使会话弹簧安全无效

时间:2016-06-14 05:13:44

标签: java jsf-2 spring-security

我的Web应用程序使用spring security在登录时对用户进行身份验证。我还有并发控制,以避免用户在不同的机器上登录两次。这工作正常但我的问题是:  如果用户在计算机上登录,则关闭浏览器。然后他重新打开网络应用程序,尝试再次登录,他获得以下消息:“超出此主数的最大会话数为1”。我想在浏览器关闭时使会话无效。我怎么能这样做?

弹簧security.xml文件

       <?xml version="1.0" encoding="UTF-8"?>
          <beans xmlns="http://.   www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/.    XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
                       http://www.springframework.org/schema/beans/spring-beans.xsd
                       http://www.springframework.org/schema/security
                       http://www.springframework.org/schema/security/.  spring-security-3.1.xsd">

  <security:global-method-security
        secured-annotations="enabled" />

  <security:http auto-config="false"
        authentication-manager-ref="authenticationManager" use-expressions="true">
        <!-- Override default login and logout pages -->
        <security:form-login
              authentication-failure-handler-ref="fail"
              authentication-success-handler-ref="success" login-page="/car/login.xhtml"
              default-target-url="/jsf/car/home.xhtml" />
        <security:logout invalidate-session="true"
              logout-url="/j_spring_security_logout" success-handler-ref="customLogoutHandler" delete-cookies="JSESSIONID"/>
        <security:session-management>
              <security:concurrency-control
                    max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:intercept-url pattern="/jsf/**"
              access="isAuthenticated()" />
        <security:intercept-url pattern="/run**"
              access="isAuthenticated()" />
        <security:intercept-url pattern="/pages/login.xhtml"
              access="permitAll" />
  </security:http>

  <bean id="success" class="com.car.LoginSuccess" />

  <bean id="fail" class="com.car.LoginFailed">
        <property name="defaultFailureUrl" value="/?login_error=true" />
  </bean>
  <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

  <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
              user-service-ref="userDetailsService">
              <security:password-encoder ref="passwordEncoder"
                    hash="sha" />
        </security:authentication-provider>
  </security:authentication-manager>

    public class FilterToGetTimeOut extends OncePerRequestFilter {

@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException {
    try {
        if(request.getRequestURI().equals("/") || request.getRequestURI().equals("/car/login.xhtml")){
            if(request.getSession().getAttribute("login") != null && (Boolean)request.getSession().getAttribute("login") == true){
                response.sendRedirect("/jsf/car/home.xhtml");     //After login page
            }
        } else if(request.getSession().getAttribute("login") == null && !request.getRequestURI().equals("/j_spring_security_logout")){
            response.sendRedirect(request.getContextPath()+"/?timeout=true");   //If timeout is true send session timeout error message to JSP
        }
        filterChain.doFilter(request, response);
    } catch (Exception e) {
        //Log Exception

    }
}

1 个答案:

答案 0 :(得分:5)

"/" (首页)请求和 logout 请求添加以下代码。

@Controller
public class LoginController {

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public ModelAndView loadApp(HttpServletRequest request) {
        HttpSession session= request.getSession(false);
        SecurityContextHolder.clearContext();
        if(session != null) {
            session.invalidate();
        }

        return new ModelAndView("/car/login");
    }
}

使用此过滤器How to get session time out message using Spring security