I am developing a Spring MVC application in which I use Spring Security for authentication and authorization. In one of the features we send users an invitation to join the application. When the user clicks the link in the email, I log the user in from the backend.
If a user is already logged in, the old user's session is not removed. I have already set newSession in the XML, but that did not help either. The result is that I have 2 users logged in in the same browser. Any ideas? Thanks.
security-application-context.xml code:
<security:http pattern="/resources/**" security="none"/>
<security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true">
    <security:form-login login-page="/login" username-parameter="j_username" password-parameter="j_password"
                         login-processing-url="/j_spring_security_check" default-target-url="/canvaslisting"
                         always-use-default-target="false" authentication-failure-url="/login?error=auth"/>
    <security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService"
                          token-validity-seconds="1209600" data-source-ref="dataSource"/>
    <security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/>
    <security:intercept-url pattern="/**" requires-channel="https"/>
    <security:port-mappings>
        <security:port-mapping http="80" https="443"/>
    </security:port-mappings>
    <security:logout logout-url="/logout" logout-success-url="/" success-handler-ref="myLogoutHandler"/>
    <security:session-management session-fixation-protection="migrateSession">
        <security:concurrency-control session-registry-ref="sessionReg" max-sessions="5" expired-url="/login"/>
    </security:session-management>
</security:http>
<beans:bean id="sessionReg" class="org.springframework.security.core.session.SessionRegistryImpl"/>
Controller code:
@RequestMapping(value = "/activatemembership/{token}")
public String activateMembershipForExistingUser(@PathVariable("token") String token) {
    boolean val = this.groupMembersService.activateMembers(token, true);
    // Assumed targets: the default target URL from the XML on success, the login page otherwise.
    return val ? "redirect:/canvaslisting" : "redirect:/login?error=activation";
}
Service layer code:
// Logout is true when clicked from email.
@Override
public boolean activateMembers(String token, boolean logout) {
    try {
        String[] parts = token.split(TOKEN_SEPARATOR);
        String username = parts[0].toLowerCase();
        Long groupAccountId = Long.valueOf(parts[2]);
        GroupAccount groupAccount = this.groupAccountService.getGroupObjectOnlyById(groupAccountId);
        Person person = this.personService.findPersonByUsername(username);
        if (logout) {
            Person loggedInUser = this.personService.getCurrentlyAuthenticatedUser();
            if (loggedInUser != null) {
                loggedInUser.setOnlineStatus(null);
                this.personService.directPersonUpdate(loggedInUser);
                // Only clears the thread-local SecurityContext; the HttpSession and the
                // session registry still hold the old user.
                SecurityContextHolder.getContext().setAuthentication(null);
            }
        }
        // Other service layer code
        if (logout) {
            Collection<GrantedAuthority> authorities = new ArrayList<>();
            authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
            Authentication authentication = new UsernamePasswordAuthenticationToken(person, null, authorities);
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
        return true;
    } catch (RuntimeException e) {
        return false;
    }
}
Any ideas? Thanks.
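The code above only replaces the Authentication inside the thread-local SecurityContextHolder. The old user's HttpSession is never invalidated and the concurrency-control registry (the sessionReg bean) still lists the old principal, so from Spring Security's point of view the old login remains active alongside the new one. The helper below is an added example, not code from the question or from Spring Security's own samples: it tears the existing login down the way the logout filter does, starts a fresh session, and registers the invited user with the session registry. The class name InvitationLoginHandler is hypothetical, and it assumes the controller passes HttpServletRequest and HttpServletResponse down to it and that the sessionReg bean from the XML is injected.

```java
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Hypothetical helper (added example); wire it as a bean and inject the "sessionReg" registry.
public class InvitationLoginHandler {

    private final SessionRegistry sessionRegistry;
    // Same handler the <security:logout> element uses: invalidates the session and clears the context.
    private final SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();

    public InvitationLoginHandler(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Replaces whoever is currently logged in on this browser with {@code principal}
     * and returns the Authentication that is active afterwards.
     */
    public Authentication switchUser(HttpServletRequest request, HttpServletResponse response,
                                     Object principal,
                                     Collection<? extends GrantedAuthority> authorities) {
        // Step 1: remove the old session from concurrency control so it no longer counts
        // toward max-sessions and is not reported as an active session of the old user.
        HttpSession oldSession = request.getSession(false);
        if (oldSession != null) {
            sessionRegistry.removeSessionInformation(oldSession.getId());
        }

        // Step 2: invalidate the HttpSession and clear the SecurityContextHolder.
        // setAuthentication(null) alone leaves the old session (and its stored context) alive.
        Authentication previous = SecurityContextHolder.getContext().getAuthentication();
        logoutHandler.logout(request, response, previous);

        // Step 3: start a brand-new session for the invited user (the effect of
        // session-fixation-protection="newSession") and log the user in.
        HttpSession newSession = request.getSession(true);
        Authentication auth = new UsernamePasswordAuthenticationToken(principal, null, authorities);
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);
        // Store the context in the new session explicitly, under the key the
        // HttpSessionSecurityContextRepository reads on the next request.
        newSession.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);

        // Step 4: tell concurrency control about the new session so max-sessions applies to it.
        sessionRegistry.registerNewSession(newSession.getId(), principal);
        return auth;
    }
}

// Usage from the service layer in the question, with request/response handed down by the controller
// (assumed wiring):
//   Authentication auth = invitationLoginHandler.switchUser(request, response, person,
//           Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
```

Two caveats when using this. First, the XML also enables remember-me: if the previously logged-in user has a remember-me cookie, clearing the session alone is not enough, because the remember-me filter will re-authenticate that user on the next request, so the remember-me services' own logout handling must run as well (the logout filter does this automatically; a manual switch must do it too). Second, the check whether the user is allowed to be switched (that the token is valid and unexpired, and that it belongs to the invited account) should happen before step 1, so a bad link never logs the current user out.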