如何限制每个用户仅一个会话并阻止随后的登录尝试?

编程入门 行业动态 更新时间:2024-10-28 00:28:32
本文介绍了如何限制每个用户仅一个会话并阻止随后的登录尝试?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧! 问题描述

并发控制的默认行为是使原始会话到期.但是,我想通过显示消息用户已登录"来阻止使用相同凭据登录的第二个用户.我该怎么做?

The default behavior of concurrency control is to expire the original session. However, I would like to block the second user which is logging in with the same credentials with displaying message "User has already logged in". How can I accomplish this ?

以下是spring-security.xml的配置:

Below is the configuration of spring-security.xml:

<http auto-config="false" use-expressions="true"> <intercept-url pattern="/login*" access="permitAll" requires-channel="https" /> <intercept-url pattern="/userHasLoggedIn" access="permitAll" requires-channel="https" /> <intercept-url pattern="/j_spring_security_*" access="permitAll" requires-channel="https" /> <intercept-url pattern="/session*" access="permitAll" requires-channel="https" /> <form-login login-page="/login" authentication-failure-url="/loginFailed" /> <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https" /> <session-management invalid-session-url="/sessionExpired" session-authentication-error-url="/loginAlready"> <concurrency-control error-if-maximum-exceeded="false" expired-url="/userHasLoggedIn" max-sessions="1"/> </session-management> <logout delete-cookies="JSESSIONID" /> </http>

(已更新)我最终的Spring安全配置:

(Updated) My final spring security configuration:

<http auto-config="false" use-expressions="true"> <intercept-url pattern="/login*" access="permitAll" requires-channel="https" /> <form-login default-target-url="/home" login-page="/login" authentication-failure-url="/loginFailed" /> <intercept-url pattern="/**" access="isFullyAuthenticated()" requires-channel="https" /> <session-management session-authentication-error-url="/loginFailed"> <concurrency-control expired-url="/loginFailed" error-if-maximum-exceeded="true" max-sessions="1"/> </session-management> <logout delete-cookies="JSESSIONID" /> </http>

推荐答案

解决方案是文档中的:

通常,您宁愿阻止第二次登录,在这种情况下, 可以使用

Often you would prefer to prevent a second login, in which case you can use <http> ... <session-management> <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> </session-management> </http>

第二次登录将被拒绝. 拒绝"是指 用户将被发送到authentication-failure-url 使用基于表单的登录.如果第二次身份验证需要 通过另一种非交互机制放置,例如 记住我",则会将未经授权"(402)错误发送给 客户.相反,如果您要使用错误页面,则可以添加 属性session-authentication-error-url到 session-management元素.

The second login will then be rejected. By "rejected", we mean that the user will be sent to the authentication-failure-url if form-based login is being used. If the second authentication takes place through another non-interactive mechanism, such as "remember-me", an "unauthorized" (402) error will be sent to the client. If instead you want to use an error page, you can add the attribute session-authentication-error-url to the session-management element.

因此,基本上将error-if-maximum-exceeded设置为"true"并从<concurrency-control>中删除expired-url属性.

So basically set error-if-maximum-exceeded to "true" and remove expired-url attribute from <concurrency-control>.

更多推荐

如何限制每个用户仅一个会话并阻止随后的登录尝试?

本文发布于:2023-06-03 05:59:44,感谢您对本站的认可!
本文链接:https://www.elefans.com/category/jswz/34/470186.html
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系,我们将在24小时内删除。
本文标签:用户

发布评论

评论列表 (有 0 条评论)
草根站长

>www.elefans.com

编程频道|电子爱好者 - 技术资讯及电子产品介绍!