关于“SpringSecurity3.X--Cas client 配置”可以参看SpringSecurity3.X--Cas client 配置
直接说问题吧,就是希望同一时间相同的用户只能有一个访问系统,我理所当然的想到了session-management,在使用SpringSecurity2.x时,直接配置如下即可:
<sec:http entry-point-ref="casProcessingFilterEntryPoint" access-denied-page="/access/denied.do" access-decision-manager-ref="accessDecisionManager" auto-config="false"> ………………………… <sec:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="false" expired-url="/access/same_login.do" /> </sec:http>
也就是说,相同的用户在第二次登录后,那么第一次登录就会失效,需要重新获取认证。
在使用SpringSecurity3.X时,我尝试配置如下:
<http entry-point-ref="casEntryPoint" access-decision-manager-ref="accessDecisionManager" access-denied-page="/access/denied.do" auto-config="false"> ………………………… <session-management> <concurrency-control max-sessions="1" expired-url="/access/same_login.do" error-if-maximum-exceeded="false" /> </session-management> <custom-filter position="CAS_FILTER" ref="casFilter" /> <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" /> <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" /> </http>
结果发现并没有起作用,查看了一下源码,基本上搞清楚了原因,下面是session管理相关的时序图:
从图中可以看出,验证的关键就是ConcurrentSessionControlStrategy
CasAuthenticationFilter继承于AbstractAuthenticationProcessingFilter,可是后者默认使用的不是ConcurrentSessionControlStrategy,而是NullAuthenticatedSessionStrategy,该类什么都没做,所以,上面的配置根本不会起作用,
那么要想使session-management真正起作用,我们该如何做呢?
首先,必须为CasAuthenticationFilter注入一个ConcurrentSessionControlStrategy,
然后,ConcurrentSessionControlStrategy和ConcurrentSessionFilter又需要使用相同的SessionRegistryImpl,所以我们只需要将这些bean显示声明即可。
参看了一下SpringSecurity3.X的官方帮助文件,修改配置如下:
<http entry-point-ref="casEntryPoint" access-decision-manager-ref="accessDecisionManager" access-denied-page="/access/denied.do" auto-config="false"> ………………………… <session-management session-authentication-strategy-ref="sessionAuthenticationStrategy" /> <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" /> <custom-filter position="CAS_FILTER" ref="casFilter" /> <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" /> <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" /> </http> <beans:bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="maximumSessions" value="1" /> </beans:bean> <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> <beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"> <beans:property name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="expiredUrl" value="/session-expired.htm" /> </beans:bean> <!-- cas 认证过滤器 --> <beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter"> <beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" /> <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" /> <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_check.do" /> <beans:property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy" /> </beans:bean>
ok。