Spring security Spring安全性处理并发异常_Spring Security

Spring security Spring安全性处理并发异常

spring-security

Spring security Spring安全性处理并发异常,spring-security,Spring Security,我使用的是SpringSecurity 3.0.7。下面是我的安全配置文件： <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="ht

我使用的是SpringSecurity 3.0.7。下面是我的安全配置文件：

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<http auto-config="false" use-expressions="true"
    access-denied-page="/nazir/auth/denied"
    entry-point-ref="authenticationEntryPoint">
    <intercept-url pattern="/nazir/auth/login" access="permitAll"/>
    <intercept-url pattern="/nazir/main/admin" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/nazir/main/common" access="hasRole('ROLE_USER')"/>

    <logout invalidate-session="true" logout-url="/nazir/auth/logout"
    logout-success-url="/nazir/auth/login"/>
    <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
    <custom-filter ref="concurrencyFilter"    position="CONCURRENT_SESSION_FILTER"/>
    <session-management session-authentication-strategy-ref="sas"/>
</http>

<beans:bean id="authenticationFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="sessionAuthenticationStrategy" ref="sas"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="authenticationFailureHandler" ref="customAuthenticationFailureHandler"/>
    <beans:property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler"/>
</beans:bean>
<beans:bean id="customAuthenticationFailureHandler1"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/nazir/auth/login"/> 
</beans:bean>
<beans:bean id="customAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/nazir/main/common" />
</beans:bean>
<beans:bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/nazir/auth/login"/>
</beans:bean>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder ref="passwordEncoder"/>
    </authentication-provider> 
</authentication-manager> 

<beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
        id="passwordEncoder"/>

<user-service id="userDetailsService">
    <user name="username" password="ee11cbb19052e40b07aac0ca060c23ee"
        authorities="ROLE_USER, ROLE_ADMIN" />
    <user name="test" password="21232f297a57a5a743894a0e4a801fc3"
        authorities="ROLE_USER" /> 
</user-service> 

<beans:bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry"/>
    <beans:property name="expiredUrl" value="/nazir/auth/session-expired" />
</beans:bean> 

<beans:bean id="sas"      
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:property name="maximumSessions" value="1" />
    <beans:property name="exceptionIfMaximumExceeded" value="true" />
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</beans:bean>

<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />  

<beans:bean id="customAuthenticationFailureHandler" 
        class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler" >
    <beans:property name="exceptionMappings">
        <beans:props>
            <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/nazir/auth/login?error=resetPassword</beans:prop>
            <beans:prop key="org.springframework.security.authentication.BadCredentialsException">/nazir/auth/login?error=BadCredentials</beans:prop>
            <beans:prop key="org.springframework.security.authentication.AccountExpiredException">/nazir/auth/login?error=AccountExpired</beans:prop>
            <beans:prop key="org.springframework.security.authentication.AccountStatusException">/nazir/auth/login?error=AccountStatus</beans:prop>
            <beans:prop key="org.springframework.security.authentication.AuthenticationCredentialsNotFoundException">/nazir/auth/login?error=AuthenticationCredentialsNotFound</beans:prop>
            <beans:prop key="org.springframework.security.authentication.AuthenticationServiceException">/nazir/auth/login?error=AuthenticationService</beans:prop>
            <beans:prop key="org.springframework.security.authentication.DisabledException">/nazir/auth/login?error=Disabled</beans:prop>
            <beans:prop key="org.springframework.security.authentication.InsufficientAuthenticationException">/nazir/auth/login?error=InsufficientAuthentication</beans:prop>
            <beans:prop key="org.springframework.security.authentication.LockedException">/nazir/auth/login?error=Locked</beans:prop>
            <beans:prop key="org.springframework.security.authentication.ProviderNotFoundException">/nazir/auth/login?error=ProviderNotFound</beans:prop>
            <beans:prop key="org.springframework.security.authentication.SessionAuthenticationException">/nazir/auth/login?error=SessionAuthenticationException</beans:prop>
        </beans:props>
    </beans:property>
</beans:bean>


/nazir/auth/login？错误=重置密码
/nazir/auth/login？错误=BadCredentials
/nazir/auth/login？错误=AccountExpired
/nazir/auth/login？错误=AccountStatus
/nazir/auth/login？错误=AuthenticationCredentialsNotFound
/nazir/auth/login？错误=AuthenticationService
/nazir/auth/login？错误=已禁用
/nazir/auth/login？错误=身份验证不足
/nazir/auth/login？错误=已锁定
/nazir/auth/login？错误=ProviderNotFound
/nazir/auth/login？错误=SessionAuthenticationException

问题（帮助）：如何通过我的

customAuthenticationFailureHandler

过滤器路由SessionAuthenticationException？在上面的场景中，除了SessionAuthenticationException（正在通过401路由）之外，所有异常都得到了很好的处理。如果我使用

org.springframework.security.web.authentication.SimpleRuThenticationFailureHandler

而不是

org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler

问候,，

Nazir已解决…我在我的

customAuthenticationFailureHandlerbean配置中添加了以下属性：
已解决…我在customAuthenticationFailureHandler
bean配置中添加了以下属性：
你能解释清楚一点吗“当我没有使用customAuthenticationFailureHandler时，它通过customAuthenticationFailureHandler正确路由！“抱歉，我让您的通信等待响应的时间有点太长；我已更新了我的问题。已解决…我在customAuthenticationFailureHandler bean配置中添加了以下属性：您能解释清楚一点吗？”当我没有使用customAuthenticationFailureHandler时，它被正确地路由到customAuthenticationFailureHandler！“抱歉，我让您的通信等待响应的时间有点太长；我已更新了我的问题。已解决…我在customAuthenticationFailureHandler bean配置中添加了以下属性：