1

我正在通过 Spring Security 实现对并发会话的控制。

但是,当我通过具有用户的 Chrome 登录系统并在具有相同用户的 FireFox 上登录系统时,不会显示错误消息。我的控制台也不例外。

我的 web.xml :

<!-- ... -->

<listener>
  <listener-class>
    org.springframework.security.web.session.HttpSessionEventPublisher
  </listener-class>
</listener>

<!-- .... -->

我的 security.xml :

  <-- .... -->

   <security:http auto-config="true" use-expressions="true">

    <security:intercept-url pattern="/**" access="isAuthenticated()" />

    <security:form-login login-page="/login" default-target-url="/home" 
                         authentication-failure-url="/login?logout=true" 
                         authentication-success-handler-ref="authenticationSuccessHandler"
                         authentication-failure-handler-ref="authenticationFailureHandler"/>


    <security:logout logout-url="/j_spring_security_logout" invalidate-session="true" success-handler-ref="logoutHandler"/>


    <security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
    <security:session-management session-authentication-strategy-ref="concurrentSessionManager" session-authentication-error-url="/login?msg=SessionError"/>


</security:http>


<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="sessionAuthenticationStrategy" ref="concurrentSessionManager"/>
</bean>

<!-- Authentication Manager -->
<security:authentication-manager alias="authenticationManager">
    <!-- Custom Authentication provider -->
    <security:authentication-provider ref="hemisphereAuthenticationProvider"/>
</security:authentication-manager>

<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />  


<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry"/>
    <property name="expiredUrl" value="/login?msg=SessionError" />
</bean> 

<bean id="concurrentSessionManager" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <property name="maximumSessions" value="1"/>
    <property name="exceptionIfMaximumExceeded" value="true" />
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>

<bean id="hemisphereAuthenticationProvider" class="security.HemisphereAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailService"/>
</bean>

<bean id="authenticationSuccessHandler" class="security.HemisphereAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/home" />
    <property name="alwaysUseDefaultTargetUrl" value="no" />
</bean>

<bean id="authenticationFailureHandler" class="security.HemisphereAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/login" />
</bean>

<bean id="logoutHandler" class="security.HemisphereLogoutHandler"/>

我究竟做错了什么?

感谢您的关注!

4

0 回答 0