Definition, function, and description:
Concurrency control: mainly used to prevent multiple or repeated logins by the same user, and it includes the related session management. For details, see the official website.
Official documentation first: http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#session-mgmt
The official website explains concurrency control quite clearly, but some people (me, for example) have rewritten the authentication method, which causes concurrency control to stop working. So let's go through the concurrency control configuration of Spring Security and the related code:
There are three ways to do it.
Basic configuration:
Add the listener to web.xml:
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
The first method: the introductory case (simple configuration), with no customization of Spring Security's authentication
<http>
    ...
    <session-management>
        <concurrency-control max-sessions="1" />
    </session-management>
</http>
Or
<http>
    ...
    <session-management>
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </session-management>
</http>
The difference: with the former, the user who logged in earlier is kicked out; with the latter, the second login is refused.
Remember the premise: there is no custom authentication method. From the official website:
If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly. More details can be found in the Session Management chapter.
However, if you use a custom UserDetails implementation, you need to override equals() and hashCode().
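Why the override matters, as an added example that is not code from the original post or from Spring Security: SessionRegistryImpl looks up a user's sessions in a map keyed by the principal object, so a principal without equals() and hashCode() never matches its earlier login. The plain-JDK model below assumes that map layout; BrokenUser, FixedUser and register are hypothetical names.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class PrincipalEqualityDemo {
    // Hypothetical principal WITHOUT equals/hashCode: compared by identity only.
    static class BrokenUser {
        final String username;
        BrokenUser(String username) { this.username = username; }
    }

    // Hypothetical principal WITH equals/hashCode based on the username.
    static class FixedUser {
        final String username;
        FixedUser(String username) { this.username = username; }
        @Override public boolean equals(Object o) {
            return o instanceof FixedUser && ((FixedUser) o).username.equals(username);
        }
        @Override public int hashCode() { return username.hashCode(); }
    }

    // Model of the registry: principal -> ids of that principal's live sessions.
    static final Map<Object, Set<String>> principals = new ConcurrentHashMap<>();

    // Returns false when the principal already holds maxSessions sessions,
    // which corresponds to error-if-maximum-exceeded="true".
    static boolean register(Object principal, String sessionId, int maxSessions) {
        Set<String> ids = principals.computeIfAbsent(principal, p -> new HashSet<>());
        if (ids.size() >= maxSessions) {
            return false;
        }
        ids.add(sessionId);
        return true;
    }

    public static void main(String[] args) {
        // Every login loads a fresh principal object for the same account
        // (constructed sample data: account "alice", session ids S1..S4).
        System.out.println("broken, 1st login: " + register(new BrokenUser("alice"), "S1", 1));
        // Same account, new object: the map sees a different key.
        System.out.println("broken, 2nd login: " + register(new BrokenUser("alice"), "S2", 1));
        System.out.println("fixed,  1st login: " + register(new FixedUser("alice"), "S3", 1));
        // Same account, equal key: the existing session is found and counted.
        System.out.println("fixed,  2nd login: " + register(new FixedUser("alice"), "S4", 1));
    }
}
```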
The second method:
The official documentation linked at the top already explains this very clearly...
If it is still unclear, see this post by an Iteye user: http://sb33060418.iteye.com/blog/1953515
The third method (the one I am using...)
First, look at my authentication code (a method the program calls directly; the authentication is largely custom):
public LoginInfo login(@RequestParam(defaultValue = "") String username,
                       @RequestParam(defaultValue = "") String password,
                       HttpServletRequest request, HttpServletResponse response) {
    if (!checkValidateCode(request)) {
        return new LoginInfo().failed().msg("CAPTCHA Error!");
    }
    username = username.trim();
    UsernamePasswordAuthenticationToken authRequest =
            new UsernamePasswordAuthenticationToken(username, password);
    /*
    DetachedCriteria detachedCriteria = DetachedCriteria.forClass(CwSysUser.class, "cwSysUser");
    detachedCriteria.add(Restrictions.eq("userNo", username));
    if (cwSysUserService.countUser(detachedCriteria) == 0) {
        return new LoginInfo().failed().msg("Username: " + username + " does not exist.");
    }
    */
    try {
        // Calls loadUserByUsername
        Authentication authentication = myAuthenticationManager.authenticate(authRequest);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        HttpSession session = request.getSession();
        // This is very important, otherwise you will not be logged in after authentication
        session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());
        // Manual call into the session authentication strategy (concurrency control)
        sas.onAuthentication(authentication, request, response);
        return new LoginInfo().success().msg(authentication.getName());
    } catch (AuthenticationException ex) {
        if (ex.getMessage() == null) {
            return new LoginInfo().failed().msg("User name does not exist.");
        }
        return new LoginInfo().failed().msg("User name or password error");
    }
}
Description:
Authentication authentication = myAuthenticationManager.authenticate(authRequest);
Here the application calls myAuthenticationManager to perform the authentication; based on the XML configuration below, myAuthenticationManager invokes the loadUserByUsername method.
sas.onAuthentication(authentication, request, response);
This is the manual invocation of concurrency control (sas is injected from the XML configuration).
Configure spring-security.xml (basically the same as the second method, but without the custom login filter configuration):
<http>
    ...
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    <session-management session-authentication-strategy-ref="sas" />
</http>

<beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl" value="/session-expired.htm" />
</beans:bean>

<beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                <beans:constructor-arg ref="sessionRegistry" />
                <beans:property name="maximumSessions" value="1" />
            </beans:bean>
            <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
            </beans:bean>
            <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                <beans:constructor-arg ref="sessionRegistry" />
            </beans:bean>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

<authentication-manager alias="myAuthenticationManager">
    <authentication-provider user-service-ref="cwSysUserDetailsService">
        <!-- Database provider. md5 is what this setup uses; it is a weak password hash, prefer bcrypt for new deployments -->
        <password-encoder hash="md5"></password-encoder>
    </authentication-provider>
</authentication-manager>
At this point, the configuration is complete.
Many thanks to StackOverflow and to ma4 for the self-answer; this spirit really deserves an upvote. Unfortunately, upvoting requires logging in, logging in requires getting over the firewall (FQ), and after clicking for half a day the page still had not loaded. So, crossing mountains and rivers, over the wall and through the wilderness, I just want to tell you: thank you.
http://stackoverflow.com/questions/26041756/concurrency-control-is-not-working
Keep talking about the concurrency control of Spring Security (concurrency control)