Spring安全会话创建

时间:2014-02-17 20:46:11

标签: java session java-ee jsf-2 spring-security

如何在每次创建会话时初始化应用程序?我遇到的问题是:一个用户登录我的应用程序时会创建新会话;而另一个用户同时尝试登录时,却看到第一个用户已经登录。我想知道如何为第二个用户单独初始化应用,使两个用户之间互不冲突。我的类如下:

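/**
 * Session lifecycle listener that delegates to the superclass
 * {@code HttpSessionEventPublisher} and prints a marker line for each event.
 *
 * <p>NOTE(review): this class is registered as a {@code <listener>} in web.xml, so the
 * instance that receives events is created by the servlet container. Spring does not
 * inject {@code @Autowired} fields into an object it did not create, so
 * {@link #loginBean} is presumably {@code null} on that instance. Confirm before use.
 */
@Component
public class MyHttpSessionEventPublisher extends HttpSessionEventPublisher {

    // NOTE(review): no method in this class reads this field. LoginBean's scope is not
    // shown here; if it is a singleton that stores the logged-in user, every session
    // shares that one object, which would match the "second user sees the first user
    // logged in" symptom. Per-user state belongs in a session-scoped bean or in the
    // HttpSession itself. Resetting a shared bean from a session listener would affect
    // all users, not only the new one.
    @Autowired
    LoginBean loginBean;

    /**
     * Forwards the session-created notification to the superclass, then prints a marker.
     *
     * @param event the container's notification for the newly created session
     */
    @Override
    public void sessionCreated(HttpSessionEvent event) {
        super.sessionCreated(event);
        // The session id is a bearer credential: anyone who can read it from stdout or
        // a collected log can present it as their own session cookie. It is therefore
        // deliberately not printed here.
        System.out.println(">>>>>>>>>>>>>>>>>>>>>>> session created <<<<<<<<<<<<<<<<<<<<<<<<<");
    }

    /**
     * Forwards the session-destroyed notification to the superclass, then prints a marker.
     *
     * @param event the container's notification for the session being invalidated
     */
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        super.sessionDestroyed(event);
        System.out.println(">>>>>>>>>>>>>>>>>>>>>>> session destroyed <<<<<<<<<<<<<<<<<<<<<<<<<");
    }

}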

请帮忙。web.xml 如下:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">
    <!-- JSF view state is kept on the client (sent with each page and posted back)
         instead of in the HTTP session.
         NOTE(review): state that round-trips through the browser is untrusted input
         when it returns. Confirm that the JSF implementation in use encrypts and
         integrity-protects client-side state. -->
    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
    </context-param>
    <!-- Spring support: ContextLoaderListener loads the root application context,
         RequestContextListener binds the current request to the thread, and
         ConfigureListener bootstraps JSF. -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>
            org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>com.sun.faces.config.ConfigureListener</listener-class>
    </listener>

    <!-- Session lifecycle listener (project subclass of HttpSessionEventPublisher).
         NOTE(review): listeners declared in web.xml are instantiated by the servlet
         container, not by Spring, so @Autowired fields on this instance are
         presumably never injected. Confirm before relying on them. -->
    <listener>
        <listener-class>main.com.zc.attSys.security.beans.MyHttpSessionEventPublisher</listener-class>
    </listener>

    <welcome-file-list>
        <welcome-file>index.xhtml</welcome-file>
    </welcome-file-list>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.faces</url-pattern>
    </servlet-mapping>
    <!-- <context-param> <param-name>primefaces.THEME</param-name> <param-value>none</param-value> 
        </context-param> -->

    <!-- Spring Security entry point. DelegatingFilterProxy hands each request to the
         Spring bean whose name matches filter-name (springSecurityFilterChain).
         The mapping below covers every URL for the FORWARD, REQUEST, INCLUDE and
         ERROR dispatcher types, so internally dispatched requests pass through the
         security chain as well. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <!-- NOTE(review): the filter below is disabled. If the container falls back to URL
         rewriting, the session id appears in links (;jsessionid=...), where it can
         leak through Referer headers, access logs and shared URLs. Spring Security 3.x
         offers the disable-url-rewriting attribute on the http element as an
         alternative to a hand-written filter. -->
    <!-- This Part for removing session id from URl 
    <filter>
        <filter-name>URLSessionFilter</filter-name>
        <filter-class>main.com.zc.attSys.security.beans.URLSessionFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>URLSessionFilter</filter-name>
        <url-pattern>/*</url-pattern>

        <dispatcher>REQUEST</dispatcher>

    </filter-mapping>
-->


    <context-param>

        <param-name>contextConfigLocation</param-name>

        <param-value>
              /WEB-INF/applicationContext.xml
            /WEB-INF/applicationContext-security.xml

        </param-value>

    </context-param>
    <!-- Idle session timeout, in minutes. NOTE(review): 1 minute looks like a
         debugging value used to trigger session-destroyed events quickly; confirm
         the intended production value. -->
    <session-config>
        <session-timeout>1</session-timeout>

    </session-config>
</web-app>

applicationContext-Security.xml是

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:p="http://www.springframework.org/schema/p"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <context:property-placeholder location="classpath:resources/jdbc.properties" />
    <!-- For Spring auto wiring -->
    <tx:annotation-driven />
    <context:annotation-config />
    <context:component-scan base-package="main.com.zc.attSys" />

    <tx:annotation-driven transaction-manager="hibernateTransactionManager" />

    <!-- NOTE(review): the only intercept-url rule below is commented out, so this
         http element declares no access rules. As written, no URL requires
         authentication or a role. If a /** rule is re-enabled, the login page must
         stay reachable without authentication. -->
    <http auto-config='true'>
        <!-- <intercept-url pattern="/**" access="ROLE_USER"/> --> 

        <!-- Form login: credentials are read from the request parameters Mail and
             Password; both the login page and the failure page are login.xhtml.
             NOTE(review): login-processing-url is the URL the login filter
             intercepts. Here it is /home.xhtml, which looks like a page URL;
             confirm that ordinary requests for the home page are not being
             consumed as login attempts. always-use-default-target is true but no
             default-target-url is set here. -->
        <form-login username-parameter="Mail"  password-parameter="Password" 
         login-page="/pages/courseFeedBack/ask/login.xhtml"  
        login-processing-url="/home.xhtml"
         always-use-default-target="true"
         authentication-failure-url="/pages/courseFeedBack/ask/login.xhtml"
        />

    </http>

    <!-- <authentication-manager> <authentication-provider> <user-service> <user 
        name="joseph" password="bagnes" authorities="Admin, User"/> <user name="bernabe" 
        password="jose" authorities="User"/> </user-service> </authentication-provider> 
        </authentication-manager> -->

    <!-- Authentication provider backed by the userDetailsService bean (defined
         elsewhere, not shown in this file).
         NOTE(review): no passwordEncoder is configured. In Spring Security 3.x a
         DaoAuthenticationProvider without an encoder compares passwords as
         plaintext; confirm how stored passwords are hashed and configure a
         matching adaptive encoder such as bcrypt. -->
    <beans:bean id="daoAuthenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService"></beans:property>

    </beans:bean>

    <!-- Hand-built ProviderManager wrapping the provider above.
         NOTE(review): the authentication-manager element further down also
         registers an authentication manager for the same userDetailsService, so
         this bean looks redundant; confirm which of the two is actually used. -->
    <beans:bean id="authenticationManager"
        class="org.springframework.security.authentication.ProviderManager">
        <beans:property name="providers">
            <beans:list>
                <beans:ref local="daoAuthenticationProvider" />
            </beans:list>
        </beans:property>
    </beans:bean>

    <!-- Namespace-configured authentication manager. NOTE(review): no
         password-encoder child element is present on this provider either. -->
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">

        </authentication-provider>
    </authentication-manager>

</beans:beans>

1 个答案:

答案 0 :(得分:1)

为了允许多个用户同时使用相同的用户名登录,可以使用 http 元素的并发控制(concurrency-control)功能,参见文档(docs)第 15 页。注意:该设置只限制同一用户名的并发会话数,并不会隔离不同用户之间的会话状态。

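<http>
    <session-management>
        <!-- max-sessions caps the number of concurrent sessions per authenticated
             principal. The attribute value must be quoted for the file to be
             well-formed XML. -->
        <concurrency-control max-sessions="2" />
    </session-management>
</http>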

注意一个常见陷阱:必须在 web.xml 中添加以下监听器,否则并发会话控制不会生效:

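<!-- Lets Spring Security learn about session creation and destruction so that
     concurrency control can track and release sessions. In Spring Security 3.x
     (the schema version used by the question) the class lives in the
     web.session package; the ui.session package is the 2.x location.
     If a subclass of HttpSessionEventPublisher is already registered as a
     listener, a second registration is unnecessary. -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>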

有关相关常见问题,请参阅此FAQ