问题描述
我们的应用程序过去只有一种登录方式:用户名和密码.一旦新用户登录应用程序,他们的会话将出现在 Spring Security 的 SessionRegistry
中.
Our application used to have only one possibility to log in: username and password. Once a new user logged into the application, their session would appear in Spring Security's SessionRegistry
.
现在我正在 Spring SAML 的帮助下实现 SAML 支持.我将设置主要面向 示例应用程序的配置.一切正常.但是我注意到通过 SAML 登录的用户不会将他们的会话添加到 SessionRegistry
.
Now I'm implementing SAML support with the help of Spring SAML. I oriented the setup heavily towards the sample application's configuration. It all works fine. However I noticed that users that log in via SAML don't get their session added to the SessionRegistry
.
基于表单的身份验证的常用上下文文件包含以下内容:
The usual context file for form based authentication contains the following:
<session-management
invalid-session-url="/login"
session-fixation-protection="newSession"
session-authentication-error-url="/login?invalid_session=1">
<concurrency-control
max-sessions="1"
error-if-maximum-exceeded="false"
session-registry-alias="springSessionRegistry"/>
</session-management>
在用于 SAML 配置的 http
元素中,我添加了相同的内容.这创建了一个新的 SessionRegistry
但它不包含任何内容.我也试过
In my http
element for the SAML configuration I added the same. This created a new SessionRegistry
but it did not contain anything. I also tried
<concurrency-control session-registry-ref="springSessionRegistry"/>
但这也不包含任何经过 SAML 身份验证的会话.
but this did not contain any SAML authenticated sessions either.
那么我如何访问 SAML 会话?
So how can I access SAML sessions?
推荐答案
问题是 Spring Security 的 bean 定义解析器只自动链接基于 session-management
和 concurrency 创建的 bean-control
包含在核心 Spring Security 模块中的身份验证处理器.这意味着,不会调用 SAMLProcessingFilter.setSessionAuthenticationStrategy()
.
The problem is that bean definition parsers of Spring Security only automatically link beans created based on the session-management
and concurrency-control
to the authentication processors included in core Spring Security modules. This means, that SAMLProcessingFilter.setSessionAuthenticationStrategy()
isn't called.
您应该能够通过以下方式声明 samlWebSSOProcessingFilter
bean 来使其工作(它指的是由 concurrency-control
元素自动创建的并发 bean):
You should be able to get it working by declaring the samlWebSSOProcessingFilter
bean in the following way (which refers to the concurrency bean automatically created by the concurrency-control
element):
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
<property name="sessionAuthenticationStrategy" ref="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy#0"/>
</bean>
这篇关于SAML 认证用户不会出现在 Spring Security 的 SessionRegistry 中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!