为什么Spring 3 Security登录只能运行一次,直到服务器重新启动?

时间:2011-10-25 10:00:52

标签: spring spring-security

在部署Spring安全应用程序后第一次登录时,一切都像魅力一样。但是在第一次注销后,我再也无法登录,直到服务重新启动!此外,似乎登录成功,因为我可以看到在hibernate sql-log中加载用户数据。

这里是相关的代码片段: 的applicationContext-security.xml文件:

<global-method-security pre-post-annotations="enabled" />
<http auto-config="true" use-expressions="true" security="none" pattern="/bookmark/add" />

<http auto-config="true"
      use-expressions="true"
      access-denied-page="/user/login"
      disable-url-rewriting="true">
    <intercept-url pattern="/dashboard/**" access="isAuthenticated()" />
    <intercept-url pattern="/user/**" access="permitAll" />
    <intercept-url pattern="/**" access="permitAll" />

    <form-login
            default-target-url="/dashboard"
            login-page="/user/login"
            login-processing-url="/user/doLogin"
            authentication-failure-url="/user/login/error"
            username-parameter="email"
            password-parameter="password" />

    <logout logout-success-url="/user/logout"
            logout-url="/user/doLogout"
            invalidate-session="true"
            delete-cookies="true" />

    <remember-me services-ref="rememberMeServices" key="myfancysalt" />

    <session-management invalid-session-url="/user/login">
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </session-management>
</http>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="loginUserDetailsService">
        <password-encoder ref="passwordEncoder" hash="sha-256">
            <salt-source system-wide="myfancysalt" />
        </password-encoder>
    </authentication-provider>
</authentication-manager>

<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

<beans:bean id="rememberMeFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    <beans:property name="rememberMeServices" ref="rememberMeServices"/>
    <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<beans:bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
    <beans:property name="userDetailsService" ref="loginUserDetailsService"/>
    <beans:property name="key" value="myfancysalt"/>
</beans:bean>

<beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <beans:property name="key" value="myfancysalt"/>
</beans:bean>

的LoginController:

@RequestMapping(value = "login", method = RequestMethod.GET)
public String login(Principal principal) {
    if (principal != null) { // If user is already logged in, redirect him
        return "redirect:/dashboard";
    }
    return "user/login";
}

@RequestMapping(value = {"login/error", "/user/doLogin"})
public ModelAndView processLogin(Principal principal) {
    if (principal != null) { // If user is already logged in, redirect him
        return new ModelAndView("redirect:/dashboard", null);
    }
    HashMap map = new HashMap();
    map.put("error", true);

    return new ModelAndView("user/login", map);
}

@RequestMapping(value = "logout")
public ModelAndView logout() {
    return new ModelAndView("user/logout");
}

存在web.xml中必要的过滤器。

非常感谢任何帮助!

###编辑###

问题在于并发会话限制。从applicationcontext-security.xml中删除了以下部分后,一切正常。有人能告诉我它有什么问题吗? (我只是从一些howto中复制/粘贴)。

<session-management invalid-session-url="/user/login">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>

1 个答案:

答案 0 :(得分:0)

您可以尝试:

principal == null
在您退出之前

相关问题
最新问题