无法在不同浏览器中限制多次登录

时间:2012-03-14 02:50:35

标签: spring-security

我试图限制用户登录到2个不同的浏览器,同时使用相同的loginid。这是安全上下文。我不确定我在这里做错了什么。

有人可以提供帮助吗?感谢。

<security:http auto-config="false" lowercase-comparisons="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter" />
    <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />

    <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/invalidlogin.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/accessdenied.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/logout.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/**.jsp" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" />
    <security:intercept-url pattern="/**.html" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" />
    <security:intercept-url pattern="/**.do" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" />
    <security:intercept-url pattern="/**" filters="none" />

    <security:logout logout-success-url="/logout.jsp" invalidate-session="true" />

    <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </security:session-management>
</security:http>

<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login.jsp" />
</bean>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="myAuthenticationProvider" />
</security:authentication-manager>

<bean id="formLoginFilter" class="com.company.security.myMapUsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
</bean>

<bean id="authenticationSuccessHandler" class="com.company.security.AuthenticationSuccessHandlerImpl">
    <property name="defaultTargetUrl" value="/main.do" />
    <property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>

<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/invalidlogin.jsp" />
</bean>

<bean id="myAuthenticationProvider" class="com.company.security.CustomUserDetailsService">
</bean>

<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry" />
    <property name="expiredUrl" value="/sessionexpired.jsp" />
</bean>

<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

1 个答案:

答案 0 :(得分:0)

我为此使用了ConcurrentSessionControlStrategy。

http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.html

从他们的文件:

  

在身份验证后调用时,它将检查是否应该允许相关用户继续,将已经激活的会话数与已配置的maximumSessions值进行比较

要使用它,首先从配置中删除以下行:

<security:session-management>
    <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>

然后添加以下内容:

<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:property name="maximumSessions" value="1" />
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
 </beans:bean>

然后将此bean添加到您的登录过滤器:

<bean id="formLoginFilter" class="com.company.security.myMapUsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy" ref="sas"/>
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
</bean>

这应该可以做到!