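Related questions and solutions (0)

Spring Security logout does not work - does not clear security context and authenticated user still exists

I know there are a lot of articles about this topic, but I have a problem and I can't find any solution.

I have a classic Spring Security Java config: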

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuctionAuthenticationProvider auctionAuthenticationProvider;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(auctionAuthenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic();

        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequest = http.authorizeRequests();

        configureAdminPanelAccess(authorizeRequest);
        configureFrontApplicationAccess(authorizeRequest);
        configureCommonAccess(authorizeRequest);

        http.csrf()
            .csrfTokenRepository(csrfTokenRepository()).and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);

        http.logout()
            .clearAuthentication(true)
            .invalidateHttpSession(true);
    }
...
}

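In addition, I have two controller methods through which I log in and log out from my web application via AJAX.

When I want to log out, I first call this method, which I expect to clear the user session and clear everything from the security context.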

@Override
@RequestMapping(value = "/logout", method = GET, produces = APPLICATION_JSON_UTF8_VALUE)
public ResponseEntity<Boolean> logout(final HttpServletRequest request, final HttpServletResponse response) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != …

java spring spring-mvc spring-security

11
votes
1
answer
30k
views

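Invalidate session with Spring Security

My web application uses Spring Security to authenticate users at login. I also have concurrency control to prevent a user from logging in twice on different machines. This works fine, but my problem is: if a user logs in on a machine and then closes the browser, then reopens the web application and tries to log in again, he gets the following message: "Maximum sessions of 1 for this principal exceeded". I want to invalidate the session when the browser is closed. How can I do this?

spring-security.xml file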

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
                       http://www.springframework.org/schema/beans/spring-beans.xsd
                       http://www.springframework.org/schema/security
                       http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <security:global-method-security
        secured-annotations="enabled" />

  <security:http auto-config="false"
        authentication-manager-ref="authenticationManager" use-expressions="true">
        <!-- Override default login and logout pages -->
        <security:form-login
              authentication-failure-handler-ref="fail"
              authentication-success-handler-ref="success" login-page="/car/login.xhtml"
              default-target-url="/jsf/car/home.xhtml" />
        <security:logout invalidate-session="true"
              logout-url="/j_spring_security_logout" success-handler-ref="customLogoutHandler" delete-cookies="JSESSIONID"/>
        <security:session-management>
              <security:concurrency-control
                    max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:intercept-url pattern="/jsf/**"
              access="isAuthenticated()" />
        <security:intercept-url pattern="/run**"
              access="isAuthenticated()" />
        <security:intercept-url pattern="/pages/login.xhtml"
              access="permitAll" />
  </security:http>

  <bean id="success" class="com.car.LoginSuccess" />

  <bean id="fail" class="com.car.LoginFailed">
        <property name="defaultFailureUrl" value="/?login_error=true" />
  </bean>
  <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

  <security:authentication-manager alias="authenticationManager"> …

java spring-security jsf-2

1
vote
1
answer
10k
views

Tag statistics

java ×2

spring-security ×2

jsf-2 ×1

spring ×1

spring-mvc ×1