Java: Session still active after limiting to 1 on Spring Security 3.1

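So I am using Spring Security 3.1 and have concurrency set to max-sessions=1 and exceptionIfMaximumExceeded="true", and it works fine. When I try to log in with a second browser, it gives me an exception.

Now, I want it so that when I log in with a second browser, it lets me log in and expires/closes the previous session (the first browser). I changed "exceptionIfMaximumExceeded" to false, and it does let me log in with the second browser, but when I go to the first browser, I am still able to move around different pages.

I have the following files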

LoginController.java

...
    @Inject
    @Qualifier("sas")
    private SessionAuthenticationStrategy sessionAuthenticationStrategy;
...

    @RequestMapping
    public String show(Map<String, Object> model, HttpServletRequest request, HttpServletResponse response)
    {
        // clear any session data before asking for login credentials
        HttpSession session = request.getSession(false);
        if (session != null)
            session.invalidate();
...
        try {
...
            sessionAuthenticationStrategy.onAuthentication(result, request, response);
...
        } catch (Exception ex) {...}
    }
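It looks like it expires the previous session (browser 1), but when I go to browser 1 it works as if nothing had happened (I have tried debugging, but the session says nothing about being expired).

The login front end is custom (I'm not even sure what a non-custom one looks like!)

Most (if not all) of the configuration is done through XML files.

Thanks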

<http use-expressions="true">
        <access-denied-handler error-page="/login.page" />
        <intercept-url pattern="/login.page" access="permitAll" />
        <intercept-url pattern="/*.page" access="isAuthenticated()" />
        <intercept-url pattern="/*.json" access="isAuthenticated()" />

        <form-login login-page="/login.page" authentication-failure-url="/login.page" />
        <logout logout-url="/logout" logout-success-url="/login.page" invalidate-session="true" />
        <session-management session-authentication-strategy-ref="sas" />
        <session-management>
            <concurrency-control expired-url="/login.page?expired" />
        </session-management>
        
    </http>

    
    <authentication-manager alias="authenticationManager">

        <authentication-provider user-service-ref='ApplicationAuthenticationProvider'>
            <password-encoder hash="sha-256" />
        </authentication-provider>

    </authentication-manager>
    <beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <beans:constructor-arg name="expiredUrl" value="/login.page?expired" />
    </beans:bean>

    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
    <beans:bean id="sessionFixation" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
        <beans:property name="migrateSessionAttributes" value="false" />
    </beans:bean>
    
    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
        <beans:property name="exceptionIfMaximumExceeded" value="false" />
        <beans:property name="alwaysCreateSession" value="true" />
        <beans:property name="migrateSessionAttributes" value="false" />
    </beans:bean>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>
          org.springframework.security.web.session.HttpSessionEventPublisher
        </listener-class>
    </listener>
<!-- Session Information Proxy -->
    <bean id="SessionModel" class="com.objectwave.session.SessionModelImpl" scope="session">
        <!-- this next element effects the proxying of the surrounding bean -->
        <aop:scoped-proxy proxy-target-class="false" />
    </bean>
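How the expiry is enforced, as an added example that is not part of the original post: ConcurrentSessionControlStrategy only flags the older session as expired in the SessionRegistry, and a ConcurrentSessionFilter that sits in the filter chain and reads the same registry is what ends that session on its next request. Bean ids, classes and URLs are reused from the configuration above; the custom-filter line and the single session-management element are assumptions about the wiring, which follows the explicit-bean pattern for concurrency control.

```xml
<!-- Added example: explicit wiring of concurrent-session control (Spring Security 3.1 namespace). -->
<http use-expressions="true">
    <intercept-url pattern="/login.page" access="permitAll" />
    <intercept-url pattern="/*.page" access="isAuthenticated()" />
    <form-login login-page="/login.page" authentication-failure-url="/login.page" />

    <!-- Puts the filter bean into the security filter chain. Without this line the
         bean exists in the context but never sees a request, so a session that the
         strategy flagged as expired keeps working. -->
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />

    <!-- One session-management element only; <concurrency-control> is left out
         because the filter and the strategy are declared as beans below. -->
    <session-management session-authentication-strategy-ref="sas" />
</http>

<!-- Single registry instance shared by the strategy (writer) and the filter (reader). -->
<beans:bean id="sessionRegistry"
            class="org.springframework.security.core.session.SessionRegistryImpl" />

<!-- On login: registers the new session and, with exceptionIfMaximumExceeded=false,
     flags the least recently used session of the same principal as expired. -->
<beans:bean id="sas"
            class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="maximumSessions" value="1" />
    <beans:property name="exceptionIfMaximumExceeded" value="false" />
</beans:bean>

<!-- On every request: looks the session id up in the registry; if it is flagged
     expired, logs the user out and redirects to expiredUrl. -->
<beans:bean id="concurrencyFilter"
            class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <beans:constructor-arg name="expiredUrl" value="/login.page?expired" />
</beans:bean>
```

The HttpSessionEventPublisher listener already shown in web.xml stays in place so that the registry drops sessions when the container destroys them.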