Is Spring Security concurrency control overridable?
Tags: spring-security
My applicationContext-security.xml contains:
<session-management session-authentication-error-url="/genesis">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/genesis?sessionExpired=true"/>
</session-management>
This restricts users to a single session. However, I now have a requirement that one account must be allowed multiple sessions, while all other accounts are still limited to a single session.
Any suggestions on how to achieve this?

Override the default concurrent session filter and skip its processing for the special user:
import java.io.IOException;
import javax.servlet.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.session.ConcurrentSessionFilter;

public class CustomConcurrentSessionFilter extends ConcurrentSessionFilter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Skip the concurrency check only for the special account (auth may be null for anonymous requests)
        if (auth != null && "bob".equals(auth.getName())) {
            chain.doFilter(req, res); // continue the chain, otherwise bob's request would never proceed
        } else {
            super.doFilter(req, res, chain);
        }
    }
}
Replace the default filter with the custom one in the configuration:
<security:http ... >
<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="customConcurrentSessionFilter"/>
</security:http>
<bean id="customConcurrentSessionFilter" class="com.domain.CustomConcurrentSessionFilter"/>
Thanks for the quick reply. However, reading the Javadoc for ConcurrentSessionFilter, I'm worried that skipping its execution would miss everything it does. From the API docs, what I'd like to do is override the getMaximumSessionsForThisUser() method of ConcurrentSessionControlStrategy in a custom class and inject that into ConcurrentSessionFilter. Any ideas on how to actually configure that?

Just override getMaximumSessionsForThisUser() in a subclass and add it as the SessionAuthenticationStrategy ("sas") bean in the UsernamePasswordAuthenticationFilter.

+1 for overriding getMaximumSessionsForThisUser() in a CustomSessionAuthenticationStrategy.

Xaerxess - forgive my vagueness, but could you give me an example (or point me to a reference) of how to access/configure the UsernamePasswordAuthenticationFilter?

See the example below:

(I'm expanding my comment here to give a more complete solution to this question.)

Just override getMaximumSessionsForThisUser() in a ConcurrentSessionFilter subclass (below I used com.example.CustomConcurrentSessionFilter) and add it in the XML configuration as the SessionAuthenticationStrategy bean (id "sas") in your UsernamePasswordAuthenticationFilter:
<http>
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
<session-management session-authentication-error-url="/genesis"
session-authentication-strategy-ref="sas"/>
</http>
<beans:bean id="concurrencyFilter"
class="com.example.CustomConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/genesis?sessionExpired=true" />
</beans:bean>
<beans:bean id="myAuthFilter"
class="o.s.s.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="sas"
class="o.s.s.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="exceptionIfMaximumExceeded" value="true" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<beans:bean id="sessionRegistry"
class="o.s.s.core.session.SessionRegistryImpl" />
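The thread settles on overriding getMaximumSessionsForThisUser() rather than bypassing ConcurrentSessionFilter (bypassing it also skips session-expiry handling and registry refresh for that user). The following class is an added example, not code from the original post or from Spring Security itself; the class name CustomConcurrentSessionControlStrategy, the constructor taking an allow-list of account names, and the XML wiring in the comment are assumptions. It keeps the configured limit (1) for every account and returns -1, Spring Security's "unlimited" value, only for the listed accounts, so the sas bean can be declared with this class instead of the base ConcurrentSessionControlStrategy.

```java
package com.example;

import java.util.Collections;
import java.util.Set;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;

/**
 * Added example (hypothetical class, not part of the original post).
 *
 * Per-user override of the concurrent-session limit: accounts in
 * {@code unlimitedUsers} may hold any number of sessions, everyone else
 * keeps the limit set via {@code maximumSessions} (1 in the question).
 *
 * Assumed wiring for the "sas" bean from the answer above:
 *
 *   <beans:bean id="sas" class="com.example.CustomConcurrentSessionControlStrategy">
 *     <beans:constructor-arg ref="sessionRegistry" />
 *     <beans:constructor-arg>
 *       <beans:set><beans:value>bob</beans:value></beans:set>
 *     </beans:constructor-arg>
 *     <beans:property name="exceptionIfMaximumExceeded" value="true" />
 *     <beans:property name="maximumSessions" value="1" />
 *   </beans:bean>
 */
public class CustomConcurrentSessionControlStrategy extends ConcurrentSessionControlStrategy {

    /** Account names exempt from the session limit; constructed from the bean definition. */
    private final Set<String> unlimitedUsers;

    public CustomConcurrentSessionControlStrategy(SessionRegistry sessionRegistry,
                                                  Set<String> unlimitedUsers) {
        super(sessionRegistry);
        this.unlimitedUsers = Collections.unmodifiableSet(unlimitedUsers);
    }

    /**
     * Called by the strategy on every successful authentication to decide how
     * many sessions this principal may hold. -1 means no limit; any other value
     * is compared against the sessions already in the SessionRegistry and, with
     * exceptionIfMaximumExceeded=true, triggers SessionAuthenticationException.
     */
    @Override
    protected int getMaximumSessionsForThisUser(Authentication authentication) {
        if (authentication != null && unlimitedUsers.contains(authentication.getName())) {
            return -1;
        }
        // Everyone else: the configured maximumSessions property
        return super.getMaximumSessionsForThisUser(authentication);
    }
}
```

Because the check lives in the SessionAuthenticationStrategy rather than the filter, the exempt account still passes through ConcurrentSessionFilter on every request, so its sessions remain in the registry and are still expired correctly if they are invalidated elsewhere.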