
Session management using Spring Security

I have created a basic Spring Security authentication using UserDetailsService and now I am able to validate the user. However, I don't understand how to achieve the things below:

  1. Once a user is logged in, when the next request comes, how and where do I check whether the request is coming from the same logged-in user or another logged-in user?

I know the concept of Spring interceptors, where I can intercept all incoming requests. But is there something in Spring Security that does this?

  2. How can I start a session after logging in and store values in the session for that user?

I browsed through existing answers, but most of the examples are for logging in.

I would appreciate it if someone could give me examples.

EDIT: I think I should use session-scoped beans in order to maintain the user's session contents rather than manipulating the HttpSession directly.

At first you need to create an Authentication object using the current HttpRequest as below:

 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

 public class SessionService {
     // Reads the SecurityContext that Spring Security saved in the HTTP session after login.
     // Returns null (instead of throwing) when there is no session or no context yet.
     public Authentication getSession(HttpServletRequest request) {
         HttpSession session = request.getSession(false); // do not create a session for anonymous callers
         if (session == null) {
             return null;
         }
         SecurityContext ctx = (SecurityContext) session.getAttribute(
                 HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY); // == "SPRING_SECURITY_CONTEXT"
         return ctx == null ? null : ctx.getAuthentication();
     }
 }

Then, you can retrieve the session details from this Authentication object by passing the current HttpRequest as follows:

 Authentication auth = sessionService.getSession(request);

The above auth object contains the details that you need.
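The answer above reads the SPRING_SECURITY_CONTEXT attribute by hand. Spring Security already does that on every request (the session cookie identifies the session, and the filter chain copies the stored context into SecurityContextHolder before any controller runs), so the per-request "who is this?" check from question 1 and the per-user state from question 2 can be written without touching HttpSession at all. The following is an added example, not code from the question or either answer; the bean and controller names, the /accounts/{owner} URL, and the assumption of Spring MVC with Spring Security 5.x are mine. It also shows the check a practitioner actually needs after authentication: comparing the authenticated principal with the owner of the requested resource on every request.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.annotation.SessionScope;

@RestController
public class AccountController {

    private final UserSessionState sessionState;

    AccountController(UserSessionState sessionState) {
        this.sessionState = sessionState;
    }

    // Who is making the current request? Spring Security populated the holder from the
    // session's SPRING_SECURITY_CONTEXT attribute before this controller ran, so there is
    // no need to look the attribute up manually. Returns null for anonymous callers.
    static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return null;
        }
        return auth.getName();
    }

    // Authentication only tells you that someone is logged in; authorization is the check
    // that this particular user may see this particular resource. Do it on every request.
    @GetMapping("/accounts/{owner}")
    public String account(@PathVariable String owner) {
        String user = currentUsername();
        if (user == null || !user.equals(owner)) {
            throw new AccessDeniedException("not your account"); // becomes 403 (or a login redirect)
        }
        return user + " request #" + sessionState.nextRequestNumber();
    }
}

// Per-user state kept in the HTTP session (hypothetical bean). @SessionScope creates one
// instance per session and injects a proxy into the singleton controller, which is the
// "session-scoped bean" alternative to calling session.setAttribute() yourself.
// Package-private here only so the example fits in one file.
@Component
@SessionScope
class UserSessionState {
    private int requestsServed;

    int nextRequestNumber() {
        return ++requestsServed;
    }
}
```

The same principal is also available as a controller method parameter of type Authentication (or via @AuthenticationPrincipal), which is easier to unit test than the static holder.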

I think you really need to spend some time reading the Spring Security documentation and, overall, the JSP, servlet and MVC architecture. You have several misunderstandings:

  1. After authentication, you don't need to start a session; it was already there when the request came. Remember request.getSession(): we get the session from the request, and I am really NOT aware of any other way, i.e. instantiating a session object and assigning it to the request/response. After successful authentication Spring automatically sets a SPRING_SECURITY_CONTEXT attribute in the session, and this variable is later used to determine whether the user is already authenticated or not (Spring does that for you; you don't need to use this attribute).

  2. In Spring Security we set an authentication entry point, which has information about the login page URL, and FORM_LOGIN_FILTER, which has information about the login processing URL, login success URL and login failure URL among a few other things. Every request whose session doesn't have the SPRING_SECURITY_CONTEXT and auth attribute gets redirected to the login page URL.

I could give the code directly, but it would be great if you read at least a few pages of the Spring documentation here. Once you understand the concepts and are still not able to solve the problem, edit your question with the detailed problem and we will try to fix it.
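The entry point, login page URL, login processing URL and success/failure URLs that this answer describes are all configured on the filter chain. The following is an added example, not code from the answer; it assumes Spring Security 5.7 Java configuration (in 6.x, antMatchers becomes requestMatchers), and the URLs are placeholders. Beyond what the answer lists, it adds the session-management settings that matter once the session cookie is the thing that proves identity: a new session id at login (so a session id fixed before login is worthless), a cap on concurrent sessions per user, and a logout that invalidates the server-side session and removes the cookie.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Authorization rules: only the login page and static assets are public.
            // Any other request without an authenticated session is sent to the entry point.
            .authorizeRequests(authz -> authz
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            // Form-login filter and its entry point: the URLs the answer refers to.
            .formLogin(form -> form
                .loginPage("/login")              // entry point redirects unauthenticated users here
                .loginProcessingUrl("/doLogin")   // the filter handles POSTs to this URL
                .defaultSuccessUrl("/home", true)
                .failureUrl("/login?error"))
            // Logout must destroy the server-side session and the cookie that names it,
            // otherwise the old session id keeps working until the container times it out.
            .logout(logout -> logout
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"))
            // Session management: copy attributes into a fresh session with a new id on
            // login (session fixation protection) and allow one active session per user;
            // a second login expires the first instead of being refused.
            .sessionManagement(session -> session
                .sessionFixation().migrateSession()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false));
        return http.build();
    }

    // Needed for maximumSessions(): the session registry must be told when sessions
    // are destroyed, or expired sessions would still count against the limit.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

With this in place the answer's point 1 holds in practice: nothing in application code creates or inspects the session; the filter chain redirects requests that carry no authenticated context to /login and, after a successful POST to /doLogin, stores the SecurityContext in the (freshly migrated) session itself.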
