Spring 4 - Session Management
Hello everyone,
I am currently running an enterprise Spring web application inside our company, deployed on a Tomcat 8 server.
Now, some users report that sometimes they can't connect, as a login error is shown on the login page.
And well, that's why:
my session configuration is set up like this:
<session-management>
<concurrency-control max-sessions="5"
error-if-maximum-exceeded="true" expired-url="/login"
session-registry-alias="sessionRegistry"/>
</session-management>
<form-login login-processing-url="/login"
login-page="/login"
authentication-failure-url="/login_error" />
<logout logout-url="/logout" logout-success-url="/login"
invalidate-session="true"/>
the session-timeout is set to 4 hours:
<session-timeout>240</session-timeout>
Now in a worst case, there are 5 sessions with only a CSRF token stored server-side and, let's say, an average lifetime of 3 hours, blocking the user from connecting again.
Please, can someone tell me that there is a better solution than:
max-sessions="biggerNumber"
and thanks for reading anyway...
You have 2 possibilities that you can combine: 您有两种可以组合的可能性:
But you also have a more radical way: change the policy so that the new connection is not rejected but the oldest one is revoked instead. Spring Security allows this out of the box, just remove
error-if-maximum-exceeded="true"
from the concurrency-control tag:
<session-management>
<concurrency-control max-sessions="5"
expired-url="/login"
session-registry-alias="sessionRegistry"/>
</session-management>
I checked the Spring documentation below and tested.
http://docs.spring.io/spring-security/site/docs/current/reference/html/session-mgmt.html#concurrent-sessions
It turns out that you have to add this in your web.xml:
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
This listener will remove the session from the principal's entry in the registry when logging out. Otherwise, the session stays attached to the principal even after logging out. So that's why you'll keep getting the error "Maximum sessions of XX for this principal exceeded".
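As an added example that is not part of either answer above: the combined result of both answers (concurrency control without error-if-maximum-exceeded, plus the HttpSessionEventPublisher listener) expressed in Spring Security 4 Java config rather than XML. The class names SecurityConfig and SecurityWebApplicationInitializer are assumed; the URL mappings mirror the question's XML. It assumes the root application context that loads SecurityConfig is created elsewhere (for example by a separate WebApplicationInitializer), which is what the no-arg AbstractSecurityWebApplicationInitializer constructor expects.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * Java-config equivalent of the XML <session-management>, <form-login> and
 * <logout> elements from the question, with the concurrency policy changed
 * as the first answer suggests (evict the oldest session, do not reject login).
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/login_error").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")               // login-page="/login"
                .loginProcessingUrl("/login")      // login-processing-url="/login"
                .failureUrl("/login_error")        // authentication-failure-url
                .and()
            .logout()
                .logoutUrl("/logout")              // logout-url="/logout"
                .logoutSuccessUrl("/login")        // logout-success-url="/login"
                .invalidateHttpSession(true)       // invalidate-session="true"
                .and()
            .sessionManagement()
                .maximumSessions(5)                // max-sessions="5"
                // false = the oldest session is expired and the new login succeeds.
                // true would be the same as error-if-maximum-exceeded="true"
                // (new login rejected while old sessions are still registered).
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login")              // expired-url="/login"
                .sessionRegistry(sessionRegistry());
    }

    // Exposed as a bean so it can be injected elsewhere, like
    // session-registry-alias="sessionRegistry" in the XML.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }
}

/**
 * Equivalent of the web.xml <listener> from the second answer: registers
 * HttpSessionEventPublisher so that session destruction (logout or timeout)
 * is published and the SessionRegistry drops the session for that principal.
 * In a real project this would live in its own source file.
 */
class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
    @Override
    protected boolean enableHttpSessionEventPublisher() {
        return true;
    }
}
```

Both halves matter: without the listener, logged-out sessions stay counted against the principal until the 4-hour timeout, whichever concurrency policy is chosen. Evicting the oldest session is the less disruptive choice for users with stale sessions, but it also means anyone who can authenticate as that principal can push out the legitimate session, so keep maxSessionsPreventsLogin(true) where that trade-off is unacceptable.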