我正在使用 Spring Security 来阻止用户进行多次登录，并在会话超时后使会话失效，从而将用户重定向到登录页面。

下面是 web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    id="WebApp_ID" version="3.0">
    <display-name>GrievancePortal</display-name>
    <!-- Publishes session-created / session-destroyed events to the Spring context.
         Spring Security's session registry (used by the concurrency-control element in
         springSecurity.xml) depends on these events to know when a session ends. -->
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <!-- Bootstraps the root application context from the contextConfigLocation below. -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Root context: application beans plus the Spring Security configuration. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml  /WEB-INF/springSecurity.xml</param-value>
    </context-param>
    <!-- The security filter chain is mapped to every request (/*) so that the
         intercept-url rules and session-management in springSecurity.xml see all traffic,
         including the DispatcherServlet paths below. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- MVC dispatcher with its own (child) context for the web controllers. -->
    <servlet>
        <servlet-name>GrievanceServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/webController.xml</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>GrievanceServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
    <!-- 404s are routed to the same controller path that springSecurity.xml uses as
         its access-denied-page, so "not found" and "forbidden" render the same page. -->
    <error-page>
        <error-code>404</error-code>
        <location>/home/error</location>
    </error-page>
    <!-- session-timeout is expressed in minutes (servlet spec), so sessions here expire
         after one minute of inactivity and the user lands on the invalid-session-url
         configured in springSecurity.xml. NOTE(review): confirm 1 minute is intended
         and not a leftover from testing the redirect.
         tracking-mode COOKIE keeps the session id out of URLs (it is only ever sent in
         the JSESSIONID cookie); a <cookie-config> block with <http-only>/<secure> could
         additionally keep that cookie away from scripts and plain-HTTP requests. -->
    <session-config>
        <session-timeout>1</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
</web-app>

springSecurity.xml

<bean:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:bean="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <!-- disable-url-rewriting keeps the session id out of generated URLs, matching the
         COOKIE-only tracking-mode in web.xml. Authentication is delegated to the
         custom provider declared at the bottom of this file.
         NOTE(review): there is no <csrf/> element; with the 3.2 XML namespace CSRF
         protection is opt-in, so the login and logout posts are currently unprotected. -->
    <http auto-config="true" disable-url-rewriting="true"
        use-expressions="true" authentication-manager-ref="authManager"
        access-denied-page="/home/error">
        <!-- /home/AuthCheck renders the form; the form posts username/password to
             /home/checkAuth. Failures go back to the login page with ?error. -->
        <form-login always-use-default-target="true" login-page="/home/AuthCheck"
            login-processing-url="/home/checkAuth" default-target-url="/user/welcome"
            username-parameter="username" password-parameter="password"
            authentication-failure-url="/home/AuthCheck?error" />

        <!-- Logout both invalidates the server-side session and clears the JSESSIONID
             cookie, so the old id cannot be replayed. -->
        <logout delete-cookies="JSESSIONID" invalidate-session="true"
            logout-url="/logout" logout-success-url="/home/logout" />

        <!-- All three rules require only an authenticated user; /admin/** is not
             restricted to an admin role, and paths not matched here (e.g. /home/**)
             carry no access rule at all. NOTE(review): confirm that is intended. -->
        <intercept-url pattern="/" access="isAuthenticated()" />
        <intercept-url pattern="/user/**" access="isAuthenticated()" />
        <intercept-url pattern="/admin/**" access="isAuthenticated()" />

        <!-- newSession: a fresh session (and id) is issued on login, so a session id
             planted before authentication is never promoted to an authenticated one.
             invalid-session-url: where requests with a timed-out/unknown session id go.
             max-sessions="1": a second login for the same principal expires the earlier
             session, which is sent to expired-url. This relies on the
             HttpSessionEventPublisher listener in web.xml and on the principal object
             (the application's UserDetails) implementing equals/hashCode consistently,
             since the session registry keys sessions by principal. -->
        <session-management session-fixation-protection="newSession"
            invalid-session-url="/home/sessionexpired">
            <concurrency-control max-sessions="1"
                expired-url="/home/sessionexpired" />
        </session-management>
    </http>
    <authentication-manager id="authManager">
        <authentication-provider ref="customAuthProvider">
        </authentication-provider>
    </authentication-manager>
    <!-- The provider that checks the submitted password against the loaded user. -->
    <bean:bean id="customAuthProvider" class="com.GrievancePortal.Service.AuthProvider"></bean:bean>

</bean:beans>

CustomAuthProvider

package com.GrievancePortal.Service;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

import com.GrievancePortal.Dao.AuthProviderDao;
import com.GrievancePortal.Pojo.UserDetails;
import com.sun.xml.internal.ws.client.ResponseContext;

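/**
 * Form-login authentication provider: looks the user up through {@link UserDetailsSer}
 * and checks the submitted password against the stored one.
 */
public class AuthProvider implements AuthenticationProvider{

    /** Single message for every failure so the login page cannot be used to enumerate usernames. */
    private static final String INVALID_CREDENTIALS = "Invalid Credentials";

    @Autowired
    private AuthProviderDao dao;

    @Autowired
    private UserDetailsSer userDetailsSer;

    /**
     * Authenticates a username/password token.
     *
     * @param authentication the unauthenticated token built by the form-login filter; its
     *        name is the submitted username and its credentials the submitted password
     * @return an authenticated {@link UsernamePasswordAuthenticationToken} whose principal is
     *         the loaded user object and whose authorities are that user's authorities; the
     *         credentials are not carried over into the returned token
     * @throws BadCredentialsException if no credentials were submitted, the user cannot be
     *         loaded, or the password does not match
     */
    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String userName = authentication.getName();
        Object credentials = authentication.getCredentials();
        // An empty form post arrives without credentials; fail cleanly instead of
        // with a NullPointerException from toString().
        if (credentials == null) {
            throw new BadCredentialsException(INVALID_CREDENTIALS);
        }
        String passWord = credentials.toString();

        UserDetails user;
        try {
            user = (UserDetails) userDetailsSer.loadUserByUsername(userName);
        } catch (IncorrectResultSizeDataAccessException e) {
            // Unknown (or duplicated) username. The previous "user doesn't exist" message
            // told an attacker which usernames are valid; report the generic message and
            // keep the DAO failure as the cause for the logs.
            throw new BadCredentialsException(INVALID_CREDENTIALS, e);
        }
        // The user service may hand back null (or a record without a password); treat both
        // as a failed login rather than dereferencing them.
        if (user == null || user.getPassword() == null) {
            throw new BadCredentialsException(INVALID_CREDENTIALS);
        }

        // NOTE(review): the stored password is compared as plain text, i.e. it is stored in
        // clear. It should be a salted hash verified through a Spring Security PasswordEncoder.
        // Until then, compare in constant time so the comparison itself does not leak how
        // many leading characters matched.
        byte[] expected = user.getPassword().getBytes(StandardCharsets.UTF_8);
        byte[] supplied = passWord.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, supplied)) {
            throw new BadCredentialsException(INVALID_CREDENTIALS);
        }

        // Carry the user's authorities so role-based intercept-url rules can be applied;
        // the three-argument constructor marks the token as authenticated.
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    /**
     * Accepts the form-login token type (and subclasses of it).
     *
     * @param authentication the token class the manager is asking about
     * @return {@code true} if this provider can authenticate that token type
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

}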

CustomUserDetailsSer

package com.GrievancePortal.Service;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import com.GrievancePortal.Dao.AuthProviderDao;

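    /**
     * Loads the application's user record by username for Spring Security.
     */
    @Service
    public class UserDetailsSer implements UserDetailsService{

        @Autowired
        private AuthProviderDao dao;

        /**
         * Looks up the user record for the given username.
         *
         * @param userName the username submitted at login
         * @return the matching user record (the application's {@code UserDetails} POJO, which
         *         implements Spring Security's {@link UserDetails})
         * @throws UsernameNotFoundException if the DAO returns no record; the
         *         {@link UserDetailsService} contract requires this instead of a {@code null}
         *         return, which would otherwise surface as a NullPointerException in the
         *         authentication provider
         */
        @Override
        public UserDetails loadUserByUsername(String userName)
                throws UsernameNotFoundException {
            com.GrievancePortal.Pojo.UserDetails userDetails = dao.getAuthUser(userName);
            if (userDetails == null) {
                throw new UsernameNotFoundException("No user found for username: " + userName);
            }
            return userDetails;
        }

    }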

CustomUserDetails 服务返回的 userDetails 对象覆盖了 hashCode 和 equals 方法，并实现了 Spring Security 提供的 UserDetails 接口。