Spring Boot 中的会话管理不起作用


我参考了 Spring Security 的示例,想把它与我的 Spring Boot 应用程序集成,但同一个用户仍然可以同时登录两次或更多次,我不知道原因。下面是我的 SecurityConfig.java;我使用的是 Spring Boot 1.3.2.RELEASE 和 Spring Security 4.0.3.RELEASE。

package com.eexcel.branch.config;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import com.eexcel.common.service.distributor.DistributorService;
/**
 * Spring Security setup: URL access rules, form login, logout, remember-me and a
 * one-session-per-principal limit, plus the wiring of the authentication source.
 */
@Configuration
@EnableWebSecurity(debug = false)
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig {

    // Patterns opened to everyone via permitAll() in ApplicationSecurity.configure.
    // NOTE(review): public and non-final, so any code can replace or edit the list of
    // paths that skip authentication; consider making both arrays private static final.
    public static String[] ignoreUrls = {
            "/css/**",
            "/js/**",
            "/images/**",
            "/assets/**",
            "**/favicon.ico"
    };

    // Patterns restricted to anonymous (not yet authenticated) callers.
    public static String[] anonymousUrls = {
            "/registe**",
            "/login**"
    };

    /**
     * HTTP security rules.
     *
     * NOTE(review): unlike AuthenticationManagerConfiguration below, this nested class
     * carries no @Configuration annotation; confirm it is actually registered as a bean,
     * otherwise none of the rules in configure() are applied.
     */
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends
            WebSecurityConfigurerAdapter {

        /**
         * Declares who may reach which URL and how sessions are limited.
         *
         * @param http the builder being configured
         * @throws Exception propagated from the Spring Security configurers
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Static resources are open, login/registration pages are for anonymous
            // callers only, and everything else requires an authenticated user.
            http.authorizeRequests()
                    .antMatchers(ignoreUrls).permitAll()
                    .antMatchers(anonymousUrls).anonymous()
                    .anyRequest().authenticated();

            http.formLogin().loginPage("/login");
            http.logout().logoutUrl("/logout");
            http.rememberMe();

            // At most one session per principal; a further login is refused rather than
            // expiring the existing session.
            // NOTE(review): the limit is enforced by looking sessions up per principal
            // object, so it only holds if the UserDetails returned by userDetailsService
            // implements equals()/hashCode() consistently - verify that class.
            // NOTE(review): with maxSessionsPreventsLogin(true) a timed-out session is
            // only released if session-destroyed events are published
            // (HttpSessionEventPublisher); nothing in this class registers one - confirm
            // it is done elsewhere, or users can be locked out until restart.
            http.sessionManagement()
                    .maximumSessions(1)
                    .maxSessionsPreventsLogin(true)
                    .expiredUrl("/login?expired");
        }
    }

    /**
     * Supplies the global AuthenticationManagerBuilder with the user lookup service
     * and the password encoder.
     */
    @Order(Ordered.HIGHEST_PRECEDENCE)
    @Configuration
    protected static class AuthenticationManagerConfiguration extends
            GlobalAuthenticationConfigurerAdapter {

        // Injected but not read anywhere in this class.
        @Autowired
        private DataSource dataSource;

        @Autowired
        private PasswordEncoder passwordEncoder;

        // Project service used as the UserDetailsService for authentication.
        @Autowired
        private DistributorService userDetailsService;

        /**
         * Registers the user details service together with the injected password encoder.
         *
         * @param auth the global authentication builder
         * @throws Exception propagated from the builder
         */
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
        }
    }
}

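您需要在用户详细信息(UserDetails)类中覆盖 equals 和 hashCode,以确保 SessionRegistryImpl 的

List<SessionInformation> org.springframework.security.core.session.SessionRegistryImpl.getAllSessions(Object principal, boolean includeExpiredSessions)

能够取到同一个主体的全部会话。这里的主体就是用户详细信息对象:SessionRegistryImpl 以主体对象作为键来查找会话,如果没有覆盖这两个方法,每次登录产生的主体对象互不相等,已有会话数就永远达不到上限,maximumSessions(1) 也就不会生效。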
