您好我在Spring Framework 3.0.6中使用Spring Security 3.0.5。我根据文档配置了并发性。它不起作用。我从浏览器会话登录到应用程序,然后尝试从同一浏览器中的另一个选项卡再次登录 - 它允许我登录而不是拒绝尝试。
这是我的安全配置文件:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 3.0 context: form login plus concurrent-session control.
  Default namespace is "security"; the beans namespace is prefixed "beans:".
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!--
    Filter chain. auto-config is off, so the login filter and the concurrent-
    session filter are wired explicitly below via <custom-filter>.
    filters="none" takes /login.jsp out of the security filter chain entirely,
    so neither authentication nor the concurrent-session filter runs for it.
    NOTE(review): Spring Security 3.0 ships no CSRF protection; logout here is
    triggered by a plain GET to /logout.htm.
  -->
  <http auto-config="false"
        use-expressions="true"
        entry-point-ref="authenticationEntryPoint"
        access-denied-page="/jsp/accessDenied.jsp">
    <intercept-url pattern="/login.jsp" filters="none"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <logout logout-url="/logout.htm"
            logout-success-url="/login.jsp?loggedout=true"
            invalidate-session="true"/>
    <custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
    <!-- Same strategy bean ("sas") as the login filter, so both agree on session handling. -->
    <session-management session-authentication-strategy-ref="sas"/>
  </http>

  <!-- Form login: delegates to the authentication manager and the "sas" strategy on success. -->
  <beans:bean id="authenticationFilter"
              class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="sessionAuthenticationStrategy" ref="sas"/>
    <beans:property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler"/>
    <beans:property name="authenticationFailureHandler" ref="customAuthenticationFailureHandler"/>
  </beans:bean>

  <!-- Redirect targets for failed / successful login and for unauthenticated requests. -->
  <beans:bean id="customAuthenticationFailureHandler"
              class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/login.jsp?authfailed=true"/>
  </beans:bean>

  <beans:bean id="customAuthenticationSuccessHandler"
              class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/index.jsp"/>
  </beans:bean>

  <beans:bean id="authenticationEntryPoint"
              class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/login.jsp"/>
  </beans:bean>

  <!-- Authentication: in-memory users checked against MD5 digests. -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService">
      <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
  </authentication-manager>

  <!--
    NOTE(review): no salt source is configured, so this is plain unsalted MD5.
    That is not adequate protection for real credentials; it is left unchanged
    here only because the stored password values below are MD5 digests.
  -->
  <beans:bean id="passwordEncoder"
              class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>

  <!-- Fixed demo accounts with literal password hashes; not intended for production use. -->
  <user-service id="userDetailsService">
    <user name="username"
          password="ee11cbb19052e40b07aac0ca060c23ee"
          authorities="ROLE_USER, ROLE_ADMIN"/>
    <user name="test"
          password="21232f297a57a5a743894a0e4a801fc3"
          authorities="ROLE_USER"/>
  </user-service>

  <!--
    Concurrent-session control.
    The filter checks each request's session against the registry and sends a
    session that has been marked expired to expiredUrl.
  -->
  <beans:bean id="concurrencyFilter"
              class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry"/>
    <beans:property name="expiredUrl" value="/login.jsp?loggedout=true"/>
  </beans:bean>

  <!--
    maximumSessions="1" with exceptionIfMaximumExceeded left at its default:
    a later login is NOT rejected; the earlier session is marked expired instead,
    and the filter above redirects it to expiredUrl on its next request. Set
    exceptionIfMaximumExceeded to true to reject the later login instead.
    NOTE(review): a second tab in the same browser normally shares the same
    session cookie, so it is the same HttpSession and not a second session as
    far as the registry is concerned; test with a different browser or a
    private window to see the limit applied.
  -->
  <beans:bean id="sas"
              class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
    <beans:property name="maximumSessions" value="1"/>
  </beans:bean>

  <!-- Registry of live sessions; kept up to date by HttpSessionEventPublisher in web.xml. -->
  <beans:bean id="sessionRegistry"
              class="org.springframework.security.core.session.SessionRegistryImpl"/>

  <!-- NOTE(review): the closing tag of the root element is missing from the listing as pasted. -->
这是我的web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 3.0 deployment descriptor: root context, security filter, dispatcher servlet. -->
<web-app version="3.0"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

  <display-name>Spring security web application (series)</display-name>

  <!-- Root application context: only the security configuration is loaded here. -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext-security.xml</param-value>
  </context-param>

  <!--
    Loads the root application context of this web app at startup.
    It is then available via WebApplicationContextUtils.getWebApplicationContext(servletContext).
  -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!--
    Publishes session created/destroyed events to the Spring context so the
    session registry used by concurrent-session control stays in sync.
  -->
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>

  <!--
    Delegates to the bean named "springSecurityFilterChain" in the root context.
    Mapped to /* so every request passes through the security filters.
  -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Dispatcher servlet for *.htm only; JSPs are served directly by the container. -->
  <servlet>
    <servlet-name>springsecuritywebapp</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>springsecuritywebapp</servlet-name>
    <url-pattern>*.htm</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

</web-app>
此致 纳齐尔
答案 0 :(得分:0)
将<beans:property name="exceptionIfMaximumExceeded" value="true" />
添加到org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
bean定义。如果超出允许的会话,它将抛出异常。
这会产生副作用。假设用户登录浏览器并关闭浏览器以清除会话数据。然后,用户必须等待服务器中的会话到期才能再次登录。除非您有明确的要求,否则我更喜欢您现有的配置。