当我为
org.springframework.security.core.userdetails.UserDetailsService
并使用该语句
sessionRegistry.registerNewSession(user.getUsername(), user);
认证成功后在里面,然后
sessionRegistry.getAllPrincipals();
列表不为空(但当我从应用程序注销时会话仍保留在列表中),否则此列表将为空。如何在 sessionRegistry 中自动进行会话注册(以及用户注销或会话到期期间的注销)?我的弹簧配置如下:
<sec:http auto-config="true" use-expressions="true" access-denied-page="/accessDenied.jsf">
<sec:form-login login-page="/login.jsf" />
<sec:session-management session-authentication-strategy-ref="sas" />
</sec:http>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="scr"
class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
<bean id="smf"
class="org.springframework.security.web.session.SessionManagementFilter">
<constructor-arg name="securityContextRepository"
ref="scr" />
<property name="sessionAuthenticationStrategy"
ref="sas" />
</bean>
<bean id="sas"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry"
ref="sessionRegistry" />
<property name="maximumSessions" value="10" />
</bean>