无法限制多个登录在不同的浏览器

Question

我想限制用户登录到2个不同的浏览器，同一个登录ID在同一时间。这是安全上下文。我不确定我在这里做错了什么。

有人可以帮忙。谢谢。

<security:http auto-config="false" lowercase-comparisons="false" entry-point-ref="loginUrlAuthenticationEntryPoint"> 
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter" /> 
    <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" /> 

    <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
    <security:intercept-url pattern="/invalidlogin.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
    <security:intercept-url pattern="/accessdenied.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
    <security:intercept-url pattern="/logout.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
    <security:intercept-url pattern="/**.jsp" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" /> 
    <security:intercept-url pattern="/**.html" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" /> 
    <security:intercept-url pattern="/**.do" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" /> 
    <security:intercept-url pattern="/**" filters="none" /> 

    <security:logout logout-success-url="/logout.jsp" invalidate-session="true" /> 

    <security:session-management> 
     <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> 
    </security:session-management> 
</security:http> 

<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
    <property name="loginFormUrl" value="/login.jsp" /> 
</bean> 

<security:authentication-manager alias="authenticationManager"> 
    <security:authentication-provider ref="myAuthenticationProvider" /> 
</security:authentication-manager> 

<bean id="formLoginFilter" class="com.company.security.myMapUsernamePasswordAuthenticationFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" /> 
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" /> 
</bean> 

<bean id="authenticationSuccessHandler" class="com.company.security.AuthenticationSuccessHandlerImpl"> 
    <property name="defaultTargetUrl" value="/main.do" /> 
    <property name="alwaysUseDefaultTargetUrl" value="true" /> 
</bean> 

<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> 
    <property name="defaultFailureUrl" value="/invalidlogin.jsp" /> 
</bean> 

<bean id="myAuthenticationProvider" class="com.company.security.CustomUserDetailsService"> 
</bean> 

<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"> 
    <property name="sessionRegistry" ref="sessionRegistry" /> 
    <property name="expiredUrl" value="/sessionexpired.jsp" /> 
</bean> 

<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> 

Answer 1

我使用ConcurrentSessionControlStrategy这一点。

http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.html

从他们的文档：

当调用验证之后，它会检查有问题的用户是否应该被允许继续进行，由比较会话数，他们已经有活跃与配置的maximumSessions值

要使用它，首先从您的配置文件中删除以下行G：

<security:session-management> 
    <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> 
</security:session-management> 

然后添加以下内容：

<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> 
    <beans:property name="maximumSessions" value="1" /> 
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> 
</beans:bean> 

然后这个bean添加到您的登录过滤器：

<bean id="formLoginFilter" class="com.company.security.myMapUsernamePasswordAuthenticationFilter"> 
    <property name="sessionAuthenticationStrategy" ref="sas"/> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" /> 
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" /> 
</bean> 

这应该做的伎俩！