
Invalidate session spring security

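My web application uses Spring Security to authenticate users at login. I also have concurrency control to prevent a user from being logged in twice on different machines. This works fine, but my problem is: if a user logs in on a machine and then closes the browser, then reopens the web application and tries to log in again, he gets the message "Maximum sessions of 1 for this principal exceeded". I want to invalidate the session when the browser is closed. How can I do that?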

Spring-security.xml

  <?xml version="1.0" encoding="UTF-8"?>
  <beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
                       http://www.springframework.org/schema/beans/spring-beans.xsd
                       http://www.springframework.org/schema/security
                       http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <security:global-method-security
        secured-annotations="enabled" />

  <security:http auto-config="false"
        authentication-manager-ref="authenticationManager" use-expressions="true">
        <!-- Override default login and logout pages -->
        <security:form-login
              authentication-failure-handler-ref="fail"
              authentication-success-handler-ref="success" login-page="/car/login.xhtml"
              default-target-url="/jsf/car/home.xhtml" />
        <security:logout invalidate-session="true"
              logout-url="/j_spring_security_logout" success-handler-ref="customLogoutHandler" delete-cookies="JSESSIONID"/>
        <security:session-management>
              <security:concurrency-control
                    max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:intercept-url pattern="/jsf/**"
              access="isAuthenticated()" />
        <security:intercept-url pattern="/run**"
              access="isAuthenticated()" />
        <security:intercept-url pattern="/pages/login.xhtml"
              access="permitAll" />
  </security:http>

  <bean id="success" class="com.car.LoginSuccess" />

  <bean id="fail" class="com.car.LoginFailed">
        <property name="defaultFailureUrl" value="/?login_error=true" />
  </bean>
  <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

  <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
              user-service-ref="userDetailsService">
              <security:password-encoder ref="passwordEncoder"
                    hash="sha" />
        </security:authentication-provider>
  </security:authentication-manager>

  </beans>

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

public class FilterToGetTimeOut extends OncePerRequestFilter {

    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        String uri = request.getRequestURI();
        // "login" is a session attribute expected to be set when the user logs in
        Object login = request.getSession().getAttribute("login");
        if (uri.equals("/") || uri.equals("/car/login.xhtml")) {
            if (Boolean.TRUE.equals(login)) {
                response.sendRedirect("/jsf/car/home.xhtml");     // After login page
                return;   // Response is committed; do not continue the chain
            }
        } else if (login == null && !uri.equals("/j_spring_security_logout")) {
            // If timeout is true, send the session timeout error message to the JSP
            response.sendRedirect(request.getContextPath() + "/?timeout=true");
            return;
        }
        filterChain.doFilter(request, response);
    }
}

Add the following code for the "/" (first page) request and the logout request.

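import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class LoginController {

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public ModelAndView loadApp(HttpServletRequest request) {
        // getSession(false): do not create a session if none exists
        HttpSession session = request.getSession(false);
        SecurityContextHolder.clearContext();
        if (session != null) {
            // Drop any existing session before showing the login page
            session.invalidate();
        }

        return new ModelAndView("/car/login");
    }
}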

Use this filter: How to get session timeout message using Spring Security
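
As an added example (not part of the original question or answer, and not the poster's configuration): a server cannot observe a browser being closed, so the old session stays in Spring Security's session registry until the container expires it. The fragments below show the two standard settings that govern this, `HttpSessionEventPublisher` in `web.xml` and `error-if-maximum-exceeded` in the security config; the 15-minute timeout is an assumed value.

```xml
<!-- web.xml (added example; the timeout value is an assumption) -->
<listener>
  <!-- Publishes session-destroyed events so the SessionRegistry used by
       concurrency-control drops sessions when the container expires them -->
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<session-config>
  <!-- Minutes of inactivity before the container expires an abandoned session -->
  <session-timeout>15</session-timeout>
</session-config>

<!-- Spring-security.xml, inside <security:http> -->
<security:session-management>
  <!-- error-if-maximum-exceeded="true" (the setting in the question) rejects the
       new login while the old session is still registered.
       "false" (the default) accepts the new login and marks the oldest
       session as expired. -->
  <security:concurrency-control
        max-sessions="1" error-if-maximum-exceeded="false" />
</security:session-management>
```

With `false`, a second login displaces the first session instead of being refused, so the policy changes from "first login wins" to "last login wins". Keeping `true` is still workable with the listener in place, but the user stays locked out until the abandoned session times out.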
