4

并发控制的默认行为是使原始会话过期。但是,我想阻止使用相同凭据登录的第二个用户,并显示消息“用户已登录”。我怎样才能做到这一点?

下面是spring-security.xml的配置:

<http auto-config="false" use-expressions="true">
    <intercept-url pattern="/login*" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/userHasLoggedIn" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/j_spring_security_*" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/session*" access="permitAll"
        requires-channel="https" />
    <form-login login-page="/login" authentication-failure-url="/loginFailed" />
    <intercept-url pattern="/**" access="isAuthenticated()"
        requires-channel="https" />
    <session-management invalid-session-url="/sessionExpired" session-authentication-error-url="/loginAlready">
        <concurrency-control error-if-maximum-exceeded="false" expired-url="/userHasLoggedIn" max-sessions="1"/>
    </session-management>
    <logout delete-cookies="JSESSIONID" />
</http>

(更新)我最终的春季安全配置:

<http auto-config="false" use-expressions="true">
        <intercept-url pattern="/login*" access="permitAll"
            requires-channel="https" />
        <form-login default-target-url="/home" login-page="/login" authentication-failure-url="/loginFailed" />
        <intercept-url pattern="/**" access="isFullyAuthenticated()"
            requires-channel="https" />
        <session-management session-authentication-error-url="/loginFailed">
            <concurrency-control expired-url="/loginFailed" error-if-maximum-exceeded="true" max-sessions="1"/>
        </session-management>
        <logout delete-cookies="JSESSIONID" />
    </http>
4

1 回答 1

11

解决方案在文档中

通常您希望阻止第二次登录,在这种情况下您可以使用

<http>
  ...
  <session-management>
      <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
  </session-management>
</http>

第二次登录将被拒绝。authentication-failure-url通过“拒绝”,我们的意思是如果正在使用基于表单的登录,用户将被发送到。如果通过另一种非交互机制进行第二次身份验证,例如“记住我”,则会向客户端发送“未授权”(402)错误。相反,如果您想使用错误页面,则可以将属性添加session-authentication-error-urlsession-management元素。

所以基本上设置error-if-maximum-exceeded"true"删除expired-url属性<concurrency-control>

于 2012-10-20T08:40:57.700 回答