Spring security context path resolver

Submitted by 大城市里の小女人 on 2019-12-11 03:46:48

Question


I want to define the path of the session cookie, which is set from spring security, in order to allow multiple logins from the web-app. E.g:

http://localhost:8080/myApp/context1/login
http://localhost:8080/myApp/context2/login
http://localhost:8080/myApp/context3/login
...

Basically this is possible by overwriting LoginUrlAuthenticationEntryPoint, SimpleUrlAuthenticationFailureHandler, SimpleUrlAuthenticationSuccessHandler, SimpleUrlLogoutSuccessHandler. However I cannot find a handler, which is responsible for setting the cookie context-path, which I need to overwrite from:

/myApp

to the appropriate equivalent:

/myApp/context1

This is needed, in order to allow parallel logins to these Apps.

Q: How to change the cookie's path for session cookie (HttpSession) dynamically for tomcat?


Answer 1:


Ok... this time I think I have found what you are looking for. Look at this answer

I think you can do it in grails creating a filter




Answer 2:


Your application container is responsible for sending session cookies to clients. Inside Spring Security code you will only see lines like this:

HttpSession session = request.getSession();

There is no session-cookie-creation logic inside Spring Security source code. That's why there are no interfaces to implement or configuration attributes to provide custom paths.

To specify path that will be assigned to any session cookies created by your web application you can put:

<web-app>
    <session-config>
        <cookie-config>
            <path></path>
        </cookie-config>
    </session-config>
</web-app>

in your web.xml descriptor.
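The same context-wide setting can be made programmatically with the Servlet 3.0 SessionCookieConfig API, which is what the web.xml <cookie-config> element maps to on Tomcat 7 and later. This is an added example, not code from the answer; the package and class name, and the chosen path value, are assumptions, while the javax.servlet method names are the standard API.

```java
package myapp.web;  // hypothetical package

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Programmatic equivalent of the web.xml <session-config><cookie-config> block.
 * contextInitialized runs once at deployment, so the path applies to every
 * JSESSIONID the container issues for this context: there is still exactly
 * one cookie path per web application, which is why it cannot vary per login.
 */
@WebListener
public class SessionCookieConfigurer implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Must be called before the context finishes starting; calling it
        // later throws IllegalStateException.
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        // Assumed value: the application from the question is deployed under
        // /myApp, so this yields "/myApp/context1". The container default is
        // the context path itself ("/myApp").
        cfg.setPath(ctx.getContextPath() + "/context1");

        // Flags that belong next to any cookie-path decision: keep the session
        // id out of reach of page scripts and off plain HTTP.
        cfg.setHttpOnly(true);
        cfg.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

Because the configuration is fixed at startup, a request to /myApp/context2/login would still receive a JSESSIONID scoped to /myApp/context1, which illustrates the answer's point that per-login session cookie paths are not something the container offers.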

However you want to have many sessions in one web application. Why don't you deploy new application for each user context? It's the most logical approach.

Edit: I'm afraid you want to achieve something that can be easily done without tinkering with session. Your problem looks more like authorization and not authentication. Maybe you need to use roles for each context? Or access control lists?




Answer 3:


By default the bean rememberMeServices of type org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices is responsible for setting the cookie.




Answer 4:


Extend InlineExplodedTomcatServer

package myapp

import org.grails.plugins.tomcat.InlineExplodedTomcatServer

class MyappInlineExplodedTomcatServer extends InlineExplodedTomcatServer {

    MyappInlineExplodedTomcatServer(String basedir, String webXml, String contextPath, ClassLoader classLoader) {
        super(basedir, webXml, contextPath, classLoader)
        // cookie domain is read from the 'mydomain.com' system property (null if unset)
        context.setSessionCookieDomain(System.getProperty('mydomain.com'))
        // fixed session cookie path for every session created by this context
        context.setSessionCookiePath('/mypath')
    }

}

Extend tomcat server factory

package myapp

import grails.web.container.EmbeddableServer

import org.grails.plugins.tomcat.TomcatServerFactory

class MyappServerFactory extends TomcatServerFactory {

    EmbeddableServer createInline(String basedir, String webXml, String contextPath, ClassLoader classLoader) {
        new MyappInlineExplodedTomcatServer(basedir, webXml, contextPath, classLoader)
    }

}

In events.groovy set the server factory

eventRunAppStart = {
    System.setProperty 'grails.server.factory', 'myapp.MyappServerFactory'
}

Obviously this configuration is applied only when running with grails "run-app" and not when you deploy on Tomcat or another server. On Tomcat you have to configure it in the Tomcat configuration files.




Answer 5:


Please refer to the default behavior of successfulAuthentication in Spring Security.

Update (pointer from comment): on successful authentication, in the 2nd point, Spring Security "Invokes the configured SessionAuthenticationStrategy to handle any session-related behaviour". So, try implementing a custom SessionControlStrategy extending the framework-provided classes for your application, and see if it fulfills your need.
Framework-provided strategy classes are ConcurrentSessionControlStrategy, NullAuthenticatedSessionStrategy, SessionFixationProtectionStrategy.


To control cookie creation logic after successful authentication and its values:

1) Choose Remember me services for your application
for example: TokenBasedRememberMeServices or PersistentTokenBasedRememberMeServices

2) Create a custom class MyAppTokenBasedRememberMeServices extending the chosen class, for example: TokenBasedRememberMeServices

3) Override the method protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response). It's responsible for creating a cookie and adding the created cookie to the response (this way you can control any cookie value, e.g. the context-path value). This method resides in the class AbstractRememberMeServices

4) Map newly created custom class for rememberMeServices

I hope this helps!
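Steps 2 and 3 of this answer carried through, as an added example rather than code from the answer: a TokenBasedRememberMeServices subclass whose setCookie override derives the cookie path from the first path segment after the context path, so a login at /myApp/context1/login produces a remember-me cookie scoped to /myApp/context1. The class and package names and the resolveCookiePath helper are assumptions; getCookieName(), encodeCookie(), setCookie() and cancelCookie() are the protected methods of AbstractRememberMeServices, and the (key, UserDetailsService) constructor assumes Spring Security 3.1 or later.

```java
package myapp.security;  // hypothetical package

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

/**
 * Remember-me services whose cookie path follows the first path segment after
 * the context path: /myApp/context1/login yields the path /myApp/context1.
 * Step 4 of the answer (wiring this bean as rememberMeServices) is unchanged.
 */
public class ContextScopedRememberMeServices extends TokenBasedRememberMeServices {

    public ContextScopedRememberMeServices(String key, UserDetailsService userDetailsService) {
        super(key, userDetailsService);
    }

    @Override
    protected void setCookie(String[] tokens, int maxAge,
                             HttpServletRequest request, HttpServletResponse response) {
        // Same token encoding the framework uses; only the path differs.
        Cookie cookie = new Cookie(getCookieName(), encodeCookie(tokens));
        cookie.setMaxAge(maxAge);
        cookie.setPath(resolveCookiePath(request));
        cookie.setSecure(request.isSecure());
        cookie.setHttpOnly(true);  // Servlet 3.0 API; omit on older containers
        response.addCookie(cookie);
    }

    /**
     * The framework's cancelCookie clears the cookie at the context path. A
     * browser only discards a cookie when the clearing cookie carries the same
     * path, so logout must use the narrower path as well.
     */
    @Override
    protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie(getCookieName(), null);
        cookie.setMaxAge(0);
        cookie.setPath(resolveCookiePath(request));
        response.addCookie(cookie);
    }

    /**
     * Builds "/myApp/context1" from contextPath "/myApp" and URI
     * "/myApp/context1/login". Falls back to the context path (or "/" for the
     * root context) when there is no segment, so the cookie is never left
     * with a broader scope than the framework default.
     */
    static String resolveCookiePath(HttpServletRequest request) {
        String contextPath = request.getContextPath();            // "/myApp" or "" for root
        String uri = request.getRequestURI();                      // "/myApp/context1/login"
        int semicolon = uri.indexOf(';');                          // drop ";jsessionid=..." if URL rewriting is on
        if (semicolon >= 0) {
            uri = uri.substring(0, semicolon);
        }
        String remainder = uri.startsWith(contextPath) ? uri.substring(contextPath.length()) : uri;
        if (remainder.startsWith("/")) {
            remainder = remainder.substring(1);
        }
        int slash = remainder.indexOf('/');
        String segment = slash >= 0 ? remainder.substring(0, slash) : remainder;
        if (segment.isEmpty() || segment.equals("..") || segment.equals(".")) {
            return contextPath.isEmpty() ? "/" : contextPath;
        }
        return contextPath + "/" + segment;
    }
}
```

This only scopes the remember-me cookie; the container's JSESSIONID keeps the single path set for the whole web application, as Answer 2 explains, so the sessions themselves are still shared across the sub-paths.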



Source: https://stackoverflow.com/questions/13659734/spring-security-context-path-resolver
