2016-06-14 95 views
0

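My web application uses Spring Security to authenticate users at login. I also have concurrency control to prevent a user from logging in twice on different machines. This works fine, but my problem is: if a user logs in on one machine and then closes the browser, then reopens the web application and tries to log in again, he gets the message "Maximum sessions of 1 for this principal exceeded". I want the session to be invalidated when the browser is closed. How can I do that?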

spring-security.xml file

 <?xml version="1.0" encoding="UTF-8"?>
      <beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security 
     secured-annotations="enabled" /> 

    <security:http auto-config="false" 
     authentication-manager-ref="authenticationManager" use-expressions="true"> 
     <!-- Override default login and logout pages --> 
     <security:form-login 
       authentication-failure-handler-ref="fail" 
       authentication-success-handler-ref="success" login-page="/car/login.xhtml" 
       default-target-url="/jsf/car/home.xhtml" /> 
     <security:logout invalidate-session="true" 
       logout-url="/j_spring_security_logout" success-handler-ref="customLogoutHandler" delete-cookies="JSESSIONID"/> 
     <security:session-management> 
       <security:concurrency-control 
        max-sessions="1" error-if-maximum-exceeded="true" /> 
     </security:session-management> 
     <security:intercept-url pattern="/jsf/**" 
       access="isAuthenticated()" /> 
     <security:intercept-url pattern="/run**" 
       access="isAuthenticated()" /> 
     <security:intercept-url pattern="/pages/login.xhtml" 
       access="permitAll" /> 
    </security:http> 

    <bean id="success" class="com.car.LoginSuccess" /> 

    <bean id="fail" class="com.car.LoginFailed"> 
     <property name="defaultFailureUrl" value="/?login_error=true" /> 
    </bean> 
    <bean id="passwordEncoder" 
     class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" /> 

    <security:authentication-manager alias="authenticationManager"> 
     <security:authentication-provider 
       user-service-ref="userDetailsService"> 
       <security:password-encoder ref="passwordEncoder" 
        hash="sha" /> 
     </security:authentication-provider> 
    </security:authentication-manager>
      </beans>

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

public class FilterToGetTimeOut extends OncePerRequestFilter {

    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException {
        try {
            String uri = request.getRequestURI();
            Object login = request.getSession().getAttribute("login");
            if (uri.equals("/") || uri.equals("/car/login.xhtml")) {
                if (Boolean.TRUE.equals(login)) {
                    response.sendRedirect("/jsf/car/home.xhtml"); // After login page
                    return; // Response is committed, do not continue the chain
                }
            } else if (login == null && !uri.equals("/j_spring_security_logout")) {
                response.sendRedirect(request.getContextPath() + "/?timeout=true"); // If timeout is true send session timeout error message to JSP
                return; // Response is committed, do not continue the chain
            }
            filterChain.doFilter(request, response);
        } catch (Exception e) {
            // Log Exception
        }
    }
}
+0

Can you show the spring-security.xml file? –

+0

See the edited post. The concurrency control works fine. I don't think the browser-closing problem is related to the xml file. – Alina

+0

...try it.. add invalid-session-url –

Answer

2

Add the following code for the "/" (first page) request and the logout request.

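import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class LoginController {

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public ModelAndView loadApp(HttpServletRequest request) {
        // Look up the current session without creating a new one
        HttpSession session = request.getSession(false);
        // Drop any authentication held for this request thread
        SecurityContextHolder.clearContext();
        if (session != null) {
            session.invalidate();
        }

        return new ModelAndView("/car/login");
    }
}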

Use this filter: How to get session time out message using Spring security

+0

I didn't understand what you mean. Where exactly should I add it? – Alina

+0

@RequestMapping(value = "/", method = RequestMethod.GET)... in this request method –

+0

Can you please provide me with the complete class and the additional code? Thanks – Alina
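
An added configuration example, not part of the original thread: closing the browser only discards the JSESSIONID cookie on the client, so the server-side session keeps counting against max-sessions="1" until the container destroys it and Spring Security's session registry is told about it. The 15-minute timeout and the expired-url value are assumptions chosen for illustration.

```xml
<!-- web.xml (fragment): added example, values are assumptions -->
<listener>
    <!-- Forwards container session-destroyed events to Spring Security so the
         session registry removes the principal's entry when the HttpSession
         times out or is invalidated. Without it the registry never frees the slot. -->
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<session-config>
    <!-- Minutes of inactivity before the container destroys the session.
         15 is an assumed value. An abandoned session (browser closed without
         logout) blocks a new login for at most this long. -->
    <session-timeout>15</session-timeout>
</session-config>

<!-- spring-security.xml (fragment): replaces the session-management element
     from the question. The expired-url target is an assumed page. -->
<security:session-management>
    <!-- error-if-maximum-exceeded="false": a second successful login is accepted
         and the older session is marked expired instead of the login being
         rejected. Requests carrying the expired session id are redirected to
         expired-url. -->
    <security:concurrency-control
        max-sessions="1"
        error-if-maximum-exceeded="false"
        expired-url="/car/login.xhtml?expired=true" />
</security:session-management>
```

If rejecting the second login is a hard requirement, keep error-if-maximum-exceeded="true" and rely on the listener plus a short session-timeout; the user then stays locked out only until the abandoned session expires.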