最大并发会话数（Max Concurrent Sessions）限制不适用于同一浏览器

时间:2012-11-15 10:23:46

标签: spring spring-security

我已将最大会话数配置为 1，并设置了 error-if-maximum-exceeded=true。我注意到两个问题：

1- 如果同时配置了 session-authentication-error-url 和 authentication-failure-handler-ref，前者不起作用：authentication-failure-handler-ref 优先，因此必须在该处理器中处理 SessionAuthenticationException 并实现所需的逻辑。

2- 如果我在 Chrome 中打开会话，然后尝试在 Firefox 中登录，我会得到 SessionAuthenticationException；但如果我在 Chrome（已经有一个打开的会话）中再次登录，登录会成功，并且不会得到 SessionAuthenticationException。如果用户已经通过身份验证，我是否应该阻止他查看登录页面？如果这是正确的做法，请告知如何实现。

我通常按如下方式检查用户是否已通过身份验证：

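// Determine whether the current request belongs to a logged-in (non-anonymous) user.
// getAuthentication() can return null when no security context has been established
// for the thread (e.g. outside the filter chain), so guard it before dereferencing.
Object principal = null;
if (SecurityContextHolder.getContext().getAuthentication() != null) {
  principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
// "anonymousUser" is the principal name the anonymous filter assigns by default; comparing
// against the literal keeps this snippet working but couples it to that default name.
// NOTE(review): an instanceof check against AnonymousAuthenticationToken on the
// Authentication is the name-independent alternative; it would need that class imported.
if (principal != null && !"anonymousUser".equals(principal)) {
  // logged in user
}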

这是我目前的配置:

1- web.xml:

    <!-- Spring Security entry point: DelegatingFilterProxy hands every request to the
         Spring bean whose name equals this filter-name ("springSecurityFilterChain"),
         i.e. the chain built from the security:http element in applicationSecurity.xml. -->
    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
       <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
       </filter-class>
    </filter>
  <!-- Apply the chain to every path and also to FORWARD and ERROR dispatches, so
       server-side forwards (e.g. to the login view) and error pages are protected too,
       not only direct client requests. -->
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>

  <!-- Publishes HttpSession created/destroyed events into the Spring context. The session
       registry behind concurrency-control listens for these to drop invalidated or
       timed-out sessions, so max-sessions is counted against live sessions only. -->
  <listener>
      <listener-class>
      org.springframework.security.web.session.HttpSessionEventPublisher
      </listener-class>
  </listener>

2- applicationSecurity.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:p="http://www.springframework.org/schema/p" 
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <!-- Password hashing: a single SHA-256 pass over password plus salt. The salt is the
         username (ReflectionSaltSource reads the "username" property of the UserDetails),
         so it is per-user but predictable. NOTE(review): a single fast hash is cheap to
         brute force offline; Spring Security 3.1 also provides BCryptPasswordEncoder,
         which is the stronger choice for new deployments. -->
    <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <constructor-arg value="256"/>
    </bean>

    <bean id="saltSource"
        class="org.springframework.security.authentication.dao.ReflectionSaltSource">
        <property name="userPropertyToUse" value="username" />
    </bean>

    <!-- Application-specific user lookup. The provider below hashes the submitted password
         with the encoder above and compares it to the hash this service returns. -->
    <bean id="customUserDetailsService"
        class="com.myapp.faces.web.services.CustomUserDetailsService" />

    <!-- Single DAO-backed provider; the alias lets other beans (or a test) reference the
         manager as "authenticationManager". -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="customUserDetailsService">
            <security:password-encoder ref="passwordEncoder">
                <security:salt-source ref="saltSource" />
            </security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- Custom handlers for the form-login outcome; a successful login lands on /dashboard. -->
    <bean id="loginSuccessHandler" class="com.myapp.faces.web.services.LoginSuccessHandler">
       <property name="defaultTargetUrl" value="/dashboard"/>
    </bean>

    <!-- NOTE(review): because this handler is wired into form-login below, a
         SessionAuthenticationException raised during form login (max-sessions exceeded)
         is delivered here rather than to session-authentication-error-url, as the
         question itself observes. The handler must therefore recognise that exception. -->
    <bean id="loginFailureHandler" class="com.myapp.faces.web.services.LoginFailureHandler" />

    <!-- auto-config="true" also switches on HTTP Basic authentication alongside the explicit
         form-login and logout elements below; remove it if Basic auth is not intended. -->
    <security:http use-expressions="true"  auto-config="true" >


        <!-- Rules are evaluated top to bottom and the first matching pattern wins, so the
             public resources must stay above the "/**" catch-all at the end. -->
        <security:intercept-url pattern="/j_spring_security_check" access="permitAll" />

        <security:intercept-url pattern="/faces/javax.faces.resource/**" access="permitAll"/>
        <security:intercept-url pattern="/xmlhttp/**" access="permitAll" />
        <security:intercept-url pattern="/resources/**" access="permitAll" />

        <!-- NOTE(review): Ant patterns that do not start with "/" are not expected to match
             a servlet path that does, so these three entries likely never match and merely
             duplicate the three above; verify before relying on them. -->
        <security:intercept-url pattern="**/faces/javax.faces.resource/**" access="permitAll" />
        <security:intercept-url pattern="**/xmlhttp/**" access="permitAll" />
        <security:intercept-url pattern="**/resources/**" access="permitAll" />

        <security:intercept-url pattern="/login" access="permitAll"/>       

        <!-- Everything else requires a non-anonymous authentication. -->
        <security:intercept-url pattern="/**" access="isAuthenticated()" />     


        <!-- Custom login page and processing URL; the two handler refs replace the
             namespace defaults for success and failure. -->
        <security:form-login                
            login-processing-url="/j_spring_security_check"         
            login-page="/login"
            authentication-failure-handler-ref="loginFailureHandler"
            authentication-success-handler-ref="loginSuccessHandler" />

        <!-- Logout with the namespace defaults (logout URL, session invalidation, target). -->
        <security:logout  />

        <!-- At most one live session per user; error-if-maximum-exceeded="true" rejects a
             second login instead of expiring the older session. A repeat login from the same
             browser still succeeds because that browser presents the cookie of the session
             that is already registered for the user, so no additional session is counted.
             The session-authentication-error-url is, per the question, bypassed for form
             login when a failure handler ref is set (see loginFailureHandler). Session
             bookkeeping relies on the HttpSessionEventPublisher listener in web.xml. -->
        <security:session-management session-authentication-error-url="/login?error=3">
          <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </security:session-management>

    </security:http>

</beans>

1 个答案:

答案 0 :(得分:1)

我个人这样做。

    /**
     * Serves the login page, or sends an already authenticated caller straight to the
     * dashboard so the form is never shown to a logged-in user.
     *
     * @param authentication the caller's Authentication as resolved by Spring MVC; null
     *                       when the request carries no authenticated principal
     * @return a redirect to the dashboard, or the login view name
     */
    @RequestMapping(method=RequestMethod.GET)
    public String login(Authentication authentication)
    {
        // NOTE(review): an AnonymousAuthenticationToken also reports isAuthenticated() == true;
        // this check excludes anonymous callers only if the argument resolver yields null for
        // them (as the security-aware request wrapper's getUserPrincipal() does). Confirm.
        boolean alreadyLoggedIn = (authentication != null) && authentication.isAuthenticated();
        if (alreadyLoggedIn)
        {
            return "redirect:dashboard";
        }
        return viewResolver.getView(ViewConstants.LOGIN_PAGE);
    }

上述方法用于处理对登录页面的请求。

我不认为有一种方法可以仅使用配置来实现。我可能错了。

编辑:

请查看此链接。