
Instead of restricting one session per user, it is restricting one session for the whole application.

So if one user is logged in, no one else can log in.

Here is my configuration

<session-management invalid-session-url="/login">
    <concurrency-control error-if-maximum-exceeded="true" max-sessions="1" />
</session-management>

And I even added the listener in web.xml.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <!-- HTTP security configurations -->
    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/resources/j_spring_security_check"
            login-page="/login" default-target-url="/index"
            authentication-success-handler-ref="myAuthenticationSuccessHandler"
            authentication-failure-url="/login?login_error=t" />
        <logout invalidate-session="true"
            logout-url="/resources/j_spring_security_logout" success-handler-ref="myLogoutSuccessHandler"/>
        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/member/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/**" access="permitAll" />

        <session-management invalid-session-url="/login">
            <concurrency-control error-if-maximum-exceeded="true"
                max-sessions="1" />
        </session-management>
    </http>

    <!-- Configure Authentication mechanism -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="customDaoAuthenticationProvider">
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="myAuthenticationSuccessHandler" class="com.test.connect.web.login.MyAuthenticationSuccessHandler"/>
    <beans:bean id="myLogoutSuccessHandler" class="com.test.connect.web.login.MyLogoutSuccessHandler"/>

</beans:beans>

2 Answers


Based upon the configuration you provided, which includes a custom AuthenticationProvider, and the problem you are having I would guess that you are returning a custom UserDetails implementation that does not properly implement the equals and hashCode methods.

Please ensure that you have properly implemented equals and hashCode on any custom UserDetails implementation as these methods are used to look up if a user contains active sessions.

answered 2013-04-29T16:29:07.903


Just want to highlight here: make sure the equals and hashCode methods return true. If the methods are not returning true, it will not kill or terminate the existing session.

answered 2018-04-20T01:15:33.653
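Both answers above come down to the same point: the session registry keys its bookkeeping by the principal object, so the principal's equals and hashCode decide which logins count as "the same user". The following is an added example, not code from the question or either answer, of what a custom UserDetails with a correct identity contract looks like. The class name AccountPrincipal, its fields, and the small map-based demonstration in main are assumptions made for illustration; only the UserDetails interface and the Spring Security package names are real.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical principal type that a custom AuthenticationProvider might return.
public class AccountPrincipal implements UserDetails {
    private final String username;
    private final String password;
    private final boolean enabled;
    private final List<GrantedAuthority> authorities;

    public AccountPrincipal(String username, String password, boolean enabled, String... roles) {
        this.username = username;
        this.password = password;
        this.enabled = enabled;
        List<GrantedAuthority> list = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            list.add(new SimpleGrantedAuthority(role));
        }
        this.authorities = Collections.unmodifiableList(list);
    }

    // Identity of the principal is the account name only. Two logins of the same
    // account must compare equal so the registry can see the existing session;
    // two different accounts must not, or every user would share one session slot.
    @Override
    public boolean equals(Object other) {
        if (this == other) return true;
        if (!(other instanceof AccountPrincipal)) return false;
        return username.equals(((AccountPrincipal) other).username);
    }

    // hashCode must agree with equals: equal principals share a hash bucket.
    @Override
    public int hashCode() {
        return username.hashCode();
    }

    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public String getPassword() { return password; }
    @Override public String getUsername() { return username; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return enabled; }

    // Records a session id under its principal, the way a registry keyed by
    // principal does. Which key a login lands under is decided entirely by
    // equals/hashCode of the principal object.
    static void register(Map<Object, Set<String>> sessionsByPrincipal, Object principal, String sessionId) {
        Set<String> sessions = sessionsByPrincipal.get(principal);
        if (sessions == null) {
            sessions = new HashSet<String>();
            sessionsByPrincipal.put(principal, sessions);
        }
        sessions.add(sessionId);
    }

    // Demonstration with constructed users and session ids.
    public static void main(String[] args) {
        Map<Object, Set<String>> registry = new HashMap<Object, Set<String>>();
        register(registry, new AccountPrincipal("alice", "pw", true, "ROLE_ADMIN"), "sess-1");
        register(registry, new AccountPrincipal("bob", "pw", true, "ROLE_USER"), "sess-2");
        // A second login by alice: a fresh object, but equal to the first one.
        register(registry, new AccountPrincipal("alice", "pw", true, "ROLE_ADMIN"), "sess-3");

        // With a correct identity contract: alice -> 2 sessions (which
        // max-sessions="1" would reject), bob -> 1 session, two keys in total.
        // Without an override (Object identity) each login would be its own key and
        // no limit would ever trigger; with equals always true and a constant
        // hashCode every login would share one key and the limit would apply to
        // the whole application, which is the symptom in the question.
        System.out.println("distinct principals: " + registry.size());
        for (Map.Entry<Object, Set<String>> e : registry.entrySet()) {
            AccountPrincipal p = (AccountPrincipal) e.getKey();
            System.out.println(p.getUsername() + " -> " + e.getValue().size() + " session(s)");
        }
    }
}
```

Running main with the constructed data prints two distinct principals, with alice holding two sessions and bob one. If your own UserDetails class compares on a field that is null or identical for every account, or falls back to Object's identity methods, the counts shown here change in exactly the ways the comments describe.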