Spring Security 基本配置

标签 spring spring-mvc spring-security configuration

我想按以下方式使用 Spring security 配置 spring MVC 应用程序。

  1. 仅允许一次并发登录。
  2. 当 HTTP session 过期时,用户将被重定向到/security/sessionTimeout.html
  3. 当用户成功登录时,他将被重定向到“/”文件夹。
  4. 当用户注销时,他也会被重定向到“/”。

我按照以下方式配置它:

   <security:http>
 <security:form-login login-page="/security/login.html" login-processing-url="/login" authentication-failure-url="/login.jsp?login_error=1" default-target-url="/"/> 
  <security:session-management invalid-session-url="/security/sessionTimeout.html">
        <security:concurrency-control max-sessions="1" />
    </security:session-management>
  <security:logout logout-url="/logout" logout-success-url="/"/>
    </security:http>

我有以下问题:

  1. 我可以在 2 个不同的浏览器上使用同一帐户登录(并发控制不起作用)
  2. 当我点击注销时,我被重定向到“/security/sessionTimeout.html”而不是“/”。

我遵循了 Spring 安全引用指南。 我做错了什么?

更新: 这就是我的 web.xml 的样子。

 <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>WEB-INF/springSecurity-servlet.xml</param-value>
</context-param>
 <display-name>SpringSecurity</display-name>
    <servlet>
    <servlet-name>springSecurity</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>springSecurity</servlet-name>
    <url-pattern>*.html</url-pattern>
  </servlet-mapping>
   <servlet-mapping>
    <servlet-name>springSecurity</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>springSecurity</servlet-name>
    <url-pattern>/index.html</url-pattern>
  </servlet-mapping>
   <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

更新 2: 只需在 Debug模式下运行 log4j,这就是我单击注销时得到的结果:

DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 1 of 11 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:130) - No HttpSession currently exists
    DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: null. A new one will be created.
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    DEBUG [http-8080-2] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
    DEBUG [http-8080-2] (SessionManagementFilter.java:87) - Requested session IDD8429BBAAA9561A97E1D2350ED63BC35 is invalid.
    DEBUG [http-8080-2] (SessionManagementFilter.java:90) - Starting new session (if required) and redirecting to '/security/sessionTimeout.html'

感觉就像我在 /index.html 上应用了 session 管理过滤器,然后不存在 session 。我该如何解决?

最佳答案

来自the Spring Security documentation :

要使用并发 session 支持,您需要将以下内容添加到 web.xml:

<listener>
  <listener-class>
    org.springframework.security.web.session.HttpSessionEventPublisher
  </listener-class>
</listener>

这个是你添加的吗?

关于Spring Security 基本配置,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/6738758/

上一篇:sql-server-2005 - SQL "WITH"子句/语句

下一篇:java - Json 字符串到具有动态键名称的 Java 对象

相关文章:

java - 如何在 Spring 3 的 Java 配置中连接我的 Hibernate 4 拦截器?

spring - spring框架和spring roo有什么区别

java - Spring 3 基于注解的验证 : password and confirm password

Spring如何解析@RepositoryRestController中的实体uri

java - 从 Spring Boot 中的基本身份验证中删除 WWW-authenticate header

java - Spring+MyBatis异常: Mapped Statements collection does not contain value for

java - 如何从数据库中获取用户名和密码并传递给 Spring MVC 中的方法

angularjs - 带有 spring-boot 和 angularjs 的 CORS 不起作用

java - 具有用户名和 ID 的 Spring Security RememberMe 函数

java - 使用 java 配置进行 n 因素身份验证

©2024 IT工具网  联系我们