[英]How to get serialized tomcat HttpSession to repopulate spring SessionRegistry
I do the following: 我执行以下操作:
HttpSessionSecurityContextRepository.readSecurityContextFromSession
with the stored Session-Information (it is a UsernamePasswordAuthenticationToken containing an Authentication object containing the Principal etc. thus getting the custom User object seems possible) 与存储的会话信息(它是一个UsernamePasswordAuthenticationToken,包含一个包含Principal等的Authentication对象,因此获得自定义User对象似乎是可能的)
However, when trying to list the logged-in users using the SessionRegistry
via 但是,当尝试通过以下方式使用
SessionRegistry
列出登录用户时:
for (Object principal : sessionRegistry.getAllPrincipals()) {
MyCustomUser myCustomUser = (MyCustomUser) principal;
ClientQueryDetails client = clientQuery.getDetails(myCustomUser
.getClientId()).get();
List<SessionInformation> sessions = sessionRegistry.getAllSessions(
principal, false);
for (SessionInformation sessionInformation : sessions) {
result.add(new SessionInfo(client.getName(), myCustomUser
.getUsername(), sessionInformation.getSessionId(),
sessionInformation.getLastRequest()));
}
}
as I normally do to visualize the users/sessions currently active, it is empty . 正如我通常用来可视化当前活动的用户/会话那样,它为空 。
Why does Spring not add those Principals to the SessionRegistry in this moment? 为什么Spring此时不将这些主体添加到SessionRegistry中? Can/Should I do it somehow manually?
我可以/应该以某种方式手动进行吗?
I've read https://github.com/spring-projects/spring-security/issues/2062 which sounds like doing so would be a bad idea. 我已经阅读了https://github.com/spring-projects/spring-security/issues/2062 ,听起来像是个坏主意。
Also related seems Getting logged in users with sessionRegistry not work when manually authenticate 似乎也相关,手动进行身份验证时,使用sessionRegistry登录的用户无法正常工作
I've also found http://forum.spring.io/forum/spring-projects/web/71503-spring-not-restoring-persistent-sessions-to-session-registry 我还找到了http://forum.spring.io/forum/spring-projects/web/71503-spring-not-restoring-persistent-sessions-to-session-registry
So to summarize my questions: 所以总结一下我的问题:
SessionRegistry
? SessionRegistry
呢? SessionRegistry
in order to display all active Sessions to the user (ie the logged-in users) the correct way to do so? SessionRegistry
以便向用户( SessionRegistry
登录的用户)显示所有活动会话是否是正确的方式? EDIT Yes, this is definitely the purpose of the SessionRegisty: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#list-authenticated-principals Should I add the Principal
s manually to the SessionRegistry? 我应该将
Principal
手动添加到SessionRegistry吗? EDIT https://github.com/spring-projects/spring-security/issues/2062 provides different ways of manually readding sessions to the SessionRegistry, however it seems there are some caveats in doing so. 编辑 https://github.com/spring-projects/spring-security/issues/2062提供了将会话手动读取到SessionRegistry的不同方法,但是这样做似乎有些警告。
Where and how exactely is the Session from sessions.ser being deserialized into and where does spring obtain it? 在哪里以及如何exactely从sessions.ser会话被反序列化为以及哪里春天获得它? Or in other words, how does the session-information get from the sessions.ser file into the
SecurityContext
of spring? 换句话说,会话信息如何从sessions.ser文件获取到spring的
SecurityContext
中? Especially how is it "handed over" from tomcat to spring? 特别是它是如何从雄猫“移交给”春天的?
My solution to the problem of not seeing Sessions in the SessionRegistry but having valid Sessions (ie logged-in users) is, to simply delete the SESSIONS.ser File on Server restart . 对于在SessionRegistry中看不到Session却具有有效Session(即已登录用户)的问题,我的解决方法是在服务器重启时简单地删除SESSIONS.ser文件 。
As a consequence, all users have to login again, and the SessionRegistry is populated accordingly. 结果,所有用户都必须再次登录,并相应地填充SessionRegistry。 Since I have no pressing need to keep the sessions alive this is a good solution for me.
由于我没有迫切需要保持会议持续进行,因此这对我来说是一个很好的解决方案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.