如何限制每个用户仅一个会话并阻止随后的登录尝试? [英] How to limit only one session per user and block the subsequent login attempt?

问题描述

并发控制的默认行为是使原始会话到期.但是，我想通过显示消息用户已登录"来阻止使用相同凭据登录的第二个用户.我该怎么做?

The default behavior of concurrency control is to expire the original session. However, I would like to block the second user which is logging in with the same credentials with displaying message "User has already logged in". How can I accomplish this ?

以下是spring-security.xml的配置:

Below is the configuration of spring-security.xml:

<http auto-config="false" use-expressions="true">
    <intercept-url pattern="/login*" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/userHasLoggedIn" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/j_spring_security_*" access="permitAll"
        requires-channel="https" />
    <intercept-url pattern="/session*" access="permitAll"
        requires-channel="https" />
    <form-login login-page="/login" authentication-failure-url="/loginFailed" />
    <intercept-url pattern="/**" access="isAuthenticated()"
        requires-channel="https" />
    <session-management invalid-session-url="/sessionExpired" session-authentication-error-url="/loginAlready">
        <concurrency-control error-if-maximum-exceeded="false" expired-url="/userHasLoggedIn" max-sessions="1"/>
    </session-management>
    <logout delete-cookies="JSESSIONID" />
</http>

(已更新)我最终的Spring安全配置:

(Updated) My final spring security configuration:

<http auto-config="false" use-expressions="true">
        <intercept-url pattern="/login*" access="permitAll"
            requires-channel="https" />
        <form-login default-target-url="/home" login-page="/login" authentication-failure-url="/loginFailed" />
        <intercept-url pattern="/**" access="isFullyAuthenticated()"
            requires-channel="https" />
        <session-management session-authentication-error-url="/loginFailed">
            <concurrency-control expired-url="/loginFailed" error-if-maximum-exceeded="true" max-sessions="1"/>
        </session-management>
        <logout delete-cookies="JSESSIONID" />
    </http>

推荐答案

解决方案是

通常，您宁愿阻止第二次登录，在这种情况下， 可以使用

Often you would prefer to prevent a second login, in which case you can use

<http>
  ...
  <session-management>
      <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
  </session-management>
</http>

第二次登录将被拒绝. 拒绝"是指 用户将被发送到authentication-failure-url 使用基于表单的登录.如果第二次身份验证需要 通过另一种非交互机制放置，例如 记住我"，则会将未经授权"(402)错误发送给 客户.相反，如果您要使用错误页面，则可以添加 属性session-authentication-error-url到 session-management元素.

The second login will then be rejected. By "rejected", we mean that the user will be sent to the authentication-failure-url if form-based login is being used. If the second authentication takes place through another non-interactive mechanism, such as "remember-me", an "unauthorized" (402) error will be sent to the client. If instead you want to use an error page, you can add the attribute session-authentication-error-url to the session-management element.

因此，基本上将error-if-maximum-exceeded设置为"true"并从<concurrency-control>中删除expired-url属性.

So basically set error-if-maximum-exceeded to "true" and remove expired-url attribute from <concurrency-control>.

这篇关于如何限制每个用户仅一个会话并阻止随后的登录尝试?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！