Can concurrency control be overridden?

Date: 2013-01-18 10:12:08

Tags: spring-security

My applicationContext-security.xml

<session-management session-authentication-error-url="/genesis">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/genesis?sessionExpired=true"/>
</session-management>

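restricts users to a single session. However, I now have a requirement that one account must be allowed multiple sessions, while all other accounts are still restricted to a single session.

Any suggestions on how to achieve this?

2 answers:

Answer 0: (score: 2)

Override the default concurrency filter. Skip processing for the special user: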

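import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.session.ConcurrentSessionFilter;

public class CustomConcurrentSessionFilter extends ConcurrentSessionFilter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // auth is null for requests that carry no authenticated session
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && "bob".equals(auth.getName())) {
            // Special user: skip the concurrency check but keep the filter chain going
            chain.doFilter(req, res);
        } else {
            super.doFilter(req, res, chain);
        }
    }
}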

Replace the default filter with the custom one in the conf:

<security:http ... >
    <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="customConcurrentSessionFilter"/>
</security:http>

<bean id="customConcurrentSessionFilter" class="com.domain.CustomConcurrentSessionFilter"/>

Answer 1: (score: 0)

(I am expanding my comment here to provide a more complete solution to this problem.)

Just override getMaximumSessionsForThisUser() in a subclass of ConcurrentSessionFilter (below I use com.example.CustomConcurrentSessionFilter), then add to the XML configuration:

  • a SessionAuthenticationStrategy bean (with id "sas"),
  • <session-management session-authentication-strategy-ref="sas" /> to <http>,
  • <bean:property name="sessionAuthenticationStrategy" ref="sas" /> to your UsernamePasswordAuthenticationFilter.

The complete setup should be similar to the one shown here in docs:

<http>
  <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
  <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />

  <session-management session-authentication-error-url="/genesis"
      session-authentication-strategy-ref="sas"/>
</http>

<beans:bean id="concurrencyFilter"
   class="com.example.CustomConcurrentSessionFilter">
  <beans:property name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="expiredUrl" value="/genesis?sessionExpired=true" />
</beans:bean>

<beans:bean id="myAuthFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <beans:property name="sessionAuthenticationStrategy" ref="sas" />
  <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<beans:bean id="sas"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
  <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="exceptionIfMaximumExceeded" value="true" />
  <beans:property name="maximumSessions" value="1" />
</beans:bean>

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />
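
An added example, not part of either answer and not Spring Security's own code: in Spring Security 3.1, getMaximumSessionsForThisUser(Authentication) is a protected method of ConcurrentSessionControlStrategy (the class behind the "sas" bean), so this class subclasses the strategy and raises the limit for accounts holding an exempt authority instead of matching a hard-coded username. The class name, package, setter names and the cap of 5 are assumptions made for illustration.

```java
package com.example; // assumed package, matching the com.example prefix used above

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;

/**
 * Hypothetical strategy: accounts holding an exempt authority get a higher,
 * still bounded, session cap; everyone else keeps the configured maximumSessions.
 */
public class PerUserConcurrentSessionControlStrategy extends ConcurrentSessionControlStrategy {

    private Set<String> exemptAuthorities = Collections.emptySet();
    private int exemptMaximumSessions = 5; // assumed cap; -1 would mean unlimited

    public PerUserConcurrentSessionControlStrategy(SessionRegistry sessionRegistry) {
        super(sessionRegistry);
    }

    @Override
    protected int getMaximumSessionsForThisUser(Authentication authentication) {
        // Fail closed: anything unexpected falls back to the default limit.
        if (authentication != null && authentication.isAuthenticated()) {
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (exemptAuthorities.contains(authority.getAuthority())) {
                    return exemptMaximumSessions;
                }
            }
        }
        return super.getMaximumSessionsForThisUser(authentication);
    }

    public void setExemptAuthorities(Set<String> exemptAuthorities) {
        // Defensive copy so later changes to the caller's set do not alter policy
        this.exemptAuthorities = new HashSet<String>(exemptAuthorities);
    }

    public void setExemptMaximumSessions(int exemptMaximumSessions) {
        this.exemptMaximumSessions = exemptMaximumSessions;
    }
}
```

To use it, point the class attribute of the "sas" bean at com.example.PerUserConcurrentSessionControlStrategy and set exemptAuthorities to the role granted to the multi-session account (for example a constructed ROLE_MULTI_SESSION).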