Spring Session -- Spring Security Integration
Official site: https://spring.io/projects/spring-session
Samples: https://docs.spring.io/spring-session/reference/samples.html#samples
Guide
- Spring Session – HttpSession Integration
- Spring Session – WebSocket Integration
- Spring Session – WebSession Integration
- Spring Session – Spring Security Integration
Spring Security Integration
Spring Security Remember-me Support
Spring Session provides integration support for Spring Security's Remember-me authentication. It:
- Changes the session expiration length
- Ensures the session cookie expires at Integer.MAX_VALUE
Java configuration

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            // ... additional configuration ...
            .rememberMe((rememberMe) -> rememberMe
                .rememberMeServices(rememberMeServices())
            )
            // build() is required so the method returns a SecurityFilterChain
            .build();
    }

    @Bean
    public SpringSessionRememberMeServices rememberMeServices() {
        SpringSessionRememberMeServices rememberMeServices =
                new SpringSessionRememberMeServices();
        // optionally customize: always apply remember-me, even when the
        // login request does not ask for it
        rememberMeServices.setAlwaysRemember(true);
        return rememberMeServices;
    }

XML configuration

    <security:http>
        <!-- ... -->
        <security:form-login />
        <security:remember-me services-ref="rememberMeServices"/>
        <security:intercept-url pattern="/**" access="permitAll()"/>
    </security:http>

    <bean id="rememberMeServices"
        class="org.springframework.session.security.web.authentication.SpringSessionRememberMeServices"
        p:alwaysRemember="true"/>

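Spring Security Concurrent Session Control
This allows limiting the number of active sessions that a single user can have at the same time. Unlike the default Spring Security support, it also works in a clustered environment. It is done by providing a custom implementation of Spring Security's SessionRegistry interface. When using the Java configuration DSL, the SessionRegistry can be configured through the SessionManagementConfigurer:
Java configuration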
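
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.session.FindByIndexNameSessionRepository;
    import org.springframework.session.Session;
    import org.springframework.session.security.SpringSessionBackedSessionRegistry;

    @Configuration
    public class SecurityConfiguration<S extends Session> {

        // Session repository that can look sessions up by principal name
        @Autowired
        private FindByIndexNameSessionRepository<S> sessionRepository;

        @Bean
        SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            return http
                // other config goes here...
                .sessionManagement((sessionManagement) -> sessionManagement
                    // at most 2 concurrent sessions per user
                    .maximumSessions(2)
                    .sessionRegistry(sessionRegistry())
                )
                .build();
        }

        // SessionRegistry backed by the shared Spring Session store
        @Bean
        public SpringSessionBackedSessionRegistry<S> sessionRegistry() {
            return new SpringSessionBackedSessionRegistry<>(this.sessionRepository);
        }
    }
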
XML configuration

    <security:http>
        <!-- other config goes here... -->
        <security:session-management>
            <security:concurrency-control max-sessions="2" session-registry-ref="sessionRegistry"/>
        </security:session-management>
    </security:http>

    <bean id="sessionRegistry"
        class="org.springframework.session.security.SpringSessionBackedSessionRegistry">
        <constructor-arg ref="sessionRepository"/>
    </bean>

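Limitations
Spring Session's implementation of Spring Security's SessionRegistry interface does not support the getAllPrincipals() method, because Spring Session cannot retrieve this information. This only affects applications that access the SessionRegistry themselves.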
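
The following is an added example, not code from the original page or from the Spring Session project. It shows how an application that accesses the SessionRegistry itself can work within this limitation: it looks sessions up per known user instead of enumerating principals, for instance to revoke a user's sessions after a password reset. The class name UserSessionAdmin and its method names are assumptions made for this example; it assumes the sessionRegistry bean from the configuration above.

```java
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.stereotype.Service;

// Hypothetical helper (name and methods are assumptions for this example).
@Service
public class UserSessionAdmin {

    // Resolves to the SpringSessionBackedSessionRegistry bean defined above
    private final SessionRegistry sessionRegistry;

    public UserSessionAdmin(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /** Sessions of one known user, from the shared session store (all cluster nodes). */
    public List<SessionInformation> activeSessions(String username) {
        // second argument false: leave out sessions already marked as expired
        return sessionRegistry.getAllSessions(username, false);
    }

    /** Marks every session of the user as expired and returns how many were revoked. */
    public int revokeAll(String username) {
        List<SessionInformation> sessions = activeSessions(username);
        for (SessionInformation session : sessions) {
            // With concurrency control enabled, Spring Security's
            // ConcurrentSessionFilter rejects the session on its next request.
            session.expireNow();
        }
        return sessions.size();
    }

    /** Returns false with the Spring Session-backed registry (see Limitations). */
    public boolean canEnumeratePrincipals() {
        try {
            sessionRegistry.getAllPrincipals();
            return true;
        } catch (UnsupportedOperationException ex) {
            // Expected here: the application must already know the usernames
            // it wants to inspect, e.g. from its own user database.
            return false;
        }
    }
}
```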