<!-- web.xml: publishes HttpSession lifecycle events into the Spring context so the
     SessionRegistry can drop sessions that have ended. Without this listener, ended
     sessions keep counting against max-sessions and a user can stay locked out. -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<!-- Placed inside <http>: one session per user. With error-if-maximum-exceeded="true" a
     second login is refused rather than the older session being expired.
     The sessionRegistry bean it refers to must be defined elsewhere in the context. -->
<session-management>
    <concurrency-control
        max-sessions="1"
        error-if-maximum-exceeded="true"
        session-registry-ref="sessionRegistry" />
</session-management>
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- Register annotated components found under com.xp.security. -->
<context:component-scan base-package="com.xp.security" />
<!-- Enable the pre-/post-invocation method security annotations. -->
<global-method-security pre-post-annotations="enabled" />
<!-- Resources under this path are not filtered. security="none" gives matching requests
     no security filter chain at all, so keep the pattern limited to static assets. -->
<http security="none" pattern="/admin/js/**" />
<!-- Main filter chain. Unauthenticated requests are handed to the entry point bean.
     NOTE(review): there are no intercept-url rules here, so URL authorization rests
     entirely on the springSecurityFilter custom filter below. -->
<http entry-point-ref="authenticationProcessingFilterEntryPoint"
      use-expressions="true">
    <!-- <form-login login-processing-url="loginFilter" /> -->
    <!-- Page shown when the user requests a page they have no permission for. -->
    <access-denied-handler error-page="/common/403.jsp" />
    <logout logout-success-url="/admin/login.jsp"
            logout-url="/admin/logout.do" />
    <!-- Remember-me: login without re-entering credentials.
         NOTE(review): no key attribute is set; prefer an explicit, application-specific
         key over the version-dependent default. -->
    <remember-me />
    <!-- One session per user; a second login is refused.
         NOTE(review): the login filter is a custom bean in the FORM_LOGIN_FILTER slot.
         Spring Security documents that concurrent session control must then be wired
         explicitly (a session authentication strategy set on that filter); confirm
         that this limit is really enforced at login. -->
    <session-management>
        <concurrency-control
            max-sessions="1"
            error-if-maximum-exceeded="true"
            session-registry-ref="sessionRegistry" />
    </session-management>
    <custom-filter position="FORM_LOGIN_FILTER" ref="loginFilter" />
    <custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="springSecurityFilter" />
</http>
<!-- Login authentication filter (custom class), installed at FORM_LOGIN_FILTER.
     NOTE(review): no sessionAuthenticationStrategy or rememberMeServices property is
     set here. If the class extends the stock authentication filter, the
     concurrency-control and remember-me settings in <http> are presumably not
     applied to logins through it; verify against SpringSecurityAuthFilter. -->
<beans:bean id="loginFilter" class="com.xp.security.SpringSecurityAuthFilter">
    <!-- URL that login submissions are processed on. -->
    <beans:property name="filterProcessesUrl" value="/admin/login.do" />
    <beans:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler" />
    <beans:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
    <beans:property name="authenticationManager" ref="securityAuthenticationManager" />
    <!-- <beans:property name="usersDao" ref="usersDao"></beans:property> -->
</beans:bean>
<!-- Success handler used by loginFilter; /index.jsp is its default target URL. -->
<beans:bean
    id="loginLogAuthenticationSuccessHandler"
    class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/index.jsp" />
</beans:bean>
<!-- Failure handler used by loginFilter; failed logins go back to the login page. -->
<beans:bean
    id="simpleUrlAuthenticationFailureHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/admin/login.jsp" />
</beans:bean>
<!-- Custom authorization filter, inserted before FILTER_SECURITY_INTERCEPTOR by <http>. -->
<beans:bean id="springSecurityFilter" class="com.xp.security.SpringSecurityFilter">
    <!-- Supplies the permissions the user holds. -->
    <beans:property name="authenticationManager"
                    ref="securityAuthenticationManager" />
    <!-- Decides whether the user holds the permission for the requested resource. -->
    <beans:property name="accessDecisionManager"
                    ref="securityAccessDecisionManager" />
    <!-- Mapping between resources and the permissions they require. -->
    <beans:property name="securityMetaDataSource"
                    ref="securityMetaDataSource" />
</beans:bean>
<!-- Authentication manager backed by the bean that implements UserDetailsService.
     NOTE(review): no password-encoder is declared on the provider. Unless hashing is
     handled elsewhere, submitted passwords are compared with the stored value as-is;
     confirm how credentials are stored. -->
<authentication-manager alias="securityAuthenticationManager">
    <authentication-provider user-service-ref="springSecurityService" />
</authentication-manager>
<!-- Custom access decision manager referenced by springSecurityFilter. -->
<beans:bean id="securityAccessDecisionManager"
            class="com.xp.security.SecurityAccessDecisionManager" />
<!-- Custom metadata source referenced by springSecurityFilter. It is built from the
     resourceDao bean, which is not defined in this file. -->
<beans:bean id="securityMetaDataSource"
            class="com.xp.security.SpringSecurityMetaDataSource">
    <beans:constructor-arg name="resourceDao" ref="resourceDao" />
</beans:bean>
<!-- User service referenced by the authentication-provider (custom class).
     NOTE(review): SessionRegistryImpl keys sessions by principal, so per-user session
     limits presumably need the returned user object to implement equals/hashCode;
     verify in SpringSecurityService. -->
<beans:bean id="springSecurityService"
            class="com.xp.security.SpringSecurityService" />
<!-- Entry point for requests that are not logged in: sends them to the login page. -->
<beans:bean
    id="authenticationProcessingFilterEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/admin/login.jsp" />
</beans:bean>
</beans:beans>
<!-- Explicit wiring for a custom login filter: the concurrency filter and the login
     filter are installed by hand, and session management delegates to the "sas" bean. -->
<http>
    <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
    <custom-filter ref="myAuthFilter" position="FORM_LOGIN_FILTER" />
    <session-management session-authentication-strategy-ref="sas" />
</http>
<!-- Filter installed at CONCURRENT_SESSION_FILTER; it reads the shared sessionRegistry
     and uses /session-expired.htm as its expired-session URL. -->
<beans:bean
    id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl" value="/session-expired.htm" />
</beans:bean>
<!-- Login filter with the session strategy injected explicitly, so the session limit
     is checked as part of authentication. The authenticationManager bean is defined
     elsewhere. -->
<beans:bean
    id="myAuthFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="sessionAuthenticationStrategy" ref="sas" />
    <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<!-- Composite session strategy. The delegates run in list order: the concurrent-session
     check (max 1, exception when exceeded), then session fixation protection, then
     registration of the new session in the registry. -->
<beans:bean
    id="sas"
    class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean
                class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                <beans:constructor-arg ref="sessionRegistry" />
                <beans:property name="maximumSessions" value="1" />
                <beans:property name="exceptionIfMaximumExceeded" value="true" />
            </beans:bean>
            <beans:bean
                class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
            <beans:bean
                class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                <beans:constructor-arg ref="sessionRegistry" />
            </beans:bean>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>
<!-- Session registry shared by the concurrency filter and the session strategies. -->
<beans:bean
    id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />
<!-- Variant using the poster's own ConcurrentSessionControlStrategy class. The "*.*.*"
     package and the "***" URL prefix are left masked exactly as posted. -->
<beans:bean
    id="sas"
    class="*.*.*.ConcurrentSessionControlStrategy">
    <beans:constructor-arg ref="sessionRegistry" />
    <beans:property name="alwaysCreateSession" value="true" />
    <beans:property name="exceptionIfMaximumExceeded" value="true" />
    <beans:property name="maximumSessions" value="9" />
    <!-- This 9 is the maximum number of users that can log in.
         NOTE(review): the class shown with this bean counts sessions per
         authentication.getName(), so this looks like a per-user limit; confirm. -->
    <beans:property name="errorUrl" value="***/login.jsp?code=MaxLoginUser" />
</beans:bean>
ConcurrentSessionControlStrategy 中
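/**
 * Sketch of a customised concurrent-session strategy: refuses a login once the user
 * already holds {@code maximumSessions} live sessions.
 *
 * The post shows only the fields and the session check; the constructor, the property
 * setters and setMessageSource(...) are omitted here as they were in the post.
 */
public class ConcurrentSessionControlStrategy extends
        SessionFixationProtectionStrategy implements MessageSourceAware {
    private final SessionRegistry sessionRegistry;
    private boolean exceptionIfMaximumExceeded = false;
    private int maximumSessions = 1;
    private String errorUrl;

    // ... constructor, setters and setMessageSource(...) not shown in the post ...

    /**
     * Checks the session limit for the user that has just authenticated.
     *
     * The method is void, so a refusal cannot be reported with a return value. It is
     * signalled by throwing an AuthenticationException subtype, which lets the
     * authentication filter run its failure handler (for example a redirect back to
     * the login page).
     *
     * @throws org.springframework.security.web.authentication.session.SessionAuthenticationException
     *         when the user already has maximumSessions live sessions
     */
    public void onAuthentication(Authentication authentication,
            HttpServletRequest request, HttpServletResponse response) {
        // Live (non-expired) sessions currently registered under this user name.
        // NOTE(review): the lookup key is getName(); sessions must be registered under
        // the same key or this list will always be empty.
        final List<SessionInformation> sessions = sessionRegistry
                .getAllSessions(authentication.getName(), false);
        int sessionCount = sessions.size();

        if (sessionCount >= maximumSessions) {
            // Limit reached: refuse this login.
            throw new org.springframework.security.web.authentication.session.SessionAuthenticationException(
                    "Maximum sessions of " + maximumSessions + " for this principal exceeded");
        }

        // Limit not reached. Returning at this point would skip the inherited session
        // fixation protection and leave the new session unregistered, so the count
        // above would never grow. Run both steps before returning.
        super.onAuthentication(authentication, request, response);
        sessionRegistry.registerNewSession(request.getSession().getId(),
                authentication.getName());
    }
}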
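<!-- web.xml: publishes HttpSession lifecycle events so the session registry can drop
     sessions that have ended. The class lives in the web.session package in the
     Spring Security 3.x line this page's configuration targets
     (spring-security-3.1.xsd); the older ui.session package name does not match the
     <session-management> namespace element used with it. -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>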
<!-- Placed inside <http>: one session per user; a second login is refused instead of
     expiring the first. No session-registry-ref is given, so no registry bean is named here. -->
<session-management>
    <concurrency-control
        error-if-maximum-exceeded="true"
        max-sessions="1" />
</session-management>