Spring Security basic configuration

Date: 2011-07-18 20:05:46

Tags: spring spring-mvc spring-security configuration

I want to configure a Spring MVC application with Spring Security in the following way:

  1. Allow only one concurrent login.
  2. When the HTTP session expires, the user is redirected to /security/sessionTimeout.html
  3. When the user logs in successfully, he is redirected to the "/" folder.
  4. When the user logs out, he is also redirected to "/".
  5. I configured it as follows:

        <security:http>
            <security:form-login login-page="/security/login.html" login-processing-url="/login" authentication-failure-url="/login.jsp?login_error=1" default-target-url="/"/>
            <security:session-management invalid-session-url="/security/sessionTimeout.html">
                <security:concurrency-control max-sessions="1" />
            </security:session-management>
            <security:logout logout-url="/logout" logout-success-url="/"/>
        </security:http>
    

I have the following problems:

  1. I can log in with the same account in 2 different browsers (no concurrency control is taking place).
  2. When I click log out, I am redirected to "/security/sessionTimeout.html" instead of "/".
  3. I followed the Spring Security reference guide. What am I doing wrong?

Update: this is what my web.xml looks like.

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>WEB-INF/springSecurity-servlet.xml</param-value>
    </context-param>
    <display-name>SpringSecurity</display-name>
    <servlet>
        <servlet-name>springSecurity</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>springSecurity</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>springSecurity</servlet-name>
        <url-pattern>*.do</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>springSecurity</servlet-name>
        <url-pattern>/index.html</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
      

Update 2: I just ran log4j in debug mode, and this is what I get when I click log out:

    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 1 of 11 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:130) - No HttpSession currently exists
    DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: null. A new one will be created.
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    DEBUG [http-8080-2] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
    DEBUG [http-8080-2] (SessionManagementFilter.java:87) - Requested session IDD8429BBAAA9561A97E1D2350ED63BC35 is invalid.
    DEBUG [http-8080-2] (SessionManagementFilter.java:90) - Starting new session (if required) and redirecting to '/security/sessionTimeout.html'
      

It feels like the session-management filter is being applied on /index.html after no session exists anymore. How can I solve this?

1 answer:

Answer 0 (score: 2)

From the Spring Security documentation:

To use concurrent session support, you need to add the following to web.xml:

    <listener>
      <listener-class>
        org.springframework.security.web.session.HttpSessionEventPublisher
      </listener-class>
    </listener>

Did you add it?
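As an added configuration example (not the asker's or the answer's own config), the following shows the two settings that bear on the behaviour in the question: `error-if-maximum-exceeded` makes a second login fail instead of silently expiring the first session (the default, which is why two browsers can both log in), and clearing the JSESSIONID cookie on logout means the follow-up request to "/" no longer presents the invalidated session id that the log shows SessionManagementFilter rejecting and redirecting to invalid-session-url. It assumes Spring Security 3.1 or later (for `delete-cookies`) and that the HttpSessionEventPublisher listener from web.xml is in place; `/security/expired.html` is a placeholder URL.

```xml
<!-- Added example; assumes Spring Security 3.1+ and the
     HttpSessionEventPublisher listener registered in web.xml. -->
<security:http>
    <security:form-login login-page="/security/login.html"
                         login-processing-url="/login"
                         authentication-failure-url="/security/login.html?login_error=1"
                         default-target-url="/"/>

    <!-- Any request carrying a JSESSIONID that no longer matches a live
         session is sent to invalid-session-url (the timeout page). -->
    <security:session-management invalid-session-url="/security/sessionTimeout.html">
        <!-- max-sessions alone expires the OLDER session on the next request;
             error-if-maximum-exceeded="true" rejects the NEW login instead.
             expired-url is where a request on an expired session is sent. -->
        <security:concurrency-control max-sessions="1"
                                      error-if-maximum-exceeded="true"
                                      expired-url="/security/expired.html"/>
    </security:session-management>

    <!-- Invalidate the session AND drop the cookie, so the redirect to "/"
         does not arrive with a stale session id and get bounced to the
         timeout page as in the debug log above. -->
    <security:logout logout-url="/logout"
                     logout-success-url="/"
                     invalidate-session="true"
                     delete-cookies="JSESSIONID"/>
</security:http>
```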