스프링 보안 3.2에서 동시성 제어를 구현하려고 합니다. 인증에는 form-login을 사용합니다. 아래는 제 security.xml입니다. 스프링 보안 동시 제어가 작동하지 않습니다.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
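<!--
  Web-layer security rules (Spring Security 3.2 namespace).

  Login is handled by the filter that <form-login> creates for
  /j_spring_security_check. The "sas" strategy named on <session-management>
  is applied by that filter after a successful authentication, which is where
  the one-session-per-user limit is enforced.

  No second UsernamePasswordAuthenticationFilter is registered in this chain.
  A filter of that class placed before FORM_LOGIN_FILTER listens on the same
  default URL, answers every login POST first, and uses its own default
  success/failure handling, so the authentication-failure-url and
  default-target-url declared on <form-login> would never take effect.

  NOTE(review): access-denied-page is deprecated in 3.x in favour of the
  <access-denied-handler> child element; it is kept here unchanged.
  NOTE(review): no <csrf/> element is declared. In the 3.2 XML namespace CSRF
  protection is only active when that element is present; enabling it requires
  every POST form, including the login form, to submit the token.
-->
<http access-denied-page="/login.html" create-session="ifRequired">
    <!-- Only these two pages demand ROLE_USER; no other pattern is listed in
         this block, so other URLs are not restricted by it. -->
    <intercept-url pattern="/settings.html" access="ROLE_USER"/>
    <intercept-url pattern="/history.html" access="ROLE_USER"/>

    <form-login login-page="/"
                login-processing-url="/j_spring_security_check"
                authentication-failure-url="/error.do"
                default-target-url="/logged.do"
                always-use-default-target="true"/>

    <logout logout-url="/j_spring_security_logout"
            logout-success-url="/index.html"
            invalidate-session="true"/>

    <!-- Hands the composite strategy (concurrency check, session-fixation
         protection, registry registration) to the form-login filter. -->
    <session-management session-authentication-strategy-ref="sas"/>

    <!-- Application filter that runs right after the login filter. -->
    <custom-filter ref="accessFilter" after="FORM_LOGIN_FILTER"/>

    <!-- Without <concurrency-control> the namespace adds no
         ConcurrentSessionFilter, so the hand-configured one takes the slot.
         It redirects requests on sessions the registry has marked expired. -->
    <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
</http>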
<!--
  Single registry shared by the concurrency filter and the session
  authentication strategies in this file.
  SessionRegistryImpl looks sessions up by the principal object, so the limit
  only works when two logins of the same user yield principals that are equal.
  NOTE(review): verify that the UserDetails class returned by the custom
  user-details services implements equals() and hashCode(); those classes are
  not shown here.
-->
<beans:bean class="org.springframework.security.core.session.SessionRegistryImpl"
            id="sessionRegistry"/>

<!-- Project filter inserted after FORM_LOGIN_FILTER by the <http> block. -->
<beans:bean class="ua.com.site.http.filter.PlayerAccessFilter"
            id="accessFilter"/>
<!--
  The two user-details services behind the authentication providers.
  Both are project classes wired with the same playerDao; what each returns
  as the stored credential is not visible in this file.
-->
<beans:bean class="ua.com.site.web.security.cristal.PasswordUserDetailService"
            id="passwordUserDetailService">
    <beans:property ref="playerDao" name="playerDao"/>
</beans:bean>

<beans:bean class="ua.com.site.web.security.cristal.TokenUserDetailService"
            id="tokenUserDetailsService">
    <beans:property ref="playerDao" name="playerDao"/>
</beans:bean>
<!--
  Username/password provider backed by passwordUserDetailService.

  SECURITY(review): Md5PasswordEncoder is used and no saltSource is set, so
  stored passwords are unsalted MD5 digests. These are cheap to recover
  offline if the credential store is disclosed. Replacing the encoder makes
  existing hashes unverifiable, so it needs a migration plan (for example
  re-hashing on the next successful login) rather than a one-line swap.
  An adaptive hash such as BCryptPasswordEncoder from the
  org.springframework.security.crypto.bcrypt package is the usual target.
-->
<beans:bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"
            id="passwordAuthenticationProvider">
    <beans:property name="userDetailsService" ref="passwordUserDetailService"/>
    <beans:property name="passwordEncoder">
        <beans:bean
            class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>
    </beans:property>
</beans:bean>
<!--
  Second provider, backed by tokenUserDetailsService.

  SECURITY(review): PlaintextPasswordEncoder compares the submitted
  credential with the stored value without hashing it, so whatever
  tokenUserDetailsService returns as the password must exist in comparable
  cleartext. Presumably these are login tokens rather than user passwords.
  TODO confirm how they are generated, stored and expired.
-->
<beans:bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"
            id="tokenAuthenticationProvider">
    <beans:property name="userDetailsService" ref="tokenUserDetailsService"/>
    <beans:property name="passwordEncoder">
        <beans:bean
            class="org.springframework.security.authentication.encoding.PlaintextPasswordEncoder"/>
    </beans:property>
</beans:bean>
<!--
  Provider chain, tried in declaration order. Both entries are
  DaoAuthenticationProvider instances, so one submitted credential is first
  checked as an MD5 digest against the password service and, if that is
  rejected, compared in cleartext against the token service.
  NOTE(review): a login attempt therefore succeeds if either store accepts
  it. Confirm that this is intended for the form-login endpoint.
-->
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="passwordAuthenticationProvider"/>
    <authentication-provider ref="tokenAuthenticationProvider"/>
</authentication-manager>
<!--
  Legacy one-session-per-user strategy.
  NOTE(review): no element in this file refers to this bean id; the "sas"
  bean builds its own ConcurrentSessionControlAuthenticationStrategy.
  ConcurrentSessionControlStrategy is deprecated in 3.2, so unless another
  configuration file uses this bean it has no effect on logins.
-->
<beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
            id="concurrentSessionController">
    <beans:constructor-arg ref="sessionRegistry" name="sessionRegistry"/>
    <beans:property value="1" name="maximumSessions"/>
</beans:bean>
<!--
  Filter installed at CONCURRENT_SESSION_FILTER by the <http> block.
  It reads the shared sessionRegistry and sends requests arriving on an
  expired session to /expired.html. It does not limit logins by itself; the
  limit is enforced by the session authentication strategy at login time.
-->
<beans:bean class="org.springframework.security.web.session.ConcurrentSessionFilter"
            id="concurrencyFilter">
    <beans:property value="/expired.html" name="expiredUrl"/>
    <beans:property ref="sessionRegistry" name="sessionRegistry"/>
</beans:bean>
<!--
  Hand-built login filter wired with the "sas" strategy.
  Only the authentication manager and the session strategy are set. No
  processing URL, success handler or failure handler is configured, so the
  filter's defaults apply, not the URLs declared on <form-login>.
  NOTE(review): when this filter sits in the same chain as <form-login> it
  duplicates the login filter the namespace already creates. The namespace
  filter also receives "sas" through <session-management>.
-->
<beans:bean class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
            id="myAuthFilter">
    <beans:property ref="authenticationManager" name="authenticationManager"/>
    <beans:property ref="sas" name="sessionAuthenticationStrategy"/>
</beans:bean>
<!--
  Composite strategy run after each successful authentication. The delegates
  execute in list order, so the order below is significant:
    1. reject the login if the user already holds maximumSessions sessions
       (exceptionIfMaximumExceeded=true makes the new login fail instead of
       expiring the oldest session);
    2. apply session-fixation protection;
    3. record the resulting session in the shared registry.
  Steps 1 and 3 must use the same sessionRegistry bean, as they do here.
  NOTE(review): step 1 finds existing sessions by principal equality, so it
  never triggers if the project's UserDetails class lacks equals()/hashCode().
  Verify this against the user-details services.
-->
<beans:bean class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy"
            id="sas">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean
                class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                <beans:constructor-arg ref="sessionRegistry"/>
                <beans:property value="1" name="maximumSessions"/>
                <beans:property value="true" name="exceptionIfMaximumExceeded"/>
            </beans:bean>
            <beans:bean
                class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
            <beans:bean
                class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                <beans:constructor-arg ref="sessionRegistry"/>
            </beans:bean>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>
리스너
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
위 리스너는 제 web.xml 파일에 등록되어 있습니다.
서로 다른 두 브라우저에서 각각 로그인해 보면 둘 다 로그인되고 두 세션이 모두 활성 상태로 남습니다. 동시성 제어가 작동하지 않는 것 같습니다.
form-login을 사용하여 동시성 제어를 구현하는 방법은 무엇입니까?
이전 버전에서는 그냥 아래 설정을 사용했습니다.
<session-management>
<concurrency-control max-sessions="1" expired-url="/expired.html" error-if-maximum-exceeded="false" session-registry-ref="sessionRegistry" />
</session-management>
어떤 조언이든 주시면 감사하겠습니다.
그리고 왜 모든 것을 지금 스스로 구성하고 있습니까? –
제가 직접 구성하려는 것이 아닙니다. 문서에 있는 샘플을 사용하려는 것입니다. 그러나 form-login과 함께 사용하면 예외가 발생합니다. –
스프링 보안을 업그레이드하면서 잘 동작하던 구성을 왜 변경했습니까? –