会话管理不春季安全

Question

我的春天-security.xml文件工作：

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security" 
    xmlns:p="http://www.springframework.org/schema/p" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
      http://www.springframework.org/schema/security 

      http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 

    <!-- This is where we configure Spring-Security --> 

    <security:global-method-security pre-post-annotations="enabled" /> 
    <!-- <security:global-method-security secured-annotations="enabled" /> --> 

    <security:http auto-config="false" use-expressions="true" access-denied-page="/access-deniad" 
      entry-point-ref="authenticationEntryPoint"> 
     <security:intercept-url pattern="/RetailEnterpriseSuite/login.do" access="permitAll" requires-channel="https" /> 
     <security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" requires-channel="https"/> 
     <!-- <security:intercept-url pattern="/common" access="hasRole('ROLE_USER')"/> --> 
     <security:intercept-url pattern="/users" access="hasRole('ROLE_USER')"/> 
     <security:intercept-url pattern="/*" access="permitAll" requires-channel="any"/> 

     <security:logout 
       invalidate-session="true" 
       logout-success-url="/login.html" 
       logout-url=""/> 

     <!-- 
      Querying the SessionRegistry for currently authenticated users and their sessions 
      http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals 
     --> 
     <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/> 
     <security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/> 
     <security:custom-filter ref="singleEntryFilter" after="FORM_LOGIN_FILTER"/> 
     <security:session-management session-authentication-strategy-ref="sas"/> 
    </security:http> 



    <bean id="singleEntryFilter" class="com.stc.res.filter.SingleEntryFilter" 
      p:redirectURI="/login.html"> 
      <property name="guardURI"> 
       <list> 
        <!-- <value>/index.html</value> --> 
        <value>/index.html</value> 
        <!-- <value>/index.html</value> 
        <value>/index.html</value> 
        <value>/index.html</value> 
        <value>/index.html</value> --> 
       </list> 
      </property> 
    </bean> 
    <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" 
     p:sessionAuthenticationStrategy-ref="sas" 
     p:authenticationManager-ref="authenticationManager" 
     p:authenticationFailureHandler-ref="customAuthenticationFailureHandler" 
     p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/> 

    <!-- We just actually need to set the default failure url here --> 
    <bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" 
     p:defaultFailureUrl="/loginfailed" /> 

    <!-- We just actually need to set the default target url here --> 

    <bean id= "customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"> 
     <property name="redirectStrategy" ref="customSuccessRedirStrategy" /> 
    </bean> 
    <!-- <bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler" 
      p:redirectStrategy-ref="customSuccessRedirStrategy" /> --> 

    <bean id= "customSuccessRedirStrategy" class=" com.stc.res.customeredirection.CustomSuccessRedirection"> </bean> 



    <!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page, 
      whenever the server sends back a response requiring authentication --> 
    <!-- See Spring-Security Reference 5.4.1 for more info --> 
    <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" 
     p:loginFormUrl="/login.html"/> 

    <!-- Declare an authentication-manager to use a custom userDetailsService --> 
    <!-- It's important to set the alias here because it's used by the authenticationFilter --> 
    <security:authentication-manager alias="authenticationManager"> 
     <security:authentication-provider user-service-ref="userservice"> 
     <security:password-encoder ref="passwordEncoder"> 
        <security:salt-source ref="saltSource"/> 
     </security:password-encoder> 
     </security:authentication-provider> 
     <security:authentication-provider user-service-ref="jdbcUserService"/> 
    </security:authentication-manager> 

    <bean id="userservice" class="com.stc.res.service.UserLoginService" > 
     <property name="usrlogindao" ref="userLogindao"/> 
    </bean> 

    <bean id="userLogindao" class = "com.stc.res.dao.UserLoginDao" /> 

    <bean id="jdbcUserService" class="com.stc.res.service.JdbcUserService"> 
     <property name="customJdbcDao" ref="custjdbcDao"/> 
    </bean> 

    <bean id="custjdbcDao" class= "com.stc.res.dao.CustomJdbcDaoImpl"> 
     <property name="dataSource" ref="dataSource"/> 
    </bean> 


    <bean id="jdbcAdminUserService" class="com.stc.res.controller.JdbcAdminUserService"> 
     <property name="dataSource" ref="dataSource"/> 
     <property name="authenticationManager" ref="authenticationManager"/> 
    </bean> 


    <!-- Use a Sha encoder since the user's passwords are stored as Md5 in the database --> 
    <bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder"/> 
    <bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource"> 
      <property name="userPropertyToUse" value="username"/> 
    </bean> 

    <!-- <security:bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.PersistentTokenBasedRememberMeServices"> 
     <property name="tokenRepository" ref="jdbcTokenRepository" /> 
     <property name="userDetailsService" ref="userservice" /> 
     <property name="key" value="springRocks" /> 
     <property name="alwaysRemember" value="false" /> 
    </security:bean> 

    Uses a database table to maintain a set of persistent login data 
    <security:bean id="jdbcTokenRepository" class="org.springframework.security.ui.rememberme.JdbcTokenRepositoryImpl"> 
     <property name="createTableOnStartup" value="false" /> 
     <property name="dataSource" ref="dataSource" /> 
    </security:bean> 
    --> 


    <!-- An in-memory list of users. No need to access an external database layer. 
      See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication --> 
    <!-- john's password is admin, while jane;s password is user --> 



    <!-- Filter required by concurrent session handling package 
      The ConcurrentSessionFilter requires two properties, sessionRegistry, which generally points to an 
      instance of SessionRegistryImpl, and expiredUrl, which points to the page to display when a session has expired. 
      See: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals --> 
    <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter" 
      p:sessionRegistry-ref="sessionRegistry" 
      p:expiredUrl="/login.html" /> 

    <!-- Defines a concrete concurrent control strategy 
      Checks whether the user in question should be allowed to proceed, by comparing the number of 
      sessions they already have active with the configured maximumSessions value. The SessionRegistry 
      is used as the source of data on authenticated users and session data. 
      See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.html--> 
    <bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy" 
      p:maximumSessions="1" error-if-maximum-exceeded="true" > 
      <constructor-arg name="sessionRegistry" ref="sessionRegistry" /> 
    </bean> 

    <!-- Maintains a registry of SessionInformation instances 
      See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/session/SessionRegistry.html --> 
    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> 

</beans> 

和我配置了在web.xml：

<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 
    <filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
    <dispatcher>REQUEST</dispatcher> 
    <dispatcher>ERROR</dispatcher> 
    </filter-mapping> 
    <listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener> 
    <filter> 
    <display-name>MycustomFilter</display-name> 
    <filter-name>MycustomFilter</filter-name> 
    <filter-class>com.stc.res.filter.MycustomFilter</filter-class> 
    </filter> 
    <filter-mapping> 
    <filter-name>MycustomFilter</filter-name> 
    <url-pattern>/MycustomFilter</url-pattern> 
    </filter-mapping> 

listener> 
    <listener-class> 
    org.springframework.security.web.session.HttpSessionEventPublisher 
    </listener-class> 
    </listener> 

请让我知道是错这个代码，请指导我。我是春季安全新手。即使用户也可以从不同的浏览器登录，而无需注销。

Answer 1

你有没有从官方文档试过这个片段（防止多次登录）：

<security:http ... > 

    .... 

    <security:session-management> 
     <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> 
    </security:session-management>   
</security:http>