I want to limit the number of sessions per user.

This is the sample config I use (got it here):

<http>
  <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
  <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />

  <session-management session-authentication-strategy-ref="sas"/>
</http>

<beans:bean id="concurrencyFilter"
   class="org.springframework.security.web.session.ConcurrentSessionFilter">
  <beans:property name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="expiredUrl" value="/session-expired.htm" />
</beans:bean>

<beans:bean id="myAuthFilter" class=
   "org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <beans:property name="sessionAuthenticationStrategy" ref="sas" />
  <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<beans:bean id="sas" class=
 "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
  <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="maximumSessions" value="1" />
</beans:bean>

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

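I'm not getting any errors, and I can see the SessionRegistry. But even though the maximumSessions value is 1, I can create 2 sessions for one user (I used different browsers for this).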

The following property did not cause any exception either: <beans:property name="exceptionIfMaximumExceeded" value="true" />. I also tried overriding equals() and hashCode() for the UserDetails implementation (as suggested here).

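Why can I log in twice for one user with this maximumSessions value? Should I limit the number of sessions some other way? Any advice would be appreciated, thanks in advance.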

1 Answer

My bad, I didn't correctly override equals method with EqualsBuilder. As it's shown here, I had .appendSuper(super.equals(obj)) line before actually needed comparisons, so even the same user details were different. Without this line everything's fine and I can't log in twice.

Answered 2012-12-09T09:45:23.403
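The effect described in the answer, as an added example that is not part of the original post or of Spring Security's code: concurrent-session control counts sessions per principal object, so a principal whose equals() includes an identity check never matches the principal created by an earlier login. `BrokenUser`, `FixedUser`, `login` and the map-based registry are hypothetical stand-ins, and `super.equals(obj)` is written out in plain Java in place of `EqualsBuilder.appendSuper(...)`; with `BrokenUser` both logins are accepted, with `FixedUser` the second one is rejected.

```java
import java.util.*;

public class PrincipalEqualityDemo {
    // Hypothetical principal whose equals() mirrors .appendSuper(super.equals(obj)):
    // the superclass is Object, so super.equals() only succeeds for the same instance.
    static class BrokenUser {
        final String username;
        BrokenUser(String username) { this.username = username; }
        @Override public boolean equals(Object obj) {
            if (!(obj instanceof BrokenUser)) return false;
            return super.equals(obj) && username.equals(((BrokenUser) obj).username);
        }
        @Override public int hashCode() { return username.hashCode(); }
    }

    // Same principal with the identity check removed: equality depends on username only.
    static class FixedUser {
        final String username;
        FixedUser(String username) { this.username = username; }
        @Override public boolean equals(Object obj) {
            if (!(obj instanceof FixedUser)) return false;
            return username.equals(((FixedUser) obj).username);
        }
        @Override public int hashCode() { return username.hashCode(); }
    }

    static final int MAXIMUM_SESSIONS = 1;

    // Simplified stand-in for a session registry: session ids grouped by principal.
    // Returns false when the principal already holds MAXIMUM_SESSIONS sessions.
    static boolean login(Map<Object, Set<String>> registry, Object principal, String sessionId) {
        Set<String> sessions = registry.computeIfAbsent(principal, p -> new HashSet<>());
        if (sessions.size() >= MAXIMUM_SESSIONS) return false;
        sessions.add(sessionId);
        return true;
    }

    public static void main(String[] args) {
        Map<Object, Set<String>> registry = new HashMap<>();
        // Every login builds a fresh principal object (constructed sample data).
        login(registry, new BrokenUser("alice"), "browser-1");
        System.out.println("broken equals, second login accepted: "
                + login(registry, new BrokenUser("alice"), "browser-2"));
        login(registry, new FixedUser("bob"), "browser-1");
        System.out.println("fixed equals, second login accepted: "
                + login(registry, new FixedUser("bob"), "browser-2"));
    }
}
```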