我有以下 Spring 配置:-
static SessionRegistry SR;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/forgotPwd", "/resetPwd").permitAll()
.anyRequest().authenticated().and().formLogin().loginPage("/login")
.defaultSuccessUrl("/home").failureUrl("/login?error").permitAll()
.successHandler(authenticationSuccessHandler) // autowired or defined below
.and().logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessHandler(myLogoutSuccessHandler)
.permitAll()
.and().sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true)
.sessionRegistry(SR);
}
@Bean
public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
}
我期待 sessionManagement().maximumSessions(1) 禁用同一用户的多次登录。它正在工作,但首先用户注销应用程序,所以我尝试在另一个浏览器中登录,但它显示This account is already used by someone。
请您告诉我哪里出了问题。
最佳答案
删除您的httpSessionEventPublisher 和SessionRegistry
试试这个配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/", "/forgotPwd", "/resetPwd").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").defaultSuccessUrl("/home").failureUrl("/login?error").permitAll()
.and()
.sessionManagement()
.maximumSessions(1);
}
您可以在application.properties
server.session.timeout= # Session timeout in seconds.
关于java - 在 spring security + spring boot 中禁用同一用户的多个登录,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44155608/