0

我按照下面的示例将弹簧安全性集成到检票口中。 https://github.com/thombergs/wicket-spring-security-example

我更改了 spring-security.xml 文件以配置并发控制,如下所示。

 <beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd 
                    http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<http use-expressions="true" create-session="never" auto-config="true">

    <!-- <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" 
        /> -->
    <!-- <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" /> -->

    <intercept-url pattern="/" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/home" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/login" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/**/*.png" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/**/*.css" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"
        requires-channel="https" />
    <intercept-url pattern="/secure/**" access="isAuthenticated()"
        requires-channel="https" />
    <!-- <intercept-url pattern="/**" access="permitAll" requires-channel="https" 
        /> -->
    <!-- the login page is a wicket page mounted in WicketApplication.init() -->

    <form-login login-page="/login" default-target-url='/home'
        always-use-default-target='true' />

    <session-management>
        <concurrency-control max-sessions="1" 
            session-registry-alias="authenticationManager" expired-url="/login"
            error-if-maximum-exceeded="true" session-registry-ref="sessionRegistry" />
    </session-management>

    <!-- <session-management session-authentication-error-url="/login">   <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> </session-management> -->
    <!-- <session-management invalid-session-url="/login" /> -->

</http>

<!-- <beans:bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> 
    <beans:property name="sessionAuthenticationStrategy" ref="sas" />     <beans:property name="authenticationManager" ref="authenticationManager" /> </beans:bean> -->

<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <user-service>
            <user name="rod" password="koala" authorities="supervisor, teller, user" />
            <user name="dianne" password="emu" authorities="teller, user" />
            <user name="scott" password="wombat" authorities="user" />
            <user name="peter" password="opal" authorities="user" />
        </user-service>
    </authentication-provider>
</authentication-manager>

<beans:bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl" value="/login" />
</beans:bean>

<!-- <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> 
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />  <beans:property name="maximumSessions" value="1" /> </beans:bean> -->

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" autowire="default" />

<!-- This filter is responsible for storing the SecurityContextHolder between 
    requests. Also see SecureWebSession.authenticate(). -->
<beans:bean id="securityContextPersistenceFilter"       class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

</beans:beans>

web.xml 文件:

    <?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">

<display-name>wicket-spring-security-example</display-name>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        classpath:spring-security.xml
    </param-value>
</context-param>
<listener>
<listener-  class>org.springframework.web.context.ContextLoaderListener</listener- class>
</listener>
<listener>
    <listener-class>
      org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter>
    <filter-name>wicket.wicket-spring-security-example</filter-name>
    <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
    <init-param>
        <param-name>applicationClassName</param-name>
        <param-value>org.wickedsource.WicketApplication</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>wicket.wicket-spring-security-example</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<session-config>
    <session-timeout>1</session-timeout>
</session-config>
</web-app>

我的问题:

1) 并发控制不适用于上述配置。我可以登录多个浏览器。

2)每个用户单点登录(我的意思是,如果同一用户('x')再次登录,则用户'x'已登录。这里我想使先前登录的会话无效)。我怎样才能做到这一点。

4

1 回答 1

0

1)它可能不起作用,因为示例中的会话管理是由 Wicket 而不是 Spring Security 处理的,因此您必须找到一种方法在 Wicket 中启用它。

2) Wicket Session 类具有方法 replaceSession(),您可以使用该方法在登录时创建新会话。尝试这个。

于 2013-05-26T09:59:19.350 回答