
您好我正在使用 Spring Security 3.0.5 和 Spring Framework 3.0.6。我已经按照文档配置了并发。它不工作。我从浏览器会话登录到应用程序,然后尝试从同一浏览器中的另一个选项卡再次登录 - 它让我登录而不是拒绝尝试。

这是我的安全配置文件:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 3.0 namespace configuration.

  Wires up form login with explicit filter beans, one-session-per-user
  concurrency control backed by a SessionRegistryImpl, and an in-memory
  user store whose passwords are compared through an MD5 encoder.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- ===== Filter chain ===== -->
  <http auto-config="false"
        use-expressions="true"
        access-denied-page="/jsp/accessDenied.jsp"
        entry-point-ref="authenticationEntryPoint">

    <!-- filters="none" takes /login.jsp out of the security filter chain altogether;
         every other URL requires ROLE_USER. -->
    <intercept-url pattern="/login.jsp" filters="none"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>

    <logout invalidate-session="true"
            logout-url="/logout.htm"
            logout-success-url="/login.jsp?loggedout=true"/>

    <!-- The namespace defaults at these two positions are replaced by the beans
         below, so the concurrency-aware strategy is applied at login time. -->
    <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
    <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>

    <!-- Same strategy bean that the form-login filter uses. -->
    <session-management session-authentication-strategy-ref="sas"/>
  </http>

  <!-- ===== Authentication filter and its handlers ===== -->
  <beans:bean id="authenticationFilter"
              class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="sessionAuthenticationStrategy" ref="sas"/>
    <beans:property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler"/>
    <beans:property name="authenticationFailureHandler" ref="customAuthenticationFailureHandler"/>
  </beans:bean>

  <beans:bean id="customAuthenticationSuccessHandler"
              class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/index.jsp"/>
  </beans:bean>

  <beans:bean id="customAuthenticationFailureHandler"
              class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/login.jsp?authfailed=true"/>
  </beans:bean>

  <!-- Unauthenticated requests are sent to the login form. -->
  <beans:bean id="authenticationEntryPoint"
              class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/login.jsp"/>
  </beans:bean>

  <!-- ===== Session concurrency control ===== -->

  <!-- Redirects requests arriving on a session the registry has marked expired.
       The registry is kept accurate by the HttpSessionEventPublisher listener
       registered in web.xml. -->
  <beans:bean id="concurrencyFilter"
              class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry"/>
    <beans:property name="expiredUrl" value="/login.jsp?loggedout=true"/>
  </beans:bean>

  <!-- maximumSessions=1 with exceptionIfMaximumExceeded left at its default:
       a login that exceeds the limit is still allowed and the *earlier* session
       is expired instead. Setting exceptionIfMaximumExceeded="true" rejects the
       new login, at the cost that an abandoned (not logged-out) session blocks
       re-login until it times out on the server.
       NOTE(review): tabs of one browser normally share a single session cookie,
       so a second login from another tab of the same browser is the same
       HttpSession and does not count as a concurrent session - verify with a
       second browser or profile. -->
  <beans:bean id="sas"
              class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
    <beans:property name="maximumSessions" value="1"/>
  </beans:bean>

  <beans:bean id="sessionRegistry"
              class="org.springframework.security.core.session.SessionRegistryImpl"/>

  <!-- ===== Authentication manager and user store ===== -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService">
      <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
  </authentication-manager>

  <!-- NOTE(review): unsalted MD5 is not suitable for password storage. No salt
       source is configured here, so equal passwords yield equal digests and
       digests of common values are recoverable from precomputed tables. Prefer a
       salted, adaptive encoder once the stored digests can be regenerated. -->
  <beans:bean id="passwordEncoder"
              class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>

  <!-- In-memory users; the password attribute holds the digest compared by
       passwordEncoder. ROLE_ADMIN is granted but not referenced by any
       intercept-url above. -->
  <user-service id="userDetailsService">
    <user name="username"
          password="ee11cbb19052e40b07aac0ca060c23ee"
          authorities="ROLE_USER, ROLE_ADMIN"/>
    <user name="test"
          password="21232f297a57a5a743894a0e4a801fc3"
          authorities="ROLE_USER"/>
  </user-service>

</beans:beans>

这是我的 web.xml

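<?xml version="1.0" encoding="UTF-8"?>
<!--
  Servlet 3.0 deployment descriptor.

  Loads the security application context at startup, publishes HTTP session
  lifecycle events to Spring Security, routes every request through the
  springSecurityFilterChain bean, and maps *.htm to a DispatcherServlet.

  Fixes applied: the text of <param-value> and <listener-class> no longer
  carries a trailing newline/indent (whitespace inside text content is data,
  and how strictly containers trim it varies), and indentation is uniform.
-->
<web-app version="3.0"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

  <display-name>Spring security web application (series)</display-name>

  <!-- Root application context; the file name must match the one that holds
       the <http> configuration. -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext-security.xml</param-value>
  </context-param>

  <!-- Loads the root application context of this web app at startup. The
       context is then available via
       WebApplicationContextUtils.getWebApplicationContext(servletContext). -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- Forwards session created/destroyed events to Spring Security so the
       session registry used by concurrency control stays accurate. -->
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>

  <!-- The filter name is the id of the Spring bean the proxy delegates to. -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <!-- No <dispatcher> element: per the servlet spec only REQUEST dispatches
       are filtered, not FORWARD/INCLUDE/ERROR. Mapping to /* means the
       security chain sees /logout.htm before the servlet mapping below does. -->
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- By default this servlet reads its own context from
       /WEB-INF/springsecuritywebapp-servlet.xml (not shown on this page). -->
  <servlet>
    <servlet-name>springsecuritywebapp</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>springsecuritywebapp</servlet-name>
    <url-pattern>*.htm</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

</web-app>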

问候, 纳齐尔




在 `org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy` 的 bean 定义中添加 `<beans:property name="exceptionIfMaximumExceeded" value="true" />`。这样一旦超出允许的会话数,它就会抛出异常。

这会产生一个副作用。假设用户在浏览器中登录,然后关闭了浏览器(会话数据随之被清除)。此时该用户必须等到服务器端的会话过期之后才能再次登录。除非您有明确的这类要求,否则我更倾向于保留您现有的配置。

于 2012-04-10T03:15:45.147 回答