Spring Security 3.2 and maximumSessions - logout does not update the SessionRegistry

Time: 2014-05-04 10:32:22

Tags: java spring-mvc spring-security

Problem scenario:

I am trying to configure session management with Spring Security v3.2.3 using Java config, so that maximumSessions is set to 1 and maxSessionsPreventsLogin is set to true, e.g.

.sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true);

This means that if someone logs in and then logs in again with the same credentials in a different browser, the originally logged-in user stays logged in and the second person attempting to log in is rejected.

The code problem:

I have tried to follow the examples and hints in the Javadoc, but the main problem with my code is that when you run my example code (see below) you can log in once and then log out, but if you try to log in again you are blocked, because Spring Security has not recognised that you logged out.

I traced this to the Spring class SessionRegistryImpl: when you log in, the method registerNewSession is called, but when you log out the method removeSessionInformation is not called, which results in not being able to log in again.

I know the removeSessionInformation method is not called because it should be triggered by a particular kind of listener which is not set by default. To set it, in the subclass of AbstractSecurityWebApplicationInitializer the method enableHttpSessionEventPublisher must be overridden to return true. The Javadoc for this method states that it "should be true if session management has specified a maximum number of sessions". Doing this does not seem to make any difference; logout still does not trigger a call to the removeSessionInformation method of SessionRegistryImpl.

The only other thing I tried, without success, was adding the @Order annotation to the various classes, as suggested in the Caveat section of the Javadoc for the AbstractSecurityWebApplicationInitializer class. This made no difference.

Is my code missing something or wrong, or is there a problem with Spring Security?

I am using Java 1.7.0_51 and Tomcat 7.0.53.

Below is the code I am using, the JSPs and the pom.xml with the libs used. I have tried to reduce this example to its simplest form.

The example lets you log in, see a welcome page with a logout button, and then click the logout button.

The MessageSecurityWebApplicationInitializer class:

package com.test.config;
import org.springframework.security.web.context.*;

public class MessageSecurityWebApplicationInitializer
  extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected boolean enableHttpSessionEventPublisher() {
        return true;
    }
}

The MvcConfig class:

package com.test.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/").setViewName("home");
    }
}

The WebAppInitializer class:

package com.test.config;
import org.springframework.web.filter.CharacterEncodingFilter;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
import javax.servlet.Filter;

public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer{

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { WebSecurityConfig.class, MvcConfig.class};
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class<?>[] { WebConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }

    @Override
    protected Filter[] getServletFilters() {
        CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
        characterEncodingFilter.setEncoding("UTF-8");
        return new Filter[] { characterEncodingFilter};
    }
}

The WebConfig class:

package com.test.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.view.JstlView;
import org.springframework.web.servlet.view.UrlBasedViewResolver;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = {"com.test.web.controller"})
public class WebConfig {

    @Bean
    public UrlBasedViewResolver setupViewResolver() {
        UrlBasedViewResolver resolver = new UrlBasedViewResolver();
        resolver.setPrefix("/WEB-INF/jsp/");
        resolver.setSuffix(".jsp");
        resolver.setViewClass(JstlView.class);
        return resolver;
    }

    @Bean
    public RequestMappingHandlerAdapter setupPageCache() {
        RequestMappingHandlerAdapter adapter = new RequestMappingHandlerAdapter();
        adapter.setCacheSeconds(0);
        return adapter;
    }
}

The WebSecurityConfig class:

package com.test.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            .authorizeRequests()     
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/login?logout")        
                .permitAll()
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
         auth
            .inMemoryAuthentication()
               .withUser("user").password("password").roles("USER");
    }

}

The CommonController class:

package com.test.web.controller;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class CommonController {

    @RequestMapping(value="/login", method=RequestMethod.GET)
    public String viewLoginPage(HttpServletRequest request, Model model) {   
        return "login";
    }  
}

login.jsp:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

        <title>Test</title>
    </head>

    <body id="loginPage">
        <div id="loginWrapper">
            <div id="loginForm">                            

                <noscript>
                    <div>                            
                    <spring:message code="login.javascript_disabled" text="JavaScript is not enabled on your browser." />
                    </div>                    
                   </noscript>    

                   <c:url value="/login" var="loginUrl"/>
                <form action="${loginUrl}" method="post">       
                    <c:if test="${param.error != null}">        
                        <p>
                            Invalid username and password.
                        </p>
                    </c:if>
                    <c:if test="${param.logout != null}">       
                        <p>
                            You have logged out.
                        </p>
                    </c:if>
                    <p>
                        <label for="username">Username</label>
                        <input type="text" id="username" name="username"/>    
                    </p>
                    <p>
                        <label for="password">Password</label>
                        <input type="password" id="password" name="password"/>    
                    </p>
                    <input type="hidden"                        
                        name="${_csrf.parameterName}"
                        value="${_csrf.token}"/>
                    <button type="submit" class="btn">Log in</button>
                </form>

            </div>
        </div>
    </body>                  
</html>

home.jsp:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE HTML>
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Spring Security Example</title>
    </head>
    <body>
        <h1>Welcome!</h1>

        <c:url var="logoutUrl" value="/logout"/>
        <form action="${logoutUrl}"
            method="post">
          <input type="submit" value="Log out"/>
          <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
        </form>
    </body>
</html>

pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.testing.automation</groupId>
  <artifactId>test-simple</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <name>test-simple</name>
  <packaging>war</packaging>
  <description>Test for single session.</description>
  <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>3.0.1</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
               <groupId>org.springframework</groupId>
            <artifactId>spring-context</artifactId>
            <version>4.0.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>4.0.3.RELEASE</version>
        </dependency>    
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>3.2.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>3.2.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>3.2.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>3.2.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet.jsp.jstl</groupId>
            <artifactId>javax.servlet.jsp.jstl-api</artifactId>
            <version>1.2.1</version>
        </dependency>
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>
        <dependency>
            <groupId>taglibs</groupId>
            <artifactId>standard</artifactId>
            <version>1.1.2</version>
        </dependency>   
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
        </dependency>
        <dependency>
            <groupId>org.apache.httpcomponents</groupId>
            <artifactId>httpclient</artifactId>
            <version>4.3.3</version>
        </dependency>
       </dependencies>
   <build>
           <plugins>
               <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-eclipse-plugin</artifactId>
                <version>2.9</version>
                <configuration>
                    <wtpversion>2.0</wtpversion>
                    <wtpContextName>mmtest</wtpContextName>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.0</version>
                <configuration>
                      <source>1.7</source>
                      <target>1.7</target>
                </configuration>
              </plugin>
        </plugins>
   </build>

</project>

2 answers:

Answer 0 (score: 1)

I was able to solve this by following the configuration below in WebSecurityConfig.java:

import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;

.sessionManagement()
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true).sessionRegistry(sessionRegistry());



@Bean
public SessionRegistry sessionRegistry() {
    SessionRegistry sessionRegistry = new SessionRegistryImpl();
    return sessionRegistry;
}

Answer 1 (score: 0)

I ran into a similar problem with Spring Security (the configuration was programmatic, not XML).

I could log in, but when I logged out, invalidateHttpSession() had no effect. The session was not invalidated because for some reason the corresponding method was not called.

I fixed this by removing the original authentication filter I was using in the bootstrap. So, when using Spring Security, declaring filters in the wrong order can cause similar problems.