所以用户登录- >关闭浏览器- >打开浏览器再一次- >出现错误:春季安全重定向时,此主体最大会话数超过
HTTP Status 401 - Authentication Failed: Maximum sessions of 1 for this principal exceeded
我需要的是捕捉到这一事件会话无效,删除所有会话该用户并重定向到正常的登录页面
春季安全配置:
<http auto-config="true" use-expressions="true">
<session-management session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
</session-management>
<intercept-url pattern="/login" access="hasRole('ROLE_ANONYMOUS')" requires-channel="any"/>
<!--<custom-filter after="CONCURRENT_SESSION_FILTER" ref="sessionExpiration" /> -->
<!-- .... -->
</http>
<beans:bean id="sessionExpiration" class="com.test.security.SessionExpirationFilter">
<beans:property name="expiredUrl">
<beans:value>/login</beans:value>
</beans:property>
</beans:bean>
我试图执行一些过滤器,但它总是显示会话为空:
public class SessionExpirationFilter implements Filter, InitializingBean {
private String expiredUrl;
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
String path = httpRequest.getServletPath();
HttpSession session = httpRequest.getSession(false);
System.out.println(session);
if (session == null && !httpRequest.isRequestedSessionIdValid()) {
SecurityContextHolder.getContext().setAuthentication(null);
String targetUrl = httpRequest.getContextPath()
+ expiredUrl;
httpResponse.sendRedirect(httpResponse.encodeRedirectURL(targetUrl));
return;
}
chain.doFilter(request, response);
}
public void setExpiredUrl(String expiredUrl) {
this.expiredUrl = expiredUrl;
}
}
我已经设置'错误如果利用最大exceeded'为'FALSE'。当我尝试多次登录时,最新的会话将会使以前的会话失效。但是,*如果我必须保持第一次会话,并且不允许在第一次登出完成之前再次登录,该怎么办?*您是否知道如何实现这一点? – OO7 2015-05-14 09:19:55
@ OO7您需要将该属性设置为'true',那么第二个会话将不被允许 'error-if-maximum-exceeded =“true”' – 2016-09-28 07:06:33