
I have the following in my applicationContext-security.xml:

<session-management session-authentication-error-url="/genesis">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/genesis?sessionExpired=true"/>
</session-management>

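This limits a user to a single session. However, I now have a requirement that one account must be allowed multiple sessions, while all other accounts are still restricted to a single session.

Any suggestions on how to achieve this?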


2 Answers

2

Override the default concurrency filter. Skip the processing for your special user:

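import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.session.ConcurrentSessionFilter;

public class CustomConcurrentSessionFilter extends ConcurrentSessionFilter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Exempt user: skip the concurrency check but keep the request moving down the chain.
        if (auth != null && "bob".equals(auth.getName())) {
            chain.doFilter(req, res);
            return;
        }
        super.doFilter(req, res, chain);
    }
}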

Replace the default filter with the custom filter in the configuration:

<security:http ... >
    <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="customConcurrentSessionFilter"/>
</security:http>

<bean id="customConcurrentSessionFilter" class="com.domain.CustomConcurrentSessionFilter"/>
answered 2013-01-18T10:34:55.087
0

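(I'm expanding my comment here to provide a more complete solution to this problem.)

Simply override getMaximumSessionsForThisUser() in a ConcurrentSessionFilter subclass (below I'm using com.example.CustomConcurrentSessionFilter) and add to the XML configuration: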

  • a SessionAuthenticationStrategy bean (with id "sas"),
  • <session-management session-authentication-strategy-ref="sas" /> to <http>,
  • <bean:property name="sessionAuthenticationStrategy" ref="sas" /> to your UsernamePasswordAuthenticationFilter.

The complete setup should look similar to the one shown in the docs:

<http>
  <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
  <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />

  <session-management session-authentication-error-url="/genesis"
      session-authentication-strategy-ref="sas"/>
</http>

<beans:bean id="concurrencyFilter"
   class="com.example.CustomConcurrentSessionFilter">
  <beans:property name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="expiredUrl" value="/genesis?sessionExpired=true" />
</beans:bean>

<beans:bean id="myAuthFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <beans:property name="sessionAuthenticationStrategy" ref="sas" />
  <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<beans:bean id="sas"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
  <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="exceptionIfMaximumExceeded" value="true" />
  <beans:property name="maximumSessions" value="1" />
</beans:bean>

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />
answered 2013-03-26T11:45:08.987
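
An added example, not part of either answer or of Spring Security itself: in Spring Security 3.x, `getMaximumSessionsForThisUser(Authentication)` is a protected method of `ConcurrentSessionControlStrategy`, the class behind the `sas` bean above, so a per-account limit can be set by subclassing it. The class name `PerUserSessionControlStrategy` and the properties `exemptUsernames` and `exemptMaximumSessions` are hypothetical.

```java
package com.example; // hypothetical package, matching the answers' placeholder

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;

/** Hypothetical subclass: a per-account session limit on top of the default maximumSessions. */
public class PerUserSessionControlStrategy extends ConcurrentSessionControlStrategy {

    // Accounts allowed more than the default limit; injected from configuration, not hard-coded.
    private Set<String> exemptUsernames = Collections.emptySet();

    // ConcurrentSessionControlStrategy treats -1 as "unlimited"; a finite cap keeps the control meaningful.
    private int exemptMaximumSessions = 5;

    public PerUserSessionControlStrategy(SessionRegistry sessionRegistry) {
        super(sessionRegistry);
    }

    @Override
    protected int getMaximumSessionsForThisUser(Authentication authentication) {
        // Exact, case-sensitive match on the authenticated principal's name.
        if (authentication != null && exemptUsernames.contains(authentication.getName())) {
            return exemptMaximumSessions;
        }
        // Everyone else keeps the configured maximumSessions (1 in the configuration above).
        return super.getMaximumSessionsForThisUser(authentication);
    }

    public void setExemptUsernames(Set<String> exemptUsernames) {
        // Defensive copy so later changes to the caller's set cannot widen the exemption.
        this.exemptUsernames = Collections.unmodifiableSet(new HashSet<String>(exemptUsernames));
    }

    public void setExemptMaximumSessions(int exemptMaximumSessions) {
        if (exemptMaximumSessions == 0 || exemptMaximumSessions < -1) {
            throw new IllegalArgumentException("must be a positive limit, or -1 for unlimited");
        }
        this.exemptMaximumSessions = exemptMaximumSessions;
    }
}
```

To use it, point the `sas` bean's `class` attribute at this class and set `exemptUsernames`; the rest of the configuration above stays unchanged.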