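I have declared the following in a Spring Boot-based open source core banking solution (Fineract) to limit the number of concurrent sessions per user to 1. My WebSecurity.java file is as follows: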
```java
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry());
    }

    // Work around https://jira.spring.io/browse/SEC-2855
    @Bean
    public SessionRegistry sessionRegistry() {
        SessionRegistry sessionRegistry = new SessionRegistryImpl();
        return sessionRegistry;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("mifos").password("password").roles("USER");
    }

    // Register HttpSessionEventPublisher
    @Bean
    public static ServletListenerRegistrationBean httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
    }
}
```
SecurityWebApplicationInitializer.java is as follows:
```java
public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {

    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { WebSecurityConfig.class };
    }
}
```
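However, I am still able to log in to the system with multiple private browser windows open. My assumption is that the problem is either that the SpringSecurityFilterChain is not registered with the war, or in the way I am chaining the functions on the HttpSecurity object. Since I have not declared a custom login form or defined any expired-URL page, I had to edit the steps shown at the following link: https://github.com/spring-projects/spring-boot/issues/1537. Any leads on how to diagnose this issue? Thanks in advance.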
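
One way to narrow down the two suspicions in the question, as an added example that is not part of the original post or of Fineract: a listener that logs what the `SessionRegistry` bean actually tracks whenever an HTTP session or authentication event is published. The class name `SessionRegistryProbe` is hypothetical, and the sketch assumes the class is picked up by component scanning and that commons-logging (shipped with Spring) is on the classpath.

```java
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.session.HttpSessionCreatedEvent;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;
import org.springframework.stereotype.Component;

// Hypothetical diagnostic bean (class name is an assumption); remove once the cause is found.
@Component
public class SessionRegistryProbe implements ApplicationListener<ApplicationEvent> {

    private static final Log LOG = LogFactory.getLog(SessionRegistryProbe.class);

    @Autowired
    private SessionRegistry sessionRegistry; // the bean declared in WebSecurityConfig

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        boolean sessionEvent = event instanceof HttpSessionCreatedEvent
                || event instanceof HttpSessionDestroyedEvent;
        if (!sessionEvent && !(event instanceof AbstractAuthenticationEvent)) {
            return; // ignore unrelated application events
        }
        LOG.info("event=" + event.getClass().getSimpleName()
                + " trackedPrincipals=" + sessionRegistry.getAllPrincipals().size());
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            StringBuilder ids = new StringBuilder();
            // false = skip sessions the registry has already marked expired
            for (SessionInformation info : sessionRegistry.getAllSessions(principal, false)) {
                String id = info.getSessionId();
                // log only a prefix: a full session id in a log file is a usable credential
                ids.append(id, 0, Math.min(6, id.length())).append("... ");
            }
            // identityHashCode exposes one user registered under two unequal principal objects
            LOG.info("  principal=" + principal.getClass().getSimpleName() + "@"
                    + System.identityHashCode(principal) + " sessions=[" + ids.toString().trim() + "]");
        }
    }
}
```

If a login in the browser leaves `trackedPrincipals` at 0, the login never reached the session-registration step of this filter chain, so `maximumSessions(1)` has nothing to count. If the same user shows up under two different principal entries, the principal class's `equals`/`hashCode` is the place to look.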