-1

私のSpring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:p="http://www.springframework.org/schema/p" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security 

            http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- This is where we configure Spring-Security  -->

    <security:global-method-security pre-post-annotations="enabled" />
    <!-- <security:global-method-security secured-annotations="enabled" /> -->

    <security:http auto-config="false" use-expressions="true" access-denied-page="/access-deniad" 
            entry-point-ref="authenticationEntryPoint">
        <security:intercept-url pattern="/RetailEnterpriseSuite/login.do" access="permitAll"  requires-channel="https" />
        <security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
        <!-- <security:intercept-url pattern="/common" access="hasRole('ROLE_USER')"/> -->
        <security:intercept-url pattern="/users" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/*" access="permitAll" requires-channel="any"/>

        <security:logout 
                invalidate-session="true" 
                logout-success-url="/login.html" 
                logout-url=""/>

        <!-- 
            Querying the SessionRegistry for currently authenticated users and their sessions
            http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals 
        -->
        <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
        <security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
        <security:custom-filter ref="singleEntryFilter" after="FORM_LOGIN_FILTER"/>
        <security:session-management session-authentication-strategy-ref="sas"/>
    </security:http>



    <bean id="singleEntryFilter" class="com.stc.res.filter.SingleEntryFilter" 
            p:redirectURI="/login.html">
            <property name="guardURI">
                <list>
                    <!-- <value>/index.html</value> -->
                    <value>/index.html</value>
                    <!-- <value>/index.html</value>
                    <value>/index.html</value>
                    <value>/index.html</value>
                    <value>/index.html</value> -->
                </list>
            </property>
    </bean>
    <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
        p:sessionAuthenticationStrategy-ref="sas"
        p:authenticationManager-ref="authenticationManager" 
        p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
        p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/>

    <!-- We just actually need to set the default failure url here -->
    <bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
        p:defaultFailureUrl="/loginfailed" />

     <!-- We just actually need to set the default target url here -->

     <bean id= "customAuthenticationSuccessHandler"  class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <property name="redirectStrategy" ref="customSuccessRedirStrategy" />
     </bean>
    <!-- <bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
         p:redirectStrategy-ref="customSuccessRedirStrategy" /> -->

    <bean id= "customSuccessRedirStrategy"  class=" com.stc.res.customeredirection.CustomSuccessRedirection"> </bean>   



    <!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page,
            whenever the server sends back a response requiring authentication -->
    <!-- See Spring-Security Reference 5.4.1 for more info -->
    <bean id="authenticationEntryPoint"  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
        p:loginFormUrl="/login.html"/>

    <!-- Declare an authentication-manager to use a custom userDetailsService -->
    <!-- It's important to set the alias here because it's used by the authenticationFilter -->
    <security:authentication-manager alias="authenticationManager">
       <security:authentication-provider user-service-ref="userservice">
        <security:password-encoder ref="passwordEncoder">
                  <security:salt-source ref="saltSource"/>
        </security:password-encoder>
        </security:authentication-provider>
         <security:authentication-provider user-service-ref="jdbcUserService"/> 
    </security:authentication-manager>

    <bean id="userservice"  class="com.stc.res.service.UserLoginService" >
        <property name="usrlogindao" ref="userLogindao"/>
    </bean> 

    <bean id="userLogindao" class = "com.stc.res.dao.UserLoginDao" />

    <bean id="jdbcUserService" class="com.stc.res.service.JdbcUserService">
        <property name="customJdbcDao" ref="custjdbcDao"/>
    </bean>

    <bean id="custjdbcDao"  class= "com.stc.res.dao.CustomJdbcDaoImpl">
        <property name="dataSource" ref="dataSource"/>
    </bean>


    <bean id="jdbcAdminUserService" class="com.stc.res.controller.JdbcAdminUserService">
        <property name="dataSource" ref="dataSource"/>
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>


    <!-- Use a Sha  encoder since the user's passwords are stored as Md5 in the database -->
    <bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder"/>
    <bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
            <property name="userPropertyToUse" value="username"/>
    </bean>

    <!-- <security:bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.PersistentTokenBasedRememberMeServices"> 
        <property name="tokenRepository" ref="jdbcTokenRepository" /> 
        <property name="userDetailsService" ref="userservice" /> 
        <property name="key" value="springRocks" /> 
        <property name="alwaysRemember" value="false" /> 
   </security:bean>

   Uses a database table to maintain a set of persistent login data 
    <security:bean id="jdbcTokenRepository" class="org.springframework.security.ui.rememberme.JdbcTokenRepositoryImpl"> 
        <property name="createTableOnStartup" value="false" /> 
        <property name="dataSource" ref="dataSource" /> 
    </security:bean> 
   -->


     <!-- An in-memory list of users. No need to access an external database layer.
            See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication -->
     <!-- john's password is admin, while jane;s password is user  -->



    <!-- Filter required by concurrent session handling package 
            The ConcurrentSessionFilter requires two properties, sessionRegistry, which generally points to an 
            instance of SessionRegistryImpl, and expiredUrl, which points to the page to display when a session has expired.
            See: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals -->
    <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"
            p:sessionRegistry-ref="sessionRegistry" 
            p:expiredUrl="/login.html" />

    <!--  Defines a concrete concurrent control strategy 
             Checks whether the user in question should be allowed to proceed, by comparing the number of 
             sessions they already have active with the configured maximumSessions value. The SessionRegistry 
             is used as the source of data on authenticated users and session data.
             See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.html-->
    <bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
            p:maximumSessions="1"  error-if-maximum-exceeded="true" >
            <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    </bean>

    <!-- Maintains a registry of SessionInformation instances
           See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/session/SessionRegistry.html -->
    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> 

</beans>

そして、web.xmlで構成しました。

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <filter>
    <display-name>MycustomFilter</display-name>
    <filter-name>MycustomFilter</filter-name>
    <filter-class>com.stc.res.filter.MycustomFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>MycustomFilter</filter-name>
    <url-pattern>/MycustomFilter</url-pattern>
  </filter-mapping>

 listener>
    <listener-class>
    org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
  </listener> 

このコードのどこに問題があるのか​​教えてください、そして私を案内してください。私は春のセキュリティに不慣れです。ユーザーでも、ログアウトせずに別のブラウザからログインできます。

4

1 に答える 1

0

公式ドキュメントからこのスニペットを試しましたか(複数のログインを防ぎます):

<security:http ... >

    ....

    <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </security:session-management>        
</security:http>
于 2013-03-19T10:32:41.867 に答える