean>
            </property>
            <property name="errorPage" value="/modules/errors/accessDenied.do" />
        </bean>

        <!-- Class-based transactional proxy (proxyTargetClass=true) around the handler above;
             handle runs with PROPAGATION_REQUIRED. -->
        <bean id="AccessDeniedHandler"
            class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
            <property name="transactionManager" ref="myTransactionManager" />
            <property name="target" ref="AccessDeniedHandlerImpl" />
            <property name="proxyTargetClass" value="true" />
            <property name="transactionAttributes">
                <props>
                    <prop key="handle">PROPAGATION_REQUIRED</prop>
                </props>
            </property>
        </bean>


        <!-- Last filter in the chain: authorises each request against the URL rules below using
             SpEL expressions. Rules are evaluated in document order and the first match wins, so
             the two specific .do rules must stay above the /modules/my/* rule. -->
        <!-- NOTE(review): there is no catch-all rule. A request that matches none of the three
             patterns has no security attributes, and FilterSecurityInterceptor lets such
             requests through as public unless rejectPublicInvocations is enabled. The ant
             pattern /modules/my/* also covers a single path segment only, so deeper paths under
             /modules/my/ are unmatched. Consider ending the list with an explicit /** rule that
             states the intended default. -->
        <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
            <property name="authenticationManager" ref="myAuthenticationManager" />
            <property name="accessDecisionManager" ref="myAffirmativeBasedAccessDecisionManager" />
            <property name="securityMetadataSource">
                <security:filter-security-metadata-source
                    use-expressions="true" lowercase-comparisons="true">
                    <!-- Core Actions -->
                    <security:intercept-url pattern="/modules/my/login.do"
                        access="permitAll" />
                    <security:intercept-url pattern="/modules/my/credentialExpired.do"
                        access="hasRole('ROLE_ANONYMOUS')" />
                    <security:intercept-url pattern="/modules/my/*"
                        access="hasRole('ROLE_ADMIN')" />
                </security:filter-security-metadata-source>
            </property>
        </bean>

        <!-- Access decision manager for filterSecurityInterceptor: AffirmativeBased grants access
             as soon as any one voter grants it. -->
        <!-- NOTE(review): the URL rules are expression-based, so RoleVoter and AuthenticatedVoter
             should abstain on them and the WebExpressionVoter effectively decides alone; confirm
             the two extra voters are needed. -->
        <bean class="org.springframework.security.access.vote.AffirmativeBased"
            id="myAffirmativeBasedAccessDecisionManager">
            <property name="decisionVoters">
                <list>
                    <bean id="webExpressionVoter"
                        class="org.springframework.security.web.access.expression.WebExpressionVoter">
                        <property name="expressionHandler" ref="MyWebSecurityExpressionHandler" />
                    </bean>
                    <bean class="org.springframework.security.access.vote.RoleVoter" />
                    <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                </list>
            </property>
        </bean>

        <!-- Project expression handler used by the WebExpressionVoter; it is given SecurityImpl and
             a role hierarchy. -->
        <!-- The hierarchy is a single chain, ROLE_MY down to ROLE_ANONYMOUS, each role including
             every role below it. As a result hasRole('ROLE_ANONYMOUS') is satisfied by any
             authenticated role as well as by anonymous requests, provided the handler applies
             the hierarchy (project class, not shown). -->
        <bean id="MyWebSecurityExpressionHandler"
            class="com.xxxx.xxx.security.spring.web.MyWebSecurityExpressionHandler">
            <property name="iSecurity" ref="SecurityImpl" />
            <property name="roleHierarchy">
                <bean
                    class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
                    <property name="hierarchy">
                        <value>
                            ROLE_MY > ROLE_ADMIN
                            ROLE_ADMIN > ROLE_USER
                            ROLE_USER > ROLE_PORTAL_USER
                            ROLE_PORTAL_USER > ROLE_GUEST
                            ROLE_GUEST > ROLE_ANONYMOUS
                        </value>
                    </property>
                </bean>
            </property>
        </bean>


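        <!-- Authentication manager used by the login, remember-me and authorisation filters.
             Providers are tried in the order listed; authentication events go to
             myAuthEventPublisher. -->
        <bean id="myAuthenticationManager"
            class="org.springframework.security.authentication.ProviderManager">
            <property name="authenticationEventPublisher" ref="myAuthEventPublisher" />
            <property name="providers">
                <list>
                    <!-- Username/password logins: users come from myUserDetailsService and
                         passwords are checked by the project encoder, which delegates to
                         myPasswordEncryptor. -->
                    <bean
                        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
                        <property name="userDetailsService" ref="myUserDetailsService" />
                        <property name="passwordEncoder">
                            <bean id="myPasswordEncoder"
                                class="com.xxxx.xxx.security.spring.MyPasswordEncoder">
                                <property name="passwordEncryptor" ref="myPasswordEncryptor"></property>
                            </bean>
                        </property>
                    </bean>
                    <!-- Accepts anonymous tokens. NOTE(review): key must equal the key configured
                         on anonymousAuthenticationFilter; both are masked on this page, verify
                         they match in the real file. -->
                    <bean
                        class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
                        <property name="key" value="xxxxxxxxxxxxxx" />
                    </bean>
                    <!-- Accepts remember-me tokens; key matches the one on myRememberMeService.
                         NOTE(review): the key is a literal in this file; consider supplying it
                         from external configuration so it is not stored with the bean
                         definitions. -->
                    <bean
                        class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
                        <property name="key" value="MY_SECURE_REMME_MY_APP" />
                    </bean>
                </list>
            </property>
        </bean>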

        <!-- Project UserDetailsService used by the DAO provider and by myRememberMeService. -->
        <!-- NOTE(review): the principal objects it returns are what sessionRegistry keys sessions
             on; if they lack equals()/hashCode() two logins of the same user will not be
             recognised as the same principal and the concurrent-session limit will never trigger.
             Class not shown; confirm. -->
        <bean id="myUserDetailsService" class="com.xxxx.xxx.impl.core.users.UserImpl">
            <property name="dao" ref="userDao" />
            <property name="passwordEncryptor" ref="myPasswordEncryptor" />
        </bean>

        <!-- like for example at new user sign-up. -->

        <!-- Project remember-me service, shared by the login filter, the remember-me filter and the
             logout filter. Tokens are persisted through a repository wrapped in a transactional
             interface proxy (every method PROPAGATION_REQUIRED). -->
        <bean id="myRememberMeService"
            class="com.xxxx.xxx.security.impl.DefaultMyRememberMeServices">
            <property name="tokenRepository">
                <bean
                    class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
                    <property name="transactionManager" ref="myTransactionManager" />
                    <property name="target">
                        <bean
                            class="com.xxxx.xxx.impl.core.security.persisted.tokens.PersistentRememberMeTokenRepositoryImpl">
                            <property name="dao">
                                <bean
                                    class="com.xxxx.xxx.impl.core.security.persisted.tokens.PersistentRememberMeTokenDAO">
                                    <property name="sessionFactory" ref="mySessionFactory" />
                                </bean>
                            </property>
                        </bean>
                    </property>
                    <property name="proxyTargetClass" value="false" />
                    <property name="transactionAttributes">
                        <props>
                            <prop key="*">PROPAGATION_REQUIRED</prop>
                        </props>
                    </property>
                </bean>
            </property>
            <property name="userDetailsService" ref="myUserDetailsService" />
            <!-- Same key as the RememberMeAuthenticationProvider in myAuthenticationManager; the two
                 must stay in step. NOTE(review): it is a literal in this file; consider supplying
                 it from external configuration. -->
            <property name="key" value="MY_SECURE_REMME_MY_APP" />
            <!-- Remember-me is opt-in: only set when the MY_REMME request parameter asks for it. -->
            <property name="alwaysRemember" value="false" />
            <!-- Cookie is flagged Secure, so browsers send it over HTTPS only. -->
            <property name="useSecureCookie" value="true" />
            <property name="cookieName" value="MY_SECURE_REMME" />
            <property name="parameter" value="MY_REMME" />
            <property name="dao">
                <bean class="com.xxxx.xxx.security.impl.SecurityDAO">
                    <property name="sessionFactory" ref="mySessionFactory" />
                </bean>
            </property>
        </bean>

        <!-- Project password component used by myPasswordEncoder and myUserDetailsService. -->
        <!-- NOTE(review): the algorithm is not visible here. Confirm it is a salted, deliberately
             slow one-way password hash and not reversible encryption, as the name might suggest. -->
        <bean id="myPasswordEncryptor" class="com.xxxx.xxx.security.spring.MyPasswordEncryptor" />

        <!-- Publishes authentication success/failure events from myAuthenticationManager. -->
        <bean id="myAuthEventPublisher"
            class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />
        <!-- Logs authentication events; with debug logging enabled this is a useful trace when
             diagnosing login and session-limit behaviour. -->
        <bean id="authenticationListener"
            class="org.springframework.security.authentication.event.LoggerListener" />
        <!-- Logs authorisation events (access granted or denied by the security interceptor). -->
        <bean id="authorizationListener"
            class="org.springframework.security.access.event.LoggerListener" />

        <!-- Project database configuration service and its transactional interface proxy
             (add*, update* and delete* run with PROPAGATION_REQUIRED). -->
        <!-- NOTE(review): unlike every other TransactionProxyFactoryBean in this file, this one sets
             no transactionManager property; confirm it is resolved some other way. -->
        <bean id="DatabaseConfigImpl" class="com.xxxx.xxx.impl.core.database.config.DatabaseConfigImpl"></bean>
        <bean id="IDatabaseConfig" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
            <property name="target" ref="DatabaseConfigImpl" />
            <property name="proxyTargetClass" value="false"/>
            <property name="transactionAttributes">
                <props>
                    <prop key="add*">PROPAGATION_REQUIRED</prop>
                    <prop key="update*">PROPAGATION_REQUIRED</prop>
                    <prop key="delete*">PROPAGATION_REQUIRED</prop>
                </props>
            </property>
        </bean>
    </beans>

在这个 MyConcurrentSessionControlStrategy 类中,使用自定义实现扩展了 ConcurrentSessionControlStrategy 类。我也在使用自定义过滤器。我还在 web.xml 中添加了 HttpSessionEventPublisher

我的应用程序正在运行。我不知道如何应用并发控制。


1 回答 1


由于您没有显示 usernamePasswordAuthenticationFilter 的配置,我的第一个猜测是您忘记了通过将 ConcurrentSessionControlStrategy 注入该 bean 来添加必要的钩子。在添加您自己的自定义版本的类之前,您应该先证明可以让它与标准类一起正常工作。参考手册中有一个示例配置。从那里开始,确保它有效,然后再尝试添加您的 MyConcurrentSessionControlStrategy。由于看不到该类的代码,它很可能存在错误。

此外,如果您试图描述一个问题,您应该详细解释什么是“不起作用”,即使只是在您认为应该启用时该功能似乎没有启用。调试日志也是有用的信息来源。

于 2013-01-05T14:51:09.423 回答