Java 在spring security 3.1上限制为1后会话仍处于活动状态
因此,我使用了SpringSecurity3.1,并将并发性设置为max sessions=1和exceptionifmaximumextered=“true”,它工作正常。当我尝试使用第二个浏览器登录时,它会给我一个异常 现在,我希望当我使用第二个浏览器登录时,它允许我登录并过期/关闭上一个会话(第一个浏览器)。我将“ExceptionIFMaximumExcepended”更改为false,它只允许我使用第二个浏览器登录,但当我转到第一个浏览器时,我仍然能够在不同的页面上移动 我有以下文件 LoginController.javaJava 在spring security 3.1上限制为1后会话仍处于活动状态,java,spring,spring-security,spring-session,Java,Spring,Spring Security,Spring Session,因此,我使用了SpringSecurity3.1,并将并发性设置为max sessions=1和exceptionifmaximumextered=“true”,它工作正常。当我尝试使用第二个浏览器登录时,它会给我一个异常 现在,我希望当我使用第二个浏览器登录时,它允许我登录并过期/关闭上一个会话(第一个浏览器)。我将“ExceptionIFMaximumExcepended”更改为false,它只允许我使用第二个浏览器登录,但当我转到第一个浏览器时,我仍然能够在不同的页面上移动 我有以下文件
...
@Inject
@Qualifier("sas")
private SessionAuthenticationStrategy sessionAuthenticationStrategy;
...
@RequestMapping
public String show(Map<String, Object> model, HttpServletRequest request, HttpServletResponse response)
{
// clear any session data before asking for login credentials
HttpSession session = request.getSession(false);
if (session != null)
session.invalidate();
...
try{
...
sessionAuthenticationStrategy.onAuthentication(result, request, response);
...}catch(Exception ex){...}
}
看起来它会使上一个会话(浏览器1)过期,但当我转到浏览器1时,它就像什么都没发生一样工作(我曾经尝试过调试,但会话没有说任何关于过期的内容)
登录前端是自定义的(我甚至不确定非自定义的是什么样子!)
大部分(如果不是全部的话)配置都是通过xml文件完成的
谢谢
<http use-expressions="true">
<access-denied-handler error-page="/login.page" />
<intercept-url pattern="/login.page" access="permitAll" />
<intercept-url pattern="/*.page" access="isAuthenticated()" />
<intercept-url pattern="/*.json" access="isAuthenticated()" />
<form-login login-page="/login.page" authentication-failure-url="/login.page" />
<logout logout-url="/logout" logout-success-url="/login.page" invalidate-session="true" />
<session-management session-authentication-strategy-ref="sas" />
<session-management>
<concurrency-control expired-url="/login.page?expired" />
</session-management>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref='ApplicationAuthenticationProvider'>
<password-encoder hash="sha-256" />
</authentication-provider>
</authentication-manager>
<beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:constructor-arg name="expiredUrl" value="/login.page?expired" />
</beans:bean>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<beans:bean id="sessionFixation" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<beans:property name="migrateSessionAttributes" value="false" />
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
<beans:property name="exceptionIfMaximumExceeded" value="false" />
<beans:property name="alwaysCreateSession" value="true" />
<beans:property name="migrateSessionAttributes" value="false" />
</beans:bean>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
<!-- Session Information Proxy -->
<bean id="SessionModel" class="com.objectwave.session.SessionModelImpl" scope="session">
<!-- this next element effects the proxying of the surrounding bean -->
<aop:scoped-proxy proxy-target-class="false" />
</bean>
sessionAuthenticationStrategy.onAuthentication(result, request, response);