春季安全,表单登录和并发会话 [英] Spring Security, Form Login, and Concurrent Sessions
问题描述
我想从签署不止一次限制用户(强制previous会话过期)。
I am trying to restrict a user from signing more than once (forcing the previous session to expire).
我检查的文件关于这个问题的<一个href=\"http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html#d0e3816\"相对=nofollow>此处。我已经设置此非常相似的文档,但用户不被同时限制到一个会话。我可以用同一个用户多次(在不同的浏览器)登录,并有持续多个并发会话。
I've checked the documentation on the subject here. I've set this up very similar to the documentation, but users are not being restricted to one session at a time. I can log in multiple times (in different browsers) with the same user and have multiple concurrent sessions going.
下面是什么,我认为是我的安全设置中的相关内容。我使用自定义的UserDetailsService,是UserDetails和AuthenticationFilter实现。
Here are what I believe to be the relevant bits of my security setup. I'm using custom UserDetailsService, UserDetails, and AuthenticationFilter implementations.
<http entry-point-ref="authenticationEntryPoint">
<!-- Make sure everyone can access the login page -->
<intercept-url pattern="/login.do*" filters="none" />
[...]
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter" />
<logout logout-url="/logout" logout-success-url="/login.do" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="sha" />
</authentication-provider>
</authentication-manager>
<beans:bean id="userDetailsService" class="[...]">
<beans:property name="userManager" ref="userManager" />
</beans:bean>
<beans:bean id="authenticationFilter" class="[...]">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="eventPublisher">
<beans:bean
class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />
</beans:property>
<beans:property name="filterProcessesUrl" value="/security_check" />
<beans:property name="authenticationFailureHandler">
<beans:bean
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.do?login_error=true" />
</beans:bean>
</beans:property>
<beans:property name="sessionAuthenticationStrategy"
ref="sessionAuthenticationStrategy" />
</beans:bean>
<beans:bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.do" />
</beans:bean>
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/login.do?login_error=true!" />
</beans:bean>
<beans:bean id="sessionAuthenticationStrategy"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry"
ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
我也注册 org.springframework.security.web.session.HttpSessionEventPublisher
在我的web.xml文件中的监听器。
I've also registered org.springframework.security.web.session.HttpSessionEventPublisher
as a listener in my web.xml file.
据我所知道的,我根据文档已经配置了这一点。我不知道为什么这是行不通的。难道有事可做的事实,我使用的是基于表单登录?还是我的自定义实现上述?
As far as I can tell, I've configured this according to the documentation. I can't tell why this isn't working. Could it have something to do with the fact that I'm using a form-based login? Or my custom implementations mentioned above?
推荐答案
我想通了。如果重新实现的UserDetails,你必须提供一个哈希code()方法SessionRegistryImpl使用。这不是在文档中提到的。
I figured it out. If you reimplement UserDetails, you must provide a hashCode() method for SessionRegistryImpl to use. This is not mentioned in the documentation.
这篇关于春季安全,表单登录和并发会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!