我正在使用 Spring Security 来阻止用户进行多次登录，并在会话超时后使会话无效，从而将用户重定向到登录页面。
下面是 web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    id="WebApp_ID" version="3.0">
    <display-name>GrievancePortal</display-name>
    <!-- Publishes session-created/destroyed events to the Spring context so the
         concurrency-control (max-sessions) in springSecurity.xml can track which
         sessions are still alive. Without this listener expired sessions are not
         noticed and the single-session limit does not work. -->
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <!-- Root context: application beans plus the security configuration. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml /WEB-INF/springSecurity.xml</param-value>
    </context-param>
    <!-- Every request goes through the Spring Security filter chain; the proxy
         delegates to the bean named "springSecurityFilterChain" created by
         the <http> element in springSecurity.xml. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>GrievanceServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/webController.xml</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>GrievanceServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
    <error-page>
        <error-code>404</error-code>
        <location>/home/error</location>
    </error-page>
    <!-- session-timeout is in minutes: a session is invalidated after one minute
         of inactivity, after which Spring Security's invalid-session-url applies.
         COOKIE-only tracking keeps the session id out of URLs (no ;jsessionid=). -->
    <session-config>
        <session-timeout>1</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
</web-app>
springSecurity.xml
<bean:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:bean="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <!-- auto-config="true" also registers HTTP Basic authentication in addition
         to the explicit form-login and logout below. disable-url-rewriting keeps
         the session id out of URLs; access-denied-page is where an authenticated
         user who fails an access rule is sent. -->
    <http auto-config="true" disable-url-rewriting="true"
        use-expressions="true" authentication-manager-ref="authManager"
        access-denied-page="/home/error">
        <!-- The form posts "username"/"password" to /home/checkAuth; the custom
             AuthProvider below receives them as a UsernamePasswordAuthenticationToken. -->
        <form-login always-use-default-target="true" login-page="/home/AuthCheck"
            login-processing-url="/home/checkAuth" default-target-url="/user/welcome"
            username-parameter="username" password-parameter="password"
            authentication-failure-url="/home/AuthCheck?error" />
        <logout delete-cookies="JSESSIONID" invalidate-session="true"
            logout-url="/logout" logout-success-url="/home/logout" />
        <!-- All three rules only require a logged-in user; nothing here
             distinguishes /admin/** from /user/** by role. Paths with no rule
             (for example /home/**) are not protected by this chain. -->
        <intercept-url pattern="/" access="isAuthenticated()" />
        <intercept-url pattern="/user/**" access="isAuthenticated()" />
        <intercept-url pattern="/admin/**" access="isAuthenticated()" />
        <!-- invalid-session-url: a request carrying the id of a session that no
             longer exists (e.g. after the 1-minute timeout in web.xml) is sent
             here. newSession creates a fresh session at login without copying
             the old session's attributes. -->
        <session-management session-fixation-protection="newSession"
            invalid-session-url="/home/sessionexpired">
            <!-- max-sessions="1" without error-if-maximum-exceeded="true" lets
                 the newest login win: the earlier session is expired and its
                 next request lands on expired-url. To refuse the second login
                 instead, add error-if-maximum-exceeded="true". Relies on the
                 HttpSessionEventPublisher listener registered in web.xml. -->
            <concurrency-control max-sessions="1"
                expired-url="/home/sessionexpired" />
        </session-management>
    </http>
    <authentication-manager id="authManager">
        <authentication-provider ref="customAuthProvider">
        </authentication-provider>
    </authentication-manager>
    <bean:bean id="customAuthProvider" class="com.GrievancePortal.Service.AuthProvider"></bean:bean>
</bean:beans>
CustomAuthProvider
package com.GrievancePortal.Service;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import com.GrievancePortal.Dao.AuthProviderDao;
import com.GrievancePortal.Pojo.UserDetails;
import com.sun.xml.internal.ws.client.ResponseContext;
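public class AuthProvider implements AuthenticationProvider {

    /** Looks the submitted username up in the database (see UserDetailsSer). */
    @Autowired
    private UserDetailsSer userDetailsSer;

    /**
     * Authenticates a username/password token against the stored account.
     *
     * @param authentication the token built by the form-login filter; its name is the
     *     submitted username and its credentials the submitted password
     * @return an authenticated token whose principal is the loaded account and whose
     *     credentials have been cleared
     * @throws BadCredentialsException if no password was supplied, the lookup returned
     *     no usable account, the lookup was ambiguous, or the password does not match
     * @throws AuthenticationException anything else raised by the user-details lookup
     */
    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String userName = authentication.getName();
        Object credentials = authentication.getCredentials();
        // The form filter normally supplies a String, but a missing password must fail
        // as an authentication error rather than a NullPointerException.
        if (credentials == null) {
            throw new BadCredentialsException("Invalid Credentials");
        }
        String passWord = credentials.toString();

        UserDetails user;
        try {
            user = (UserDetails) userDetailsSer.loadUserByUsername(userName);
        } catch (IncorrectResultSizeDataAccessException e) {
            // NOTE(review): this message differs from the wrong-password one, so the
            // login response reveals whether an account exists; a single generic
            // message would avoid that. The cause is kept for server-side diagnosis.
            throw new BadCredentialsException("User Doesn't Exist Please Signup First", e);
        }
        // UserDetailsSer hands back whatever the DAO returned, which may be null.
        if (user == null || user.getPassword() == null) {
            throw new BadCredentialsException("Invalid Credentials");
        }
        if (!passwordMatches(user.getPassword(), passWord)) {
            throw new BadCredentialsException("Invalid Credentials");
        }
        // Credentials are not kept on the returned token. The account's own
        // authorities are attached so role-based access rules can use them; the
        // current intercept-url rules only test isAuthenticated(), so this is
        // compatible with the existing configuration.
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    /**
     * Compares the stored password with the submitted one without leaking, through
     * timing, how many leading characters matched.
     *
     * NOTE(review): the stored value is compared as plain text, so the database must
     * hold plain-text passwords. Storing salted hashes and verifying them with a
     * PasswordEncoder is the recommended replacement; it would need a PasswordEncoder
     * bean in springSecurity.xml and a migration of the stored values.
     *
     * @param stored the password value loaded from the account
     * @param submitted the password sent with the login form
     * @return true if both values are identical
     */
    private static boolean passwordMatches(String stored, String submitted) {
        return MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Tells the ProviderManager which token types this provider handles.
     *
     * @param authentication the token class being authenticated
     * @return true for UsernamePasswordAuthenticationToken and its subclasses
     */
    @Override
    public boolean supports(Class<?> authentication) {
        // isAssignableFrom also accepts subclasses of the form-login token.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}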
CustomUserDetailsSer
package com.GrievancePortal.Service;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import com.GrievancePortal.Dao.AuthProviderDao;
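@Service
public class UserDetailsSer implements UserDetailsService {

    /** Data-access object that looks an account up by its login name. */
    @Autowired
    private AuthProviderDao dao;

    /**
     * Loads the stored account for the given login name.
     *
     * @param userName the username submitted on the login form
     * @return the stored account, never {@code null}
     * @throws UsernameNotFoundException if the DAO has no account for the name; the
     *     {@link UserDetailsService} contract requires this instead of returning null,
     *     and callers such as AuthProvider would otherwise dereference null
     */
    @Override
    public UserDetails loadUserByUsername(String userName)
            throws UsernameNotFoundException {
        com.GrievancePortal.Pojo.UserDetails userDetails = dao.getAuthUser(userName);
        if (userDetails == null) {
            // Same wording as a wrong password so the response does not reveal
            // whether the account exists; the username is deliberately not echoed.
            throw new UsernameNotFoundException("Invalid Credentials");
        }
        return userDetails;
    }
}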
CustomUserDetails 服务返回的 userDetails 对象覆盖了 hashCode 和 equals 方法，并实现了 Spring Security 提供的 UserDetails 接口。