我看了 Spring Security 的示例,想用 Spring Boot 把它集成到我的应用程序中,但我仍然可以同时登录两次或更多次,我不知道为什么。这是我的 SecurityConfig.java;我使用的是 Spring Boot 1.3.2.RELEASE 和 Spring Security 4.0.3.RELEASE。
package com.eexcel.branch.config;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import com.eexcel.common.service.distributor.DistributorService;
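/**
 * Spring Security configuration for the application: URL authorization, form login, logout,
 * remember-me, a one-session-per-user limit, and the global authentication manager wiring.
 *
 * <p>Concurrent-session control caveats:
 * <ul>
 *   <li>The session limit is enforced through the session registry, which looks sessions up by
 *       the authenticated principal object. The {@code UserDetails} type returned by
 *       {@link DistributorService} must therefore implement {@code equals} and {@code hashCode}
 *       on a stable identity (for example the username); otherwise every login is treated as a
 *       different principal and the limit is never reached.</li>
 *   <li>NOTE(review): with {@code maxSessionsPreventsLogin(true)} a registry entry that is not
 *       removed when the HTTP session ends keeps the user locked out. Registering Spring
 *       Security's {@code HttpSessionEventPublisher} as a servlet listener is what lets the
 *       registry see session destruction; no such registration is visible in this file, so
 *       confirm it exists elsewhere.</li>
 * </ul>
 */
@Configuration
@EnableWebSecurity(debug = false)
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {

    /**
     * Static-resource patterns that are served without authentication.
     *
     * <p>Ant patterns are compared against request paths that begin with "/", so every pattern
     * must begin with "/" too; a pattern without the leading slash never matches any request.
     *
     * <p>NOTE(review): the array is public and non-final, so any code can replace or edit it at
     * runtime. Left as is to keep the existing interface.
     */
    public static String[] ignoreUrls = {
        "/css/**", "/js/**", "/images/**", "/assets/**", "/**/favicon.ico"
    };

    /** Patterns reserved for callers that are not signed in (registration and login pages). */
    public static String[] anonymousUrls = { "/registe**", "/login**" };

    /** Web-layer rules: who may reach which URL, and how sessions are limited. */
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

        /**
         * Builds the HTTP security chain.
         *
         * @param http the builder supplied by Spring Security
         * @throws Exception if the builder rejects the configuration
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    // Static assets: open to every caller, signed in or not.
                    .antMatchers(ignoreUrls).permitAll()
                    // anonymous() admits unauthenticated callers only; a signed-in user who
                    // requests these URLs is denied rather than shown the page.
                    .antMatchers(anonymousUrls).anonymous()
                    // Everything else requires a signed-in user.
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .and()
                // NOTE(review): verify that automatic sign-in through the remember-me cookie is
                // subject to the same session limit as a form login.
                .rememberMe()
                    .and()
                .sessionManagement()
                    .maximumSessions(1)
                    // true = reject the new login attempt instead of expiring the older session.
                    .maxSessionsPreventsLogin(true)
                    .expiredUrl("/login?expired");
        }
    }

    /** Wires the application's user lookup and password encoder into the authentication manager. */
    @Order(Ordered.HIGHEST_PRECEDENCE)
    @Configuration
    protected static class AuthenticationManagerConfiguration
            extends GlobalAuthenticationConfigurerAdapter {

        // Injected but not referenced by the code visible in this class.
        @Autowired
        private DataSource dataSource;

        // Password verification is delegated to this encoder; the algorithm it implements is
        // chosen where the bean is defined, not here.
        @Autowired
        private PasswordEncoder passwordEncoder;

        // Supplies the UserDetails used as the session-registry principal (see class Javadoc).
        @Autowired
        private DistributorService userDetailsService;

        /**
         * Registers the user-details service together with the password encoder.
         *
         * @param auth the global authentication builder
         * @throws Exception if the builder rejects the configuration
         */
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
        }
    }
}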
答案 0 :(得分:0)
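你需要在作为 Principal 的 UserDetails 实现类中覆盖 equals 和 hashCode,以确保 SessionRegistryImpl 的
List<SessionInformation> org.springframework.security.core.session.SessionRegistryImpl.getAllSessions(Object principal, boolean includeExpiredSessions)
能够取到同一个 Principal 的所有会话;这里的 Principal 就是 UserDetails 对象。SessionRegistryImpl 以 Principal 对象作为键来查找会话,如果没有覆盖这两个方法,每次登录产生的 UserDetails 实例都会被视为不同的用户,maximumSessions(1) 的限制也就不会生效。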