无法让 Spring Security 3 的 session 并发控制生效


使用 Spring Security 3.1.0,我似乎无法让并发 session 控制功能生效。当我在本地工作站上同时用 IE 和 Firefox 登录系统时,我在 session 注册表中看到了我的用户 principal(主体)两次。我期望并发 session 控制会把我注销、抛出异常,或者以其他方式表明我多次登录了该站点而这是不允许的。

顺便一提,即使指定站点使用自定义登录表单,我也无法通过 &lt;http&gt; 命名空间元素的自动配置让并发控制生效。我想知道这是否是因为我的身份验证是通过 LDAP 提供的……?

这是我的安全配置。

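<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 3.1 configuration: form login backed by two LDAP directories
  (Active Directory and Apache DS), with concurrent session control limited to
  one session per user.

  How the concurrency chain fits together:
    1. "myAuthFilter" (the form login filter) runs the "sas" strategy after a
       successful authentication. "sas" asks the session registry how many
       sessions this principal already owns; with maximumSessions=1 and
       exceptionIfMaximumExceeded=true a second login is REJECTED with a
       SessionAuthenticationException and the first session stays valid.
       (With exceptionIfMaximumExceeded=false the oldest session would be
       expired instead, which is the "log me out" behaviour.)
    2. "concurrencyFilter" checks every request against the registry and sends
       a session that has been marked expired to expiredUrl.

  NOTE(review): SessionRegistryImpl keys its bookkeeping on the principal
  object, i.e. on UserDetails.equals()/hashCode(). If
  PermissionedUserContextMapperImpl returns a custom UserDetails that does not
  override both, every login becomes a distinct key, the registry reports zero
  existing sessions, and the limit is never enforced. That matches the symptom
  of seeing the same user twice in the registry; the fix is in the Java
  UserDetails class, not in this file.

  NOTE(review): the registry only learns that a session ended (logout with
  invalidate-session, or a container timeout) if
  org.springframework.security.web.session.HttpSessionEventPublisher is
  registered as a listener in web.xml. Without it stale entries accumulate and
  can keep a user locked out after they have logged out.

  The schema location was aligned with the 3.1.0 release in use; the 3.0 XSD
  still loads, but would not validate 3.1 only attributes.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!--
    auto-config is off, so the form login filter and the concurrency filter are
    supplied explicitly below. The session-management element must point at the
    SAME strategy bean the login filter uses, otherwise the login is never
    registered in the session registry.
  -->
  <http auto-config="false" use-expressions="true"
        entry-point-ref="authenticationProcessingFilterEntryPoint">
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
    <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter"/>
    <session-management session-authentication-strategy-ref="sas"/>

    <!-- Public resources first; the catch-all "/**" rule must stay last. -->
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/css/**" access="permitAll"/>
    <intercept-url pattern="/images/**" access="permitAll"/>
    <intercept-url pattern="/js/**" access="permitAll"/>
    <intercept-url pattern="/public/**" access="permitAll"/>
    <intercept-url pattern="/home/**" access="permitAll"/>
    <intercept-url pattern="/admin/user/**" access="hasRole('AUTH_MANAGE_USERS')"/>
    <intercept-url pattern="/admin/group/**" access="hasRole('AUTH_MANAGE_USERS')"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>

    <access-denied-handler error-page="/403.html"/>
    <!--
      invalidate-session="true" destroys the HttpSession on logout; the session
      registry is only updated for it when HttpSessionEventPublisher is
      registered (see the header note).
    -->
    <logout invalidate-session="true" logout-success-url="/public/home.do"/>
  </http>

  <!--
    Entry point used when an unauthenticated request hits a protected URL.
    NOTE(review): forceHttps="false" keeps the redirect to the login page on
    plain HTTP, so the password and the session cookie travel in the clear
    unless TLS is terminated in front of the application. For production,
    consider forceHttps="true" together with requires-channel="https" on the
    login and login-processing URLs.
  -->
  <beans:bean id="authenticationProcessingFilterEntryPoint"
              class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/public/login.do"/>
    <beans:property name="forceHttps" value="false"/>
  </beans:bean>

  <!-- Redirects requests made on an expired (concurrency-evicted) session. -->
  <beans:bean id="concurrencyFilter"
              class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry"/>
    <beans:property name="expiredUrl" value="/expired.html"/>
  </beans:bean>

  <!--
    Custom form login filter (default processing URL /j_spring_security_check).
    NOTE(review): no authenticationFailureHandler is set. When "sas" rejects a
    second login, the default handler has no failure URL and answers with a bare
    HTTP 401, which is easy to mistake for "nothing happened". To surface the
    rejection on the login page, add e.g.
      <beans:property name="authenticationFailureHandler">
        <beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
          <beans:property name="defaultFailureUrl" value="/public/login.do?error=1"/>
        </beans:bean>
      </beans:property>
  -->
  <beans:bean id="myAuthFilter"
              class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="sessionAuthenticationStrategy" ref="sas"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>

  <!--
    Concurrency strategy: at most one session per principal; a second login
    is rejected rather than evicting the first one. In 3.1 this strategy also
    performs session fixation protection (session migration) on login.
  -->
  <beans:bean id="sas"
              class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
    <beans:property name="maximumSessions" value="1"/>
    <beans:property name="exceptionIfMaximumExceeded" value="true"/>
  </beans:bean>

  <!-- Providers are tried in order: Active Directory first, then Apache DS. -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider ref="ldapProvider"/>
    <authentication-provider ref="externalUserLdapProvider"/>
  </authentication-manager>

  <!-- Shared registry for the filter and the strategy; keyed by principal equality. -->
  <beans:bean id="sessionRegistry"
              class="org.springframework.security.core.session.SessionRegistryImpl"/>

  <!--
    NOTE(review): this singleton is built by calling SecurityContextHolder.getContext()
    once, on the thread that starts the container. Anything injected with it sees
    that one (startup-time) context forever, never the context of the current
    request. Left in place because other beans may reference the id, but callers
    should call SecurityContextHolder.getContext() at request time instead.
  -->
  <beans:bean id="securityContext"
              class="org.springframework.security.core.context.SecurityContextHolder"
              factory-method="getContext"/>

  <!--
    Active Directory provider: bind as the user found by "userSearch", then
    populate authorities via "userService" and map the entry to the
    application's UserDetails with "permissionedUserContextMapper".
  -->
  <beans:bean id="ldapProvider"
              class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg ref="bindAuthenticator"/>
    <beans:constructor-arg ref="userService"/>
    <beans:property name="userDetailsContextMapper" ref="permissionedUserContextMapper"/>
  </beans:bean>

  <!--
    Maps an LDAP entry to the application's UserDetails. This is the class whose
    returned UserDetails must implement equals()/hashCode() for concurrency
    control to recognise a repeat login (see the header note).
  -->
  <beans:bean id="permissionedUserContextMapper"
              class="...service.impl.PermissionedUserContextMapperImpl">
    <beans:property name="userDao" ref="userDao"/>
  </beans:bean>

  <!-- LDAP via AD -->
  <beans:bean id="bindAuthenticator"
              class="org.springframework.security.ldap.authentication.BindAuthenticator">
    <beans:constructor-arg ref="contextSource"/>
    <beans:property name="userSearch" ref="userSearch"/>
  </beans:bean>

  <!--
    Locate the AD account by sAMAccountName anywhere under the context source's
    base DN (empty search base, subtree scope). {0} is passed as a filter
    argument rather than concatenated into the filter, so the supplied username
    should be escaped by the LDAP provider; do not build the filter by hand.
    NOTE(review): subtree searches from an AD domain root commonly return
    referrals; if a PartialResultException appears, set referral=follow on
    "contextSource".
  -->
  <beans:bean id="userSearch"
              class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg value=""/>
    <beans:constructor-arg value="(sAMAccountName={0})"/>
    <beans:constructor-arg ref="contextSource"/>
    <beans:property name="searchSubtree" value="true"/>
  </beans:bean>

  <!--
    AD connection. The manager account is only used for the user search; the
    user's own password is verified by the subsequent bind.
    NOTE(review): keep the real userDn/password out of version control, e.g. via
    a property placeholder resolved from an external file or the environment.
  -->
  <beans:bean id="contextSource"
              class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://omitted"/>
    <beans:property name="userDn" value="ommitted"/>
    <beans:property name="password" value="omitted"/>
  </beans:bean>

  <!-- Second LDAP Authenticator (Apache DS) -->
  <beans:bean id="externalUserLdapProvider"
              class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg ref="externalUserBindAuthenticator"/>
    <beans:constructor-arg ref="userService"/>
    <beans:property name="userDetailsContextMapper" ref="permissionedUserContextMapper"/>
  </beans:bean>

  <!--
    Direct bind using a DN pattern (relative to the context source base DN), so
    no search, and therefore no manager credentials, are needed here.
  -->
  <beans:bean id="externalUserBindAuthenticator"
              class="org.springframework.security.ldap.authentication.BindAuthenticator">
    <beans:constructor-arg ref="externalUserContextSource"/>
    <beans:property name="userDnPatterns">
      <beans:list>
        <beans:value>cn={0},ou=Users</beans:value>
      </beans:list>
    </beans:property>
  </beans:bean>

  <!-- No userDn/password: any non-bind operations run as an anonymous bind. -->
  <beans:bean id="externalUserContextSource"
              class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://omitted"/>
  </beans:bean>

</beans:beans>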

如果用户登录了超过 1 个 session,我是否缺少某个应该让并发控制策略出手阻止的属性?我知道同一用户正在登录多个 session,因为我在 session 注册表中看到了重复的 principal。

非常感谢任何/所有回复!提前致谢!

请您参考如下方法:

SessionRegistryImpl 使用 UserDetails 的 equals()/hashCode() 来查找同一用户已有的 session。如果你使用了自定义的 UserDetails(例如由 PermissionedUserContextMapperImpl 返回的对象),它可能没有重写这两个方法:这样每次登录的 principal 都会成为注册表中一个新的键,策略查到的已有 session 数为 0,于是第二次登录被放行,注册表里也就出现了同一用户的两条记录。另外,要让注册表在 session 失效(注销或超时)时得到通知,还需要在 web.xml 中注册 HttpSessionEventPublisher 监听器,否则过期的条目会一直残留。

