会话管理在Spring安全性中不起作用

时间:2013-03-18 09:53:34

标签: spring-security

My Spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:p="http://www.springframework.org/schema/p" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security 

            http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- This is where we configure Spring-Security  -->

    <security:global-method-security pre-post-annotations="enabled" />
    <!-- <security:global-method-security secured-annotations="enabled" /> -->

    <security:http auto-config="false" use-expressions="true" access-denied-page="/access-deniad" 
            entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/RetailEnterpriseSuite/login.do" access="permitAll"  requires-channel="https" />
        <security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
        <!-- <security:intercept-url pattern="/common" access="hasRole('ROLE_USER')"/> -->
        <security:intercept-url pattern="/users" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/*" access="permitAll" requires-channel="any"/>

        <security:logout 
                invalidate-session="true" 
                logout-success-url="/login.html" 
                logout-url=""/>

        <!-- 
            Querying the SessionRegistry for currently authenticated users and their sessions
            http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals 
        -->
        <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
        <security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
        <security:custom-filter ref="singleEntryFilter" after="FORM_LOGIN_FILTER"/>
        <security:session-management session-authentication-strategy-ref="sas"/>
    </security:http>



    <bean id="singleEntryFilter" class="com.stc.res.filter.SingleEntryFilter" 
            p:redirectURI="/login.html">
            <property name="guardURI">
                <list>
                    <!-- <value>/index.html</value> -->
                    <value>/index.html</value>
                    <!-- <value>/index.html</value>
                    <value>/index.html</value>
                    <value>/index.html</value>
                    <value>/index.html</value> -->
                </list>
            </property>
    </bean>
    <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
        p:sessionAuthenticationStrategy-ref="sas"
        p:authenticationManager-ref="authenticationManager" 
        p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
        p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/>

    <!-- We just actually need to set the default failure url here -->
    <bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
        p:defaultFailureUrl="/loginfailed" />

     <!-- We just actually need to set the default target url here -->

     <bean id= "customAuthenticationSuccessHandler"  class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <property name="redirectStrategy" ref="customSuccessRedirStrategy" />
     </bean>
    <!-- <bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
         p:redirectStrategy-ref="customSuccessRedirStrategy" /> -->

    <bean id= "customSuccessRedirStrategy"  class=" com.stc.res.customeredirection.CustomSuccessRedirection"> </bean>   



    <!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page,
            whenever the server sends back a response requiring authentication -->
    <!-- See Spring-Security Reference 5.4.1 for more info -->
    <bean id="authenticationEntryPoint"  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
        p:loginFormUrl="/login.html"/>

    <!-- Declare an authentication-manager to use a custom userDetailsService -->
    <!-- It's important to set the alias here because it's used by the authenticationFilter -->
    <security:authentication-manager alias="authenticationManager">
       <security:authentication-provider user-service-ref="userservice">
        <security:password-encoder ref="passwordEncoder">
                  <security:salt-source ref="saltSource"/>
        </security:password-encoder>
        </security:authentication-provider>
         <security:authentication-provider user-service-ref="jdbcUserService"/> 
    </security:authentication-manager>

    <bean id="userservice"  class="com.stc.res.service.UserLoginService" >
        <property name="usrlogindao" ref="userLogindao"/>
    </bean> 

    <bean id="userLogindao" class = "com.stc.res.dao.UserLoginDao" />

    <bean id="jdbcUserService" class="com.stc.res.service.JdbcUserService">
        <property name="customJdbcDao" ref="custjdbcDao"/>
    </bean>

    <bean id="custjdbcDao"  class= "com.stc.res.dao.CustomJdbcDaoImpl">
        <property name="dataSource" ref="dataSource"/>
    </bean>


    <bean id="jdbcAdminUserService" class="com.stc.res.controller.JdbcAdminUserService">
        <property name="dataSource" ref="dataSource"/>
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>


    <!-- Use a Sha  encoder since the user's passwords are stored as Md5 in the database -->
    <bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder"/>
    <bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
            <property name="userPropertyToUse" value="username"/>
    </bean>

    <!-- <security:bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.PersistentTokenBasedRememberMeServices"> 
        <property name="tokenRepository" ref="jdbcTokenRepository" /> 
        <property name="userDetailsService" ref="userservice" /> 
        <property name="key" value="springRocks" /> 
        <property name="alwaysRemember" value="false" /> 
   </security:bean>

   Uses a database table to maintain a set of persistent login data 
    <security:bean id="jdbcTokenRepository" class="org.springframework.security.ui.rememberme.JdbcTokenRepositoryImpl"> 
        <property name="createTableOnStartup" value="false" /> 
        <property name="dataSource" ref="dataSource" /> 
    </security:bean> 
   -->


     <!-- An in-memory list of users. No need to access an external database layer.
            See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication -->
     <!-- john's password is admin, while jane;s password is user  -->



    <!-- Filter required by concurrent session handling package 
            The ConcurrentSessionFilter requires two properties, sessionRegistry, which generally points to an 
            instance of SessionRegistryImpl, and expiredUrl, which points to the page to display when a session has expired.
            See: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals -->
    <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"
            p:sessionRegistry-ref="sessionRegistry" 
            p:expiredUrl="/login.html" />

    <!--  Defines a concrete concurrent control strategy 
             Checks whether the user in question should be allowed to proceed, by comparing the number of 
             sessions they already have active with the configured maximumSessions value. The SessionRegistry 
             is used as the source of data on authenticated users and session data.
             See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.html-->
    <bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
            p:maximumSessions="1"  error-if-maximum-exceeded="true" >
            <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    </bean>

    <!-- Maintains a registry of SessionInformation instances
           See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/session/SessionRegistry.html -->
    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> 

</beans>

我配置了web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <filter>
    <display-name>MycustomFilter</display-name>
    <filter-name>MycustomFilter</filter-name>
    <filter-class>com.stc.res.filter.MycustomFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>MycustomFilter</filter-name>
    <url-pattern>/MycustomFilter</url-pattern>
  </filter-mapping>

 listener>
    <listener-class>
    org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
  </listener> 

请告诉我此代码中的错误在哪里,请指导我。我是春天安全的新手。即使用户也可以从不同的浏览器登录,无需注销。

1 个答案:

答案 0 :(得分:0)

您是否尝试过官方文档中的此片段(阻止多次登录):

<security:http ... >

    ....

    <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </security:session-management>        
</security:http>