spring security3.2 限制同一用户多次登录
项目使用的是:spring MVC 3.2.2
hibernate4.2
spring Security3.2
查询网上的相关资料说配置
web.xml
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
applicationContext-security.xml
<session-management>
<concurrency-control session-registry-ref="sessionRegistry" max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
UserManager.java是我实现UserDetails接口的类
在此类中重写了equals方法和hashCode方法就可以限制同一用户多次登录了,
但是我这样配置后,同一用户还是可以在多个地方登录
说明:
用户信息我是从数据库中读出来的
applicationContext-security.xml
--------------------编程问答-------------------- spring Security好像不能实现单点登录吧,不知道是不是孤陋寡闻,你看看
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<context:component-scan base-package="com.xp.security" />
<global-method-security pre-post-annotations="enabled" />
<!-- 该路径下的资源不用过滤 -->
<http pattern="/admin/js/**" security="none"/>
<http use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint">
<!-- <form-login login-processing-url="loginFilter" /> -->
<!--尝试访问没有权限的页面时跳转的页面 -->
<access-denied-handler error-page="/common/403.jsp" />
<logout logout-url="/admin/logout.do" logout-success-url="/admin/login.jsp"/>
<!-- 实现免登陆验证 -->
<remember-me />
<session-management>
<concurrency-control session-registry-ref="sessionRegistry" max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
<custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />
<custom-filter ref="springSecurityFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
</http>
<!-- 登录验证器 -->
<beans:bean id="loginFilter" class="com.xp.security.SpringSecurityAuthFilter">
<!-- 处理登录 -->
<beans:property name="filterProcessesUrl" value="/admin/login.do"></beans:property>
<beans:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler"></beans:property>
<beans:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler"></beans:property>
<beans:property name="authenticationManager" ref="securityAuthenticationManager"></beans:property>
<!-- <beans:property name="usersDao" ref="usersDao"></beans:property> -->
</beans:bean>
<beans:bean id="loginLogAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/index.jsp"></beans:property>
</beans:bean>
<beans:bean id="simpleUrlAuthenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/admin/login.jsp"></beans:property>
</beans:bean>
<!-- 配置过滤器 -->
<beans:bean id="springSecurityFilter" class="com.xp.security.SpringSecurityFilter">
<!-- 用户拥有的权限 -->
<beans:property name="authenticationManager" ref="securityAuthenticationManager" />
<!-- 用户是否拥有所请求资源的权限 -->
<beans:property name="accessDecisionManager" ref="securityAccessDecisionManager" />
<!-- 资源与权限对应关系 -->
<beans:property name="securityMetaDataSource" ref="securityMetaDataSource" />
</beans:bean>
<!-- 实现了UserDetailsService的Bean -->
<authentication-manager alias="securityAuthenticationManager">
<authentication-provider user-service-ref="springSecurityService" />
</authentication-manager>
<beans:bean id="securityAccessDecisionManager" class="com.xp.security.SecurityAccessDecisionManager"></beans:bean>
<beans:bean id="securityMetaDataSource" class="com.xp.security.SpringSecurityMetaDataSource">
<beans:constructor-arg name="resourceDao" ref="resourceDao"></beans:constructor-arg>
</beans:bean>
<beans:bean id="springSecurityService" class="com.xp.security.SpringSecurityService">
</beans:bean>
<!-- 未登录的切入点 -->
<beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/admin/login.jsp"></beans:property>
</beans:bean>
</beans:beans>
CAS(Central Authentication Service)这个东西可以实现单点登录。 --------------------编程问答--------------------
这个不是单点登录,这个是防止同一个用户进行多次登录,就像qq一样。 --------------------编程问答-------------------- 帮顶!期待高手回答。 --------------------编程问答-------------------- --------------------编程问答-------------------- --------------------编程问答-------------------- 请参考我的基于spring,security,struts的开源项目
http://blog.csdn.net/shadowsick --------------------编程问答-------------------- 楼主解决了吗?我现在也遇到这个问题。真奇了怪了。 --------------------编程问答--------------------
<session-management>--------------------编程问答--------------------
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
security有提供cas单点登录的整合,只是替换提供的cas实现类就可以了,比较方便 --------------------编程问答-------------------- web.xml中
<listener>--------------------编程问答-------------------- applicationContext-security.xml 里面配置:
<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>
<beans:bean id="sas" class="*.*.*.ConcurrentSessionControlStrategy">
<beans:constructor-arg ref="sessionRegistry"/>
<beans:property name="alwaysCreateSession" value="true"/>
<beans:property name="exceptionIfMaximumExceeded" value="true"/>
<beans:property name="maximumSessions" value="9"/>
<!--这个9 是最多可以登录的用户 -->
<beans:property name="errorUrl" value="***/login.jsp?code=MaxLoginUser"/>
</beans:bean>
ConcurrentSessionControlStrategy 中
public class ConcurrentSessionControlStrategy extends
SessionFixationProtectionStrategy implements MessageSourceAware{
private final SessionRegistry sessionRegistry;
private boolean exceptionIfMaximumExceeded = false;
private int maximumSessions = 1;
private String errorUrl;
方法:
public void onAuthentication(Authentication authentication,
HttpServletRequest request, HttpServletResponse response) {
final List<SessionInformation> sessions = sessionRegistry
.getAllSessions(authentication.getName(), false);
int sessionCount = sessions.size();
if (sessionCount < maximumSessions ) {
//没过最多登录用户
return true;
}else{
.....做你想要做的事情 return false ;可以跳 回登录
}
补充:Java , Java EE