Question
Our application used to have only one possibility to log in: username and password. Once a new user logged into the application, their session would appear in Spring Security's SessionRegistry.
Now I'm implementing SAML support with the help of Spring SAML. I oriented the setup heavily towards the sample application's configuration. It all works fine. However, I noticed that users who log in via SAML don't get their session added to the SessionRegistry.
The usual context file for form-based authentication contains the following:

    <session-management
        invalid-session-url="/login"
        session-fixation-protection="newSession"
        session-authentication-error-url="/login?invalid_session=1">
        <concurrency-control
            max-sessions="1"
            error-if-maximum-exceeded="false"
            session-registry-alias="springSessionRegistry"/>
    </session-management>

In my http element for the SAML configuration I added the same. This created a new SessionRegistry, but it did not contain anything. I also tried

    <concurrency-control session-registry-ref="springSessionRegistry"/>

but this did not contain any SAML-authenticated sessions either.
So how can I access SAML sessions?
Answer 1:
The problem is that the bean definition parsers of Spring Security only automatically link the beans created from the session-management and concurrency-control elements to the authentication processors included in the core Spring Security modules. This means that SAMLProcessingFilter.setSessionAuthenticationStrategy() isn't called.
You should be able to get it working by declaring the samlWebSSOProcessingFilter bean in the following way (which refers to the concurrency bean automatically created by the concurrency-control element):

    <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
        <property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
        <property name="sessionAuthenticationStrategy" ref="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy#0"/>
    </bean>

Answer 2:
As I said in my comment on Vladimir's answer, my problem was that I was adding only a ConcurrentSessionControlAuthenticationStrategy to the samlWebSSOProcessingFilter, and because of that, the newly logged-in users were not registered in the SessionRegistry of Spring Security.
To fix that, I created a CompositeSessionAuthenticationStrategy like this:

    import java.util.ArrayList;
    import java.util.List;

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.saml.SAMLProcessingFilter;
    import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
    import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
    import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
    import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

    // Inside the @Configuration class: sessionRegistry, customAuthenticationSuccessHandler,
    // authenticationManager() and authenticationFailureHandler() are declared elsewhere in it.
    @Bean
    public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
        SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
        samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager());
        samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler);
        samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
        // Without this call the filter never touches the SessionRegistry at all.
        samlWebSSOProcessingFilter.setSessionAuthenticationStrategy(authStrategy());
        return samlWebSSOProcessingFilter;
    }

    /**
     * @return the strategy for the SAML authentication: ConcurrentSessionControl (max 1 session per user)
     * + RegisterSessionAuthStrat (otherwise, the sessions of the users are not tracked when they authenticate with SAML)
     *
     * @author Cyril Gambis
     * @date 27 juil. 2020
     */
    private CompositeSessionAuthenticationStrategy authStrategy() {
        List<SessionAuthenticationStrategy> strategies = new ArrayList<>();
        // Enforces the session limit; on its own it only reads the registry, it never writes to it.
        ConcurrentSessionControlAuthenticationStrategy concurrentStrategy = new ConcurrentSessionControlAuthenticationStrategy(this.sessionRegistry);
        concurrentStrategy.setExceptionIfMaximumExceeded(false);
        // Actually records the new session in the registry.
        RegisterSessionAuthenticationStrategy registerStrategy = new RegisterSessionAuthenticationStrategy(this.sessionRegistry);
        strategies.add(concurrentStrategy);
        strategies.add(registerStrategy);
        CompositeSessionAuthenticationStrategy compositeStrategy = new CompositeSessionAuthenticationStrategy(strategies);
        return compositeStrategy;
    }

Now, the new users are correctly registered.
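The following is an added example, not code from either answer above, that makes the behaviour both answers describe observable outside a running application: a ConcurrentSessionControlAuthenticationStrategy by itself only reads the SessionRegistry and therefore leaves it empty, while the composite from Answer 2 registers the session and, on a second login of the same user, expires the older one. It drives the strategies directly with spring-test mock request/response objects instead of through SAMLProcessingFilter, which is valid because the filter does nothing with the registry except delegate to the configured strategy. It assumes Spring Security 5.x and spring-test on the classpath; the class name, the user name "alice" and the helper methods are constructed for this example.

```java
// Added example: shows which SessionAuthenticationStrategy actually writes to the
// SessionRegistry. Not part of the original question or answers.
import java.util.Arrays;
import java.util.List;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

public class SamlSessionRegistryCheck {

    /** Same composition as Answer 2: limit to one session per user, then register the new one. */
    static SessionAuthenticationStrategy compositeStrategy(SessionRegistry registry) {
        ConcurrentSessionControlAuthenticationStrategy concurrent =
                new ConcurrentSessionControlAuthenticationStrategy(registry);
        concurrent.setMaximumSessions(1);
        // Expire the oldest session instead of rejecting the new login.
        concurrent.setExceptionIfMaximumExceeded(false);
        RegisterSessionAuthenticationStrategy register = new RegisterSessionAuthenticationStrategy(registry);
        // Order matters: the limit check must run before the new session is registered,
        // otherwise the session being created would be counted against its own user.
        return new CompositeSessionAuthenticationStrategy(
                Arrays.<SessionAuthenticationStrategy>asList(concurrent, register));
    }

    /** Mimics what SAMLProcessingFilter does after a successful SSO response: call the strategy. */
    static void simulateLogin(SessionAuthenticationStrategy strategy, Authentication auth,
                              MockHttpServletRequest request) {
        request.getSession(); // the filter runs with a live HttpSession, so create one
        strategy.onAuthentication(auth, request, new MockHttpServletResponse());
    }

    public static void main(String[] args) {
        // Constructed principal; a real SAML login would carry the IdP-supplied identity.
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        // 1. Concurrency control alone: the setup that left the registry empty.
        SessionRegistry concurrentOnlyRegistry = new SessionRegistryImpl();
        SessionAuthenticationStrategy onlyConcurrent =
                new ConcurrentSessionControlAuthenticationStrategy(concurrentOnlyRegistry);
        simulateLogin(onlyConcurrent, alice, new MockHttpServletRequest());
        System.out.println("principals after concurrent-only login: "
                + concurrentOnlyRegistry.getAllPrincipals());

        // 2. Composite strategy: the login is tracked, and a second login expires the first.
        SessionRegistry registry = new SessionRegistryImpl();
        SessionAuthenticationStrategy composite = compositeStrategy(registry);
        MockHttpServletRequest first = new MockHttpServletRequest();
        MockHttpServletRequest second = new MockHttpServletRequest();
        simulateLogin(composite, alice, first);
        simulateLogin(composite, alice, second);

        List<SessionInformation> live = registry.getAllSessions("alice", false);
        List<SessionInformation> all = registry.getAllSessions("alice", true);
        System.out.println("live sessions: " + live.size() + ", including expired: " + all.size());
        boolean firstExpired = registry.getSessionInformation(first.getSession().getId()).isExpired();
        System.out.println("first session expired: " + firstExpired);
    }
}
```

Running the main method shows an empty principal list for the concurrent-only registry and, for the composite one, a single live session for alice with the first session marked expired. The same check is a useful regression test to keep in the project: if someone later replaces the composite with a bare ConcurrentSessionControlAuthenticationStrategy, the session limit silently stops applying to SAML logins because the registry it consults is never populated.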
Source: https://stackoverflow.com/questions/28609047/saml-authenticated-users-dont-appear-in-spring-securitys-sessionregistry