Spring SessionRegistry security script only
Can anyone provide a real working piece of code on how not to get an empty SessionRegistry object in Spring Security using only java configuration (no XML whatsoever).
I am using Spring Security v4.0.1.RELEASE
And what I am trying to do:
- Implemented hashCode () and equals () methods in UserDetails with Apache Commons Lang:
@Override
public int hashCode() {
return HashCodeBuilder.reflectionHashCode(this, "password", "id", "role", "description", "registrationDate", "enabled");
}
@Override
public boolean equals(Object obj) {
return EqualsBuilder.reflectionEquals(this, obj, "password", "id", "role", "description", "registrationDate", "enabled");
}
- Included HttpSessionEventPublisher :
public class AppSecurityInitializer extends
AbstractSecurityWebApplicationInitializer {
@Override
protected boolean enableHttpSessionEventPublisher() {
return true;
}
}
- Beans defined in security config class:
@Bean
public SessionRegistry getSessionRegistry() {
return new SessionRegistryImpl();
}
@Bean
public SessionAuthenticationStrategy getSessionAuthStrategy(SessionRegistry sessionRegistry) {
ConcurrentSessionControlAuthenticationStrategy controlAuthenticationStrategy =
new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
return controlAuthenticationStrategy;
}
- Install http protection :
httpSecurity
.formLogin().loginPage("/login")
.defaultSuccessUrl("/", true)
.successHandler(new LoginSuccessHandler())
.and()
.sessionManagement()
.sessionAuthenticationStrategy(sessionAuthenticationStrategy).maximumSessions(1).maxSessionsPreventsLogin(true)
.and().and()
.csrf().disable();
return httpSecurity;
The code works, it prevents me from logging in with the same username, but when I get the SessionRegistry in the controller class, it is always empty.
+3
source to share