我有以下弹簧安全配置。在首次成功登录和注销后添加会话管理属性时,我无法再次登录。它将我重定向到authentication-failure-url。如果我删除它,它工作正常。我可以成功地重新加入。我在会话管理方面做错了什么?
<http auto-config='false' use-expressions="true">
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<logout logout-success-url="/login.xhtml" invalidate-session="true" delete-cookies="JSESSIONID"/>
<form-login login-page="/login.xhtml"
login-processing-url="/j_spring_security_check"
default-target-url="/pages/index.xhtml"
always-use-default-target="true"
authentication-failure-url="/login.xhtml?error=true"/>
<custom-filter before="FORM_LOGIN_FILTER" ref="customAjaxControlFilter" />
<session-management invalid-session-url="/login.xhtml">
<concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login.xhtml"/>
</session-management>
</http>
答案 0 :(得分:1)
确保已将侦听器添加到web.xml文件。必须确保在会话被销毁时通知Spring Security会话注册表。没有它,会话信息将不会从注册表中删除。
<listener>
<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>