Spring Security, Form Login, and Concurrent Sessions


Problem description

I am trying to restrict a user from signing in more than once (forcing the previous session to expire).

I've checked the documentation on the subject here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html#d0e3816. I've set this up very similar to the documentation, but users are not being restricted to one session at a time. I can log in multiple times (in different browsers) with the same user and have multiple concurrent sessions going.

Here are what I believe to be the relevant bits of my security setup. I'm using custom UserDetailsService, UserDetails, and AuthenticationFilter implementations.


    <http entry-point-ref="authenticationEntryPoint">
        <!-- Make sure everyone can access the login page -->
        <intercept-url pattern="/login.do*" filters="none" />

        [...]

        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter" />

        <logout logout-url="/logout" logout-success-url="/login.do" />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder hash="sha" />
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="userDetailsService" class="[...]">
        <beans:property name="userManager" ref="userManager" />
    </beans:bean>

    <beans:bean id="authenticationFilter" class="[...]">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="eventPublisher">
            <beans:bean
                class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />
        </beans:property>
        <beans:property name="filterProcessesUrl" value="/security_check" />
        <beans:property name="authenticationFailureHandler">
            <beans:bean
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <beans:property name="defaultFailureUrl" value="/login.do?login_error=true" />
            </beans:bean>
        </beans:property>
        <beans:property name="sessionAuthenticationStrategy"
            ref="sessionAuthenticationStrategy" />
    </beans:bean>

    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.do" />
    </beans:bean>

    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/login.do?login_error=true!" />
    </beans:bean>

    <beans:bean id="sessionAuthenticationStrategy"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry"
            ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />

I've also registered org.springframework.security.web.session.HttpSessionEventPublisher as a listener in my web.xml file.

As far as I can tell, I've configured this according to the documentation. I can't tell why this isn't working. Could it have something to do with the fact that I'm using a form-based login? Or my custom implementations mentioned above?

Recommended answer

I figured it out. If you reimplement UserDetails, you must provide a hashCode() method for SessionRegistryImpl to use. This is not mentioned in the documentation.
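The fix described in the answer, as an added example that is not the asker's or the answerer's code: a custom UserDetails whose equals() and hashCode() are derived from the username, so that SessionRegistryImpl (which keys its map of registered sessions by the principal object) recognises a second login of the same user as the same principal and ConcurrentSessionControlStrategy can expire the earlier session. The class name CustomUser, its fields and the small main() are assumptions for illustration; the Spring Security calls are those of the 3.0.x API the question uses.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical custom principal: the username is the only identity-bearing field.
public class CustomUser implements UserDetails {
    private final String username;
    private final String password;
    private final Collection<GrantedAuthority> authorities;

    public CustomUser(String username, String password, Collection<GrantedAuthority> authorities) {
        this.username = username;
        this.password = password;
        this.authorities = Collections.unmodifiableCollection(authorities);
    }

    public Collection<GrantedAuthority> getAuthorities() { return authorities; }
    public String getPassword() { return password; }
    public String getUsername() { return username; }
    public boolean isAccountNonExpired() { return true; }
    public boolean isAccountNonLocked() { return true; }
    public boolean isCredentialsNonExpired() { return true; }
    public boolean isEnabled() { return true; }

    // Two principals are the same user iff their usernames match. Without this pair,
    // each login yields a fresh object with identity-based equals/hashCode, so the
    // registry never associates the new session with the existing one and never expires it.
    @Override
    public boolean equals(Object o) {
        return o instanceof CustomUser && username.equals(((CustomUser) o).username);
    }

    @Override
    public int hashCode() { return username.hashCode(); }

    // Demonstration: two separately loaded instances of one user share a registry entry.
    public static void main(String[] args) {
        Collection<GrantedAuthority> none = Collections.<GrantedAuthority>emptyList();
        SessionRegistryImpl registry = new SessionRegistryImpl();
        registry.registerNewSession("session-from-browser-a", new CustomUser("alice", "x", none));
        registry.registerNewSession("session-from-browser-b", new CustomUser("alice", "x", none));
        // Looked up with yet another instance; both sessions are found only because
        // equals/hashCode compare usernames rather than object identity.
        List<SessionInformation> sessions = registry.getAllSessions(new CustomUser("alice", "x", none), false);
        System.out.println("registered sessions for alice: " + sessions.size());
    }
}
```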
