1. Add a listener to the configuration file:
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
2. Add ConcurrentSessionFilter to the FilterChainProxy. This filter needs two properties: sessionRegistry (which requires a SessionRegistryImpl instance) and expiredUrl (the URL to redirect to when the filter check fails).
    <http>
        <custom-filter position="FORM_LOGIN_FILTER" ref="loginFilter" />
        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrentSessionFilter" />
        <!-- Prevent the same user from logging in multiple times, so that the second login ... -->
        <session-management session-authentication-strategy-ref="concurrentSessionControlStrategy" />
    </http>

    <!-- Login Filter -->
    <beans:bean id="loginFilter"
            class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationSuccessHandler" ref="loginAuthenticationSuccessHandler" />
        <beans:property name="authenticationFailureHandler" ref="loginAuthenticationFailureHandler" />
    </beans:bean>

    <beans:bean id="concurrentSessionFilter"
            class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/admin/login" />
        <beans:property name="logoutHandlers">
            <beans:list>
                <beans:ref bean="logoutHandler" />
            </beans:list>
        </beans:property>
    </beans:bean>

    <beans:bean id="logoutHandler"
            class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />

    <!-- the following settings for session management -->
    <beans:bean id="sessionRegistry"
            class="org.springframework.security.core.session.SessionRegistryImpl" />

    <beans:bean id="concurrentSessionControlStrategy"
            class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
        <beans:property name="migrateSessionAttributes" value="true" />
        <beans:property name="exceptionIfMaximumExceeded" value="false" />
    </beans:bean>
3. Code: in its doFilter() method, AbstractAuthenticationProcessingFilter calls the onAuthentication method of the configured concurrentSessionControlStrategy. The actual decision on whether a request passes or not is made in the ConcurrentSessionFilter:
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);

        if (session != null) {
            SessionInformation info = sessionRegistry.getSessionInformation(session.getId());

            if (info != null) {
                if (info.isExpired()) {
                    // Expired - abort processing
                    doLogout(request, response);

                    String targetUrl = determineExpiredUrl(request, info);

                    if (targetUrl != null) {
                        redirectStrategy.sendRedirect(request, response, targetUrl);
                        return;
                    } else {
                        response.getWriter().print("This session has been expired (possibly due to multiple concurrent "
                                + "logins being attempted as the same user).");
                        response.flushBuffer();
                    }

                    return;
                } else {
                    // Non-expired - update last request date/time
                    sessionRegistry.refreshLastRequest(info.getSessionId());
                }
            }
        }

        chain.doFilter(request, response);
    }
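The login-time and request-time checks from steps 2 and 3, as an added example that is not part of the original post and is not Spring's own source: a simplified model driven through the real SessionRegistryImpl API (it needs spring-security-core on the classpath). The class name ConcurrentSessionDemo, the helpers onLogin and onRequest, the principal "alice" and the session ids are constructed for illustration.

```java
import java.util.Comparator;
import java.util.List;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;

// Added illustration (hypothetical class, not Spring's source): models the two checks
// with the values from the XML above.
public class ConcurrentSessionDemo {
    static final int MAXIMUM_SESSIONS = 1;               // maximumSessions
    static final boolean EXCEPTION_IF_EXCEEDED = false;  // exceptionIfMaximumExceeded

    // Login time: the decision the strategy's onAuthentication makes before registering.
    static void onLogin(SessionRegistry registry, Object principal, String newSessionId) {
        List<SessionInformation> active = registry.getAllSessions(principal, false);
        // A session that is already registered for this principal does not count twice.
        boolean alreadyKnown = active.stream()
                .anyMatch(s -> s.getSessionId().equals(newSessionId));
        if (!alreadyKnown && active.size() >= MAXIMUM_SESSIONS) {
            if (EXCEPTION_IF_EXCEEDED) {
                throw new IllegalStateException("maximum sessions exceeded for " + principal);
            }
            // Otherwise the new login goes through and the least recently used session is expired.
            active.stream()
                  .min(Comparator.comparing(SessionInformation::getLastRequest))
                  .ifPresent(SessionInformation::expireNow);
        }
        registry.registerNewSession(newSessionId, principal);
    }

    // Request time: the same branches as ConcurrentSessionFilter.doFilter, as a verdict string.
    static String onRequest(SessionRegistry registry, String sessionId) {
        SessionInformation info = registry.getSessionInformation(sessionId);
        if (info == null) return "untracked: continue chain";
        if (info.isExpired()) return "expired: logout and redirect to expiredUrl";
        registry.refreshLastRequest(sessionId);
        return "active: continue chain";
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistryImpl();
        onLogin(registry, "alice", "SESSION-A");  // constructed session ids
        onLogin(registry, "alice", "SESSION-B");  // second login for the same user
        System.out.println("SESSION-A -> " + onRequest(registry, "SESSION-A"));
        System.out.println("SESSION-B -> " + onRequest(registry, "SESSION-B"));
    }
}
```

SessionRegistryImpl looks sessions up by the principal object, so a custom UserDetails class needs consistent equals() and hashCode() implementations for the per-user count to work.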