Spring Security maximum allowed sessions
I'm using Spring Security 3.1.4, and I want to limit the number of sessions per user to 1, but if someone tries to log in, it should close the old session and open a new one (instead of refusing the login). How can I do this?
Edit:
This is what I added to my XML files:
web.xml
com.net.filter.session.SessionListener
SessionListener extends HttpSessionEventPublisher
security.xml
<security:intercept-url pattern="/**"
access="isAuthenticated()" />
<security:session-management>
<security:concurrency-control
max-sessions="1"/>
</security:session-management>
<security:form-login
authentication-success-handler-ref="playerAuthenticationSuccessHandler" />
<security:logout logout-url="/player/logout"
success-handler-ref="playerLogoutSuccessHandler" delete-cookies="JSESSIONID" />
</security:http>
<bean id="bCryptPasswordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<security:authentication-manager>
<security:authentication-provider
ref="authenticationProvider">
</security:authentication-provider>
</security:authentication-manager>
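where playerAuthenticationSuccessHandler, authenticationProvider and playerLogoutSuccessHandler extend the Spring defaults

Did you read it? This is the default behavior if you enable concurrency control. It doesn't actually invalidate the old session, but marks it as unusable until it expires normally.

Thanks, I read it, but I have some questions. I tried it and, as you said, it doesn't invalidate it. Is there an event listener for "marked unusable"? Is there a way to log out the old session?

It doesn't keep a reference to the actual session, only the ID, so it can't invalidate it. If the same ID is used again, the session will be invalidated.

I tried this scenario, but it didn't work as expected: 1. Log in first. 2. Log in from another browser. Now, going to the first browser, I can still do things that I have to be logged in for.

As @LukeTaylor said, the behavior you describe is the default behavior. If you want an exception to be thrown, add error-if-maximum-exceeded="true" to the concurrency-control tag. Next, if you want to show the user a nice page, you can specify the session-authentication-error-url attribute on the session-management tag.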
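The two behaviors discussed above, side by side, as an added example that is not part of the original question or answer. The URLs are hypothetical, and the stock HttpSessionEventPublisher stands in for the asker's own SessionListener subclass; each session-management element goes inside the existing security:http block.

```xml
<!-- web.xml: session lifecycle events must be published so the session
     registry can drop entries for sessions that have ended. The page
     registers its own subclass; the stock Spring Security class is shown. -->
<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- security.xml, variant A (default, what the question asks for):
     the new login succeeds. The older session is marked expired in the
     registry; on its next request the concurrency filter logs it out
     and redirects to expired-url. "/login?expired" is a hypothetical URL
     and must be reachable without authentication. -->
<security:session-management>
  <security:concurrency-control max-sessions="1"
                                expired-url="/login?expired" />
</security:session-management>

<!-- security.xml, variant B: refuse the second login instead.
     session-authentication-error-url (hypothetical value) is used when the
     session limit is hit outside a form login; with form-login, the
     form's authentication failure URL takes precedence. -->
<security:session-management
    session-authentication-error-url="/login?error=sessionLimit">
  <security:concurrency-control max-sessions="1"
                                error-if-maximum-exceeded="true" />
</security:session-management>
```

The registry keys sessions by principal, so a custom principal class returned by the authentication provider needs consistent equals() and hashCode() for the limit to be enforced.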