Upgrading to grails 4, sessionRegistry.getAllPrincipal() is always empty.
The original spring bean in resources.groovy were
sessionRegistry(SessionRegistryImpl)
concurrentSessionFilter(ConcurrentSessionFilter){
sessionRegistry = sessionRegistry
expiredUrl = '/login'
}
As this was no longer working I tried updating resources.groovy to
sessionRegistry(SessionRegistryImpl)
registerSessionAuthenticationStrategy(RegisterSessionAuthenticationStrategy, ref(sessionRegistry))
sessionFixationProtectionStrategy(SessionFixationProtectionStrategy)
concurrentSessionControlAuthenticationStrategy(ConcurrentSessionControlAuthenticationStrategy, ref(sessionRegistry)){
maximumSessions=1
exceptionIfMaximumExceeded=true
}
compositeSessionAuthenticationStrategy(CompositeSessionAuthenticationStrategy,
[ref(registerSessionAuthenticationStrategy),ref(sessionFixationProtectionStrategy),ref(concurrentSessionControlAuthenticationStrategy)])
All of those beans are from the org.springframework.security.web.authentication.session package.
I've added names to grails.plugin.springsecurity.providerNames as well
The DaoAuthenticationProvider is extended by a custom auth provider. Login and logout works fine, but the principals never get registered in the upgraded app. Do I need register them manually (sessionRegistry.registerNewSession())?
There are old answers that say to use grails install-templates and then edit the web.xml in src/templates/war. However in grails 4, install-templates didn't generate war/web.xml
I tried adding it a /WEB-INF/web.xml, but still no luck.
I think you're missing the sessionAuthenticationStragegy bean definition, try removing the compositeSessionAuthenticationStrategy line and replace it with:
sessionAuthenticationStrategy(CompositeSessionAuthenticationStrategy, [ref('concurrentSessionControlAuthenticationStrategy'), ref('sessionFixationProtectionStrategy'), ref('registerSessionAuthenticationStrategy')])
This is the only difference I see between your code and mine, which is working with Grails 4.