问题描述
我们的应用程序过去只有一种登录方式:用户名和密码.一旦新用户登录应用程序,他们的会话将出现在 Spring Security 的 SessionRegistry 中.
Our application used to have only one possibility to log in: username and password. Once a new user logged into the application, their session would appear in Spring Security's SessionRegistry.
现在我正在 Spring SAML 的帮助下实现 SAML 支持.我将设置主要面向 示例应用程序的配置.一切正常.但是我注意到通过 SAML 登录的用户不会将他们的会话添加到 SessionRegistry.
Now I'm implementing SAML support with the help of Spring SAML. I oriented the setup heavily towards the sample application's configuration. It all works fine. However I noticed that users that log in via SAML don't get their session added to the SessionRegistry.
基于表单的身份验证的常用上下文文件包含以下内容:
The usual context file for form based authentication contains the following:
<session-management
invalid-session-url="/login"
session-fixation-protection="newSession"
session-authentication-error-url="/login?invalid_session=1">
<concurrency-control
max-sessions="1"
error-if-maximum-exceeded="false"
session-registry-alias="springSessionRegistry"/>
</session-management>
在用于 SAML 配置的 http 元素中,我添加了相同的内容.这创建了一个新的 SessionRegistry 但它不包含任何内容.我也试过
In my http element for the SAML configuration I added the same. This created a new SessionRegistry but it did not contain anything. I also tried
<concurrency-control session-registry-ref="springSessionRegistry"/>
但这也不包含任何经过 SAML 身份验证的会话.
but this did not contain any SAML authenticated sessions either.
那么我如何访问 SAML 会话?
So how can I access SAML sessions?
推荐答案
问题是 Spring Security 的 bean 定义解析器只自动链接基于 session-management 和 concurrency 创建的 bean-control 包含在核心 Spring Security 模块中的身份验证处理器.这意味着,不会调用 SAMLProcessingFilter.setSessionAuthenticationStrategy().
The problem is that bean definition parsers of Spring Security only automatically link beans created based on the session-management and concurrency-control to the authentication processors included in core Spring Security modules. This means, that SAMLProcessingFilter.setSessionAuthenticationStrategy() isn't called.
您应该能够通过以下方式声明 samlWebSSOProcessingFilter bean 来使其工作(它指的是由 concurrency-control 元素自动创建的并发 bean):
You should be able to get it working by declaring the samlWebSSOProcessingFilter bean in the following way (which refers to the concurrency bean automatically created by the concurrency-control element):
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
<property name="sessionAuthenticationStrategy" ref="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy#0"/>
</bean>
这篇关于SAML 认证用户不会出现在 Spring Security 的 SessionRegistry 中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!