Spring Security 中的会话管理不起作用


My Spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:p="http://www.springframework.org/schema/p" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security 

            http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Spring Security configuration starts here. -->

    <!-- Enables the expression-based method annotations (@PreAuthorize, @PostAuthorize and related). -->
    <security:global-method-security pre-post-annotations="enabled" />
    <!-- Disabled alternative: <security:global-method-security secured-annotations="enabled" /> -->

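    <!-- Web request security. auto-config="false" means form login is not registered automatically;
         the form-login filter, the concurrent-session filter and SingleEntryFilter are supplied as
         custom filters below, and unauthenticated requests are handed to authenticationEntryPoint.
         NOTE(review): access-denied-page="/access-deniad" looks like a misspelling. Confirm that the
         application really maps this path, otherwise a denied request will not reach an error page. -->
    <security:http auto-config="false" use-expressions="true" access-denied-page="/access-deniad"
            entry-point-ref="authenticationEntryPoint">
        <!-- Rules are evaluated in order and the first matching pattern wins.
             NOTE(review): "/admin" and "/users" match only those exact paths, and "/*" matches a single
             path segment, so a deeper URL such as /admin/anything matches no rule here and is not
             restricted by this block. Confirm that this is intended, or widen the patterns (for example
             "/admin/**") and finish with a catch-all "/**" rule.
             NOTE(review): patterns are matched against the path inside the application. The
             "/RetailEnterpriseSuite" prefix looks like a context path, in which case the first rule
             never matches. Verify against the deployed URL layout. -->
        <security:intercept-url pattern="/RetailEnterpriseSuite/login.do" access="permitAll"  requires-channel="https" />
        <security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
        <!-- <security:intercept-url pattern="/common" access="hasRole('ROLE_USER')"/> -->
        <security:intercept-url pattern="/users" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/*" access="permitAll" requires-channel="any"/>

        <!-- Logout invalidates the HTTP session and then redirects to the login page.
             No logout-url is given, so the namespace default applies
             (/j_spring_security_logout in the 3.0 schema). -->
        <security:logout
                invalidate-session="true"
                logout-success-url="/login.html"/>

        <!--
            Explicit concurrent-session wiring. Because a custom form-login filter replaces the namespace
            one, the same "sas" strategy is given both to authenticationFilter and to session-management,
            and the ConcurrentSessionFilter is registered by hand.
            http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals
        -->
        <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
        <security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
        <security:custom-filter ref="singleEntryFilter" after="FORM_LOGIN_FILTER"/>
        <security:session-management session-authentication-strategy-ref="sas"/>
    </security:http>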



    <!-- Project filter, registered after FORM_LOGIN_FILTER in the http block. Its behaviour is not
         visible in this file; presumably requests for the guardURI entries are sent to redirectURI.
         Confirm against com.stc.res.filter.SingleEntryFilter. -->
    <bean id="singleEntryFilter" class="com.stc.res.filter.SingleEntryFilter">
        <property name="redirectURI" value="/login.html"/>
        <property name="guardURI">
            <list>
                <value>/index.html</value>
            </list>
        </property>
    </bean>
    <!-- Custom form-login filter placed at FORM_LOGIN_FILTER. It receives the same session
         authentication strategy ("sas") as session-management, so the concurrent-session check
         runs on every successful form login. -->
    <bean id="authenticationFilter"
          class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="sessionAuthenticationStrategy" ref="sas"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureHandler" ref="customAuthenticationFailureHandler"/>
        <property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler"/>
    </bean>

    <!-- Failure handler: only the default failure URL is configured. -->
    <bean id="customAuthenticationFailureHandler"
          class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/loginfailed"/>
    </bean>

     <!-- Success handler: only the redirect strategy is replaced, so the page a user lands on after
          login is decided by the project class behind customSuccessRedirStrategy.
          NOTE(review): if that strategy derives the target from request data, confirm that it only
          redirects to application-local URLs. -->
     <bean id="customAuthenticationSuccessHandler"
           class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
           p:redirectStrategy-ref="customSuccessRedirStrategy"/>

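    <!-- Project redirect strategy used by customAuthenticationSuccessHandler.
         The class name is written without surrounding whitespace. -->
    <bean id="customSuccessRedirStrategy" class="com.stc.res.customeredirection.CustomSuccessRedirection"/>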



    <!-- Entry point referenced by entry-point-ref on the http element: when a request needs
         authentication, the user is redirected to the login form URL configured here.
         See Spring-Security Reference 5.4.1 for more info. -->
    <bean id="authenticationEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/login.html"/>
    </bean>

    <!-- Authentication manager with two providers, tried in the order listed. The alias is required
         because authenticationFilter and jdbcAdminUserService refer to it by that name. -->
    <security:authentication-manager alias="authenticationManager">
        <!-- Provider 1: userservice, with passwords checked through passwordEncoder and saltSource. -->
        <security:authentication-provider user-service-ref="userservice">
            <security:password-encoder ref="passwordEncoder">
                <security:salt-source ref="saltSource"/>
            </security:password-encoder>
        </security:authentication-provider>
        <!-- Provider 2: jdbcUserService.
             NOTE(review): no password-encoder is declared for this provider. In Spring Security 3.0 the
             default for such a provider is a plaintext comparison, so confirm how JdbcUserService
             stores passwords and declare an encoder if they are (or should be) hashed. -->
        <security:authentication-provider user-service-ref="jdbcUserService"/>
    </security:authentication-manager>

    <!-- DAO injected into the first user service. -->
    <bean id="userLogindao" class="com.stc.res.dao.UserLoginDao"/>

    <!-- User service behind the first authentication provider. -->
    <bean id="userservice" class="com.stc.res.service.UserLoginService"
          p:usrlogindao-ref="userLogindao"/>

    <!-- JDBC DAO bound to the application dataSource (defined outside this file). -->
    <bean id="custjdbcDao" class="com.stc.res.dao.CustomJdbcDaoImpl"
          p:dataSource-ref="dataSource"/>

    <!-- User service behind the second authentication provider. -->
    <bean id="jdbcUserService" class="com.stc.res.service.JdbcUserService"
          p:customJdbcDao-ref="custjdbcDao"/>


    <!-- Admin user service: receives the dataSource and the aliased authentication manager. -->
    <bean id="jdbcAdminUserService" class="com.stc.res.controller.JdbcAdminUserService"
          p:dataSource-ref="dataSource"
          p:authenticationManager-ref="authenticationManager"/>


    <!-- Password check for the userservice provider: a SHA encoder (the no-argument
         ShaPasswordEncoder uses SHA-1) salted with the value of the user's "username" property.
         NOTE(review): confirm that the stored hashes really are SHA; an MD5 store would need a
         different encoder and every login through this provider would fail.
         NOTE(review): a single SHA-1 round with a predictable per-user salt is weak for password
         storage. Plan a migration to an adaptive hash such as bcrypt. -->
    <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
    <bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource"
          p:userPropertyToUse="username"/>

    <!-- <security:bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.PersistentTokenBasedRememberMeServices"> 
        <property name="tokenRepository" ref="jdbcTokenRepository" /> 
        <property name="userDetailsService" ref="userservice" /> 
        <property name="key" value="springRocks" /> 
        <property name="alwaysRemember" value="false" /> 
   </security:bean>

   Uses a database table to maintain a set of persistent login data 
    <security:bean id="jdbcTokenRepository" class="org.springframework.security.ui.rememberme.JdbcTokenRepositoryImpl"> 
        <property name="createTableOnStartup" value="false" /> 
        <property name="dataSource" ref="dataSource" /> 
    </security:bean> 
   -->


     <!-- An in-memory list of users. No need to access an external database layer.
            See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication -->
     <!-- john's password is admin, while jane;s password is user  -->



    <!-- Filter for concurrent session handling, registered at CONCURRENT_SESSION_FILTER.
         sessionRegistry is the shared registry bean; expiredUrl is the page shown when a request
         arrives on a session that has been marked as expired.
         See: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals -->
    <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <property name="sessionRegistry" ref="sessionRegistry"/>
        <property name="expiredUrl" value="/login.html"/>
    </bean>

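    <!-- Concurrent-session strategy. On each authentication it compares the sessions already
         registered for the principal with maximumSessions, using the SessionRegistry as its data.
         exceptionIfMaximumExceeded="true" rejects the new login once the limit is reached instead of
         expiring the oldest session.
         error-if-maximum-exceeded is an attribute of security:concurrency-control and is not valid on
         a plain bean element; the corresponding bean property is exceptionIfMaximumExceeded.
         NOTE(review): SessionRegistryImpl keys sessions by the principal object, so the UserDetails
         returned by userservice and jdbcUserService must implement equals() and hashCode() (for
         example on username). Otherwise every login looks like a new principal and the limit never
         triggers. Their return types are not visible in this file; verify.
         See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.html -->
    <bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
            p:maximumSessions="1" p:exceptionIfMaximumExceeded="true">
        <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    </bean>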

    <!-- Registry of SessionInformation instances, shared by concurrencyFilter and the "sas" strategy.
         It is kept up to date on session destruction only if HttpSessionEventPublisher is registered
         as a listener in web.xml.
           See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/session/SessionRegistry.html -->
    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> 

</beans>

我在web.xml中配置了:

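<!-- DelegatingFilterProxy hands each request to the bean named after the filter-name,
     here the Spring Security filter chain. It is mapped to every URL for REQUEST and ERROR
     dispatches. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>ERROR</dispatcher>
</filter-mapping>

<!-- Loads the root application context that holds the security beans. -->
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Project filter, applied only to the /MycustomFilter path. -->
<filter>
  <display-name>MycustomFilter</display-name>
  <filter-name>MycustomFilter</filter-name>
  <filter-class>com.stc.res.filter.MycustomFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>MycustomFilter</filter-name>
  <url-pattern>/MycustomFilter</url-pattern>
</filter-mapping>

<!-- Required for concurrent-session control: publishes session created/destroyed events so the
     SessionRegistry drops sessions that have ended. Without it a user who reaches the session
     limit can stay locked out after a session simply times out. -->
<listener>
  <listener-class>
  org.springframework.security.web.session.HttpSessionEventPublisher
  </listener-class>
</listener>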


请告诉我这段代码的问题出在哪里,并给我一些指导。我是 Spring Security 的新手。目前即使没有注销,用户仍然可以从不同的浏览器再次登录。

您是否尝试过官方文档中的这个片段(防止多次登录):


....
到底是什么不起作用?
<security:http ... >

    ....

    <!-- Namespace shortcut for concurrent-session control: at most one session per user, and a
         further login is rejected while that session is active.
         Per the Spring Security reference, this shortcut is for the namespace form-login; with a
         custom authentication filter the support has to be wired explicitly
         (session-authentication-strategy-ref plus a ConcurrentSessionFilter).
         HttpSessionEventPublisher must be registered in web.xml in either case. -->
    <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </security:session-management>        
</security:http>