Spring安全并发控制不起作用

时间:2014-11-10 12:01:17

标签: java spring-security

我尝试在 Spring Security 3.2 中实现并发控制，使用 form-login 进行身份验证。这是我的 security.xml：

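    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

        <!-- Spring Security 3.2 web configuration. The security namespace is the default namespace;
             plain Spring beans are written with the beans: prefix. -->
        <http access-denied-page="/login.html" create-session="ifRequired">

            <!-- Only these two pages carry an access rule; there is no catch-all pattern in this block. -->
            <intercept-url pattern="/settings.html" access="ROLE_USER"/>
            <intercept-url pattern="/history.html" access="ROLE_USER"/>

            <!-- Namespace-generated login filter occupying the FORM_LOGIN_FILTER slot. -->
            <form-login login-page="/"
                        authentication-failure-url="/error.do"
                        default-target-url="/logged.do"
                        always-use-default-target="true"
                        login-processing-url="/j_spring_security_check"/>

            <logout logout-url="/j_spring_security_logout" logout-success-url="/index.html" invalidate-session="true"/>

            <!-- Hands the composite strategy "sas" (defined below) to the namespace-created filters. -->
            <session-management session-authentication-strategy-ref="sas"/>

            <custom-filter ref="accessFilter" after="FORM_LOGIN_FILTER" />
            <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
            <!-- NOTE(review): myAuthFilter is a second UsernamePasswordAuthenticationFilter placed ahead of the
                 <form-login> one, with no filterProcessesUrl or success/failure handlers of its own, so it presumably
                 takes the login request first and the URLs configured on <form-login> never apply. Confirm which
                 filter really handles /j_spring_security_check and keep only one of them. -->
            <custom-filter before="FORM_LOGIN_FILTER" ref="myAuthFilter" />
        </http>

        <!-- Shared registry consulted by the concurrency strategy and the concurrency filter.
             NOTE(review): the accepted answer on this page reports that the registry recognises "the same user"
             through UserDetails equals()/hashCode(); a custom UserDetails without them is treated as a new
             principal on every login, which is why two browsers could both stay active. -->
        <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

        <beans:bean id="accessFilter" class="ua.com.site.http.filter.PlayerAccessFilter" />

        <!-- playerDao is referenced here but defined in another context file (not part of this listing). -->
        <beans:bean id="passwordUserDetailService" class="ua.com.site.web.security.cristal.PasswordUserDetailService">
            <beans:property name="playerDao" ref="playerDao"/>
        </beans:bean>

        <beans:bean id="tokenUserDetailsService" class="ua.com.site.web.security.cristal.TokenUserDetailService">
            <beans:property name="playerDao" ref="playerDao"/>
        </beans:bean>

        <!-- Password login. NOTE(review): Md5PasswordEncoder with no saltSource configured means stored passwords
             are unsalted MD5, which is not suitable for password storage. Flagged rather than changed here because
             existing stored hashes depend on it; a migration needs a re-hash on next login or a reset. -->
        <beans:bean id="passwordAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
            <beans:property name="passwordEncoder">
                <beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
            </beans:property>
            <beans:property name="userDetailsService" ref="passwordUserDetailService" />
        </beans:bean>

        <!-- Token login: the presented credential is compared verbatim. Presumably the token is a generated
             secret rather than a user-chosen password - confirm against TokenUserDetailService. -->
        <beans:bean id="tokenAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
            <beans:property name="passwordEncoder">
                <beans:bean class="org.springframework.security.authentication.encoding.PlaintextPasswordEncoder" />
            </beans:property>
            <beans:property name="userDetailsService" ref="tokenUserDetailsService" />
        </beans:bean>

        <!-- Providers are consulted in the order listed; the alias is what myAuthFilter below refers to. -->
        <authentication-manager alias="authenticationManager">
            <authentication-provider ref="passwordAuthenticationProvider" />
            <authentication-provider ref="tokenAuthenticationProvider" />
        </authentication-manager>

        <!-- NOTE(review): nothing in this file references this bean (no ref="concurrentSessionController"), and the
             class is the pre-3.2 strategy. The 3.2 ConcurrentSessionControlAuthenticationStrategy with the same
             settings is already wired inside "sas" below, so this definition appears to be dead configuration. -->
        <beans:bean id="concurrentSessionController" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
            <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
            <beans:property name="maximumSessions" value="1" />
        </beans:bean>

        <!-- Sends requests whose session the registry has marked expired to expiredUrl. -->
        <beans:bean id="concurrencyFilter"
            class="org.springframework.security.web.session.ConcurrentSessionFilter">
            <beans:property name="sessionRegistry" ref="sessionRegistry" />
            <beans:property name="expiredUrl" value="/expired.html" />
        </beans:bean>

        <!-- Hand-built login filter; see the NOTE on its <custom-filter> entry inside <http>. -->
        <beans:bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
            <beans:property name="sessionAuthenticationStrategy" ref="sas" />
            <beans:property name="authenticationManager" ref="authenticationManager" />
        </beans:bean>

        <!-- Strategies run in list order on each successful authentication:
             1. concurrency check against the registry (at most one session per principal; the new login is
                rejected when exceeded),
             2. session-fixation protection,
             3. registration of the resulting session in the registry.
             NOTE(review): exceptionIfMaximumExceeded="true" differs from the error-if-maximum-exceeded="false"
             used in the earlier <concurrency-control> configuration quoted later in the question. -->
        <beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
            <beans:constructor-arg>
                <beans:list>
                    <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                        <beans:constructor-arg ref="sessionRegistry"/>
                        <beans:property name="maximumSessions" value="1" />
                        <beans:property name="exceptionIfMaximumExceeded" value="true" />
                    </beans:bean>
                    <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
                    </beans:bean>
                    <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                        <beans:constructor-arg ref="sessionRegistry"/>
                    </beans:bean>
                </beans:list>
            </beans:constructor-arg>
        </beans:bean>

        <!-- Closing root tag added: the listing as posted never closed <beans:beans>, so it was not well-formed. -->
    </beans:beans>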

监听器

<!-- web.xml entry; the enclosing <listener> element is not shown in this excerpt. HttpSessionEventPublisher
     forwards session creation/destruction events so the sessionRegistry can drop sessions that have ended.
     NOTE(review): the class name sits on its own line inside text content; containers generally trim it, but
     keeping it on one line avoids relying on that. -->
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>

包含在我的web.xml中。

我启动应用，在两个不同的浏览器中分别登录同一账号，结果两个会话都处于活动状态。看起来并发控制并没有生效。

如何使用form-login实现并发控制?

在之前的版本中我只使用了

<!-- Earlier, namespace-only form of the same set-up: these attributes make the namespace create the concurrency
     strategy, the ConcurrentSessionFilter and the registry wiring itself. Note error-if-maximum-exceeded="false"
     here versus exceptionIfMaximumExceeded="true" in the bean-based "sas" strategy above. -->
<session-management>
        <concurrency-control max-sessions="1" expired-url="/expired.html" error-if-maximum-exceeded="false" session-registry-ref="sessionRegistry" />
    </session-management>

感谢您的任何建议。

1 个答案:

答案 0 :(得分:1)

SessionRegistry 使用 UserDetails 的 equals()/hashCode() 来查找同一用户的会话。我使用的是自定义 UserDetails，所以必须实现这两个方法，然后恢复以前的配置即可。