Spring Security: unable to restrict multiple logins in different browsers


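I am trying to restrict a user from logging in with the same login id in two different browsers at the same time. This is the security context. I am not sure what I am doing wrong here.

Can anyone help? Thanks.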

<security:http auto-config="false" lowercase-comparisons="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter" />
    <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />

    <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/invalidlogin.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/accessdenied.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/logout.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/**.jsp" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" />
    <security:intercept-url pattern="/**.html" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" />
    <security:intercept-url pattern="/**.do" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" />
    <security:intercept-url pattern="/**" filters="none" />

    <security:logout logout-success-url="/logout.jsp" invalidate-session="true" />

    <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </security:session-management>
</security:http>

<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login.jsp" />
</bean>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="myAuthenticationProvider" />
</security:authentication-manager>

<bean id="formLoginFilter" class="com.company.security.myMapUsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
</bean>

<bean id="authenticationSuccessHandler" class="com.company.security.AuthenticationSuccessHandlerImpl">
    <property name="defaultTargetUrl" value="/main.do" />
    <property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>

<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/invalidlogin.jsp" />
</bean>

<bean id="myAuthenticationProvider" class="com.company.security.CustomUserDetailsService">
</bean>

<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry" />
    <property name="expiredUrl" value="/sessionexpired.jsp" />
</bean>

<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

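For this I use ConcurrentSessionControlStrategy.

According to their documentation:

When invoked following an authentication, it will check whether the user in question should be allowed to proceed, by comparing the number of sessions they already have active with the configured maximumSessions value.

To use it, first remove the following lines from your configuration: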

<security:session-management>
    <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>

Then add the following:

<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:property name="maximumSessions" value="1" />
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</beans:bean>

Then add this bean to your login filter:

<bean id="formLoginFilter" class="com.company.security.myMapUsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy" ref="sas"/>
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
</bean>

That should do it.
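
A simplified model of the check described in the documentation quote above, added here as an illustration (not code from the original answer or from Spring Security itself). It shows why the per-user session count only works when the principal class defines equals() and hashCode(): the registry looks sessions up by principal object, so a custom principal without them is counted as a new user on every login. All class and method names are hypothetical.

```java
import java.util.*;

// Simplified model of a per-principal session limit; not Spring Security's own code.
public class ConcurrencyCheckModel {
    // Constructed principal WITHOUT equals/hashCode: every login yields a distinct map key.
    static class IdentityUser {
        final String loginId;
        IdentityUser(String loginId) { this.loginId = loginId; }
    }

    // Constructed principal WITH equals/hashCode based on the login id.
    static class ValueUser extends IdentityUser {
        ValueUser(String loginId) { super(loginId); }
        @Override public boolean equals(Object o) {
            return o instanceof ValueUser && ((ValueUser) o).loginId.equals(loginId);
        }
        @Override public int hashCode() { return loginId.hashCode(); }
    }

    // Stand-in for the session registry: active session ids per principal.
    private final Map<Object, Set<String>> sessionsByPrincipal = new HashMap<>();
    private final int maximumSessions;

    ConcurrencyCheckModel(int maximumSessions) { this.maximumSessions = maximumSessions; }

    // Registers the session and returns true if the login is allowed;
    // returns false when the principal already holds maximumSessions sessions.
    boolean onAuthentication(Object principal, String sessionId) {
        Set<String> active = sessionsByPrincipal.computeIfAbsent(principal, p -> new HashSet<>());
        if (!active.contains(sessionId) && active.size() >= maximumSessions) {
            return false; // plays the role of error-if-maximum-exceeded="true"
        }
        active.add(sessionId);
        return true;
    }

    public static void main(String[] args) {
        // Same login id from two browsers, principal lacks equals/hashCode.
        ConcurrencyCheckModel identityKeyed = new ConcurrencyCheckModel(1);
        System.out.println(identityKeyed.onAuthentication(new IdentityUser("alice"), "browser-A"));
        System.out.println(identityKeyed.onAuthentication(new IdentityUser("alice"), "browser-B"));

        // Same scenario with a principal that compares by login id.
        ConcurrencyCheckModel valueKeyed = new ConcurrencyCheckModel(1);
        System.out.println(valueKeyed.onAuthentication(new ValueUser("alice"), "browser-A"));
        System.out.println(valueKeyed.onAuthentication(new ValueUser("alice"), "browser-B"));
    }
}
```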