Spring Security的在线用户

Question

我正在使用Spring Security,我想知道哪些用户目前在线.我首先尝试使用SessionRegistryImpl和的方法<session-management session-authentication-strategy-ref="..." ... />,但我想这个List存储在内存中我想避免它(它将是一个巨大的网站,很多用户将在同一时间在线,List可以变得巨大).如果我错了,请纠正我.

我尝试的第二种方法是使用一个监听器和HttpSessionListener接口以及一个自定义AuthenticationManager并在数据库中存储"is online flag".基本上,标志在authenticate(...)我的身份验证管理器的方法中设置为true,并在sessionDestroyed(...)我的会话侦听器的方法中设置为false .

web.xml中:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <display-name>Test</display-name>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/security.xml</param-value>
    </context-param>

    <!-- Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <listener>
        <listener-class>my.package.SessionListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>test</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>test</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <session-config>
        <session-timeout>1</session-timeout>
    </session-config>
</web-app>

Spring安全配置:

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <beans:bean id="authenticationManager" class="my.package.security.AuthenticationManager" />

    <http disable-url-rewriting="true" authentication-manager-ref="authenticationManager">
        <!--<intercept-url pattern="/" access="ROLE_ANONYMOUS" />-->
        <intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
        <intercept-url pattern="/favicon.ico" access="ROLE_ANONYMOUS" />
        <intercept-url pattern="/*" access="ROLE_USER" />
        <form-login login-processing-url="/authorize" login-page="/login" authentication-failure-url="/login-failed" />
        <logout logout-url="/logout" logout-success-url="/login" />
        <remember-me data-source-ref="dataSource" />
    </http>
</beans:beans>

my.package.SessionListener:

public class SessionListener implements HttpSessionListener
{
    public void sessionCreated(HttpSessionEvent httpSessionEvent)
    {

    }

    public void sessionDestroyed(HttpSessionEvent httpSessionEvent)
    {
        UserJpaDao userDao = WebApplicationContextUtils.getWebApplicationContext(httpSessionEvent.getSession().getServletContext()).getBean(UserJpaDao.class);

        Authentication a = SecurityContextHolder.getContext().getAuthentication();
        if(a != null)
        {
            User loggedInUser = userDao.findByAlias(a.getName());

            if(loggedInUser != null)
            {
                loggedInUser.setOnline(false);
                userDao.save(loggedInUser);
            }
        }
    }
}

my.package.security.AuthenticationManager:

public class AuthenticationManager implements org.springframework.security.authentication.AuthenticationManager
{
    @Autowired
    UserJpaDao userDao;

    public Authentication authenticate(Authentication authentication) throws AuthenticationException
    {
        User loggedInUser = null;
        Collection<? extends GrantedAuthority> grantedAuthorities = null;

        ...

        loggedInUser = userDao.findByAlias(authentication.getName());
        if(loggedInUser != null)
        {
            // Verify password etc.
            loggedInUser.setOnline(true);
            userDao.save(loggedInUser);
        }
        else
        {
            loggedInUser = null;
            throw new BadCredentialsException("Unknown username");
        }

        return new UsernamePasswordAuthenticationToken(loggedInUser, authentication.getCredentials(), grantedAuthorities);
    }
}

sessionCreated并sessionDestroyed正确触发,但SecurityContextHolder.getContext().getAuthentication();始终为null.

更新:几乎一切都运作良好.唯一的问题是当会话由于超时而到期时,SecurityContextHolder.getContext().getAuthentication()在sessionDestroyed(...)方法中返回null .手动触发注销时,它可以正常工作.

有人能帮我吗？非常感谢任何提示.

谢谢

Answer 1

您不能使用它SecurityContextHolder来获取您的Principal,SessionListener因为它仅在请求的上下文中有效.

您需要的所有信息都在会话本身中

例:

@Override
public void sessionDestroyed(HttpSessionEvent se) {
    HttpSession session = se.getSession();
    SecurityContext context = (SecurityContext)session.getAttribute("SPRING_SECURITY_CONTEXT");
    Authentication authentication = context.getAuthentication();
    Object principal = authentication.getPrincipal();

    // Your code goes here

}