使会话弹簧安全性无效
Posted
技术标签:
【中文标题】使会话弹簧安全性无效【英文标题】:Invalidate session spring security 【发布时间】:2016-10-14 16:19:12 【问题描述】:我的 Web 应用程序使用 Spring Security 在登录时对用户进行身份验证。我也有并发控制以避免用户在不同的机器上登录两次。这工作正常,但我的问题是: 如果用户在机器上登录,则关闭浏览器。然后他重新打开 Web 应用程序,尝试再次登录,他收到以下消息 'Maximum sessions of 1 for this principal exceeded' 。我想在浏览器关闭时使会话无效。我该怎么做?
Spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://. www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/. XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/. spring-security-3.1.xsd">
<security:global-method-security
secured-annotations="enabled" />
<security:http auto-config="false"
authentication-manager-ref="authenticationManager" use-expressions="true">
<!-- Override default login and logout pages -->
<security:form-login
authentication-failure-handler-ref="fail"
authentication-success-handler-ref="success" login-page="/car/login.xhtml"
default-target-url="/jsf/car/home.xhtml" />
<security:logout invalidate-session="true"
logout-url="/j_spring_security_logout" success-handler-ref="customLogoutHandler" delete-cookies="JSESSIONID"/>
<security:session-management>
<security:concurrency-control
max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
<security:intercept-url pattern="/jsf/**"
access="isAuthenticated()" />
<security:intercept-url pattern="/run**"
access="isAuthenticated()" />
<security:intercept-url pattern="/pages/login.xhtml"
access="permitAll" />
</security:http>
<bean id="success" class="com.car.LoginSuccess" />
<bean id="fail" class="com.car.LoginFailed">
<property name="defaultFailureUrl" value="/?login_error=true" />
</bean>
<bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
user-service-ref="userDetailsService">
<security:password-encoder ref="passwordEncoder"
hash="sha" />
</security:authentication-provider>
</security:authentication-manager>
public class FilterToGetTimeOut extends OncePerRequestFilter
@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException
try
if(request.getRequestURI().equals("/") || request.getRequestURI().equals("/car/login.xhtml"))
if(request.getSession().getAttribute("login") != null && (Boolean)request.getSession().getAttribute("login") == true)
response.sendRedirect("/jsf/car/home.xhtml"); //After login page
else if(request.getSession().getAttribute("login") == null && !request.getRequestURI().equals("/j_spring_security_logout"))
response.sendRedirect(request.getContextPath()+"/?timeout=true"); //If timeout is true send session timeout error message to JSP
filterChain.doFilter(request, response);
catch (Exception e)
//Log Exception
【问题讨论】:
你能显示 spring-security.xml 吗? 查看编辑后的帖子。并发控制运行良好。我认为关闭浏览器的问题与 xml 文件无关。为"/"(首页)请求和logout请求添加以下代码。
@Controller
public class LoginController
@RequestMapping(value = "/", method = RequestMethod.GET)
public ModelAndView loadApp(HttpServletRequest request)
HttpSession session= request.getSession(false);
SecurityContextHolder.clearContext();
if(session != null)
session.invalidate();
return new ModelAndView("/car/login");
使用此过滤器How to get session time out message using Spring security
【讨论】:
@RequestMapping(value = "/", method = RequestMethod.GET)...在这个请求方法中 能否请您提供完整的课程以及附加代码?谢谢 如果你还是不明白,给我看看你的登录控制器类..我会自己修改 我没有登录控制器。我有一个 loginSuccess.java 和 LoginFailure.java 你对这个答案投了反对票吗?我可以知道原因吗??以上是关于使会话弹簧安全性无效的主要内容,如果未能解决你的问题,请参考以下文章