In this article we walk through the different ways of configuring Spring Security's session management and concurrency control in four situations, and show the result of each.
(1) First, write a session_error.jsp page that displays session-related error messages. The kind of error is passed in through the request parameter id.

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- c:out HTML-escapes the reflected request parameter; a bare ${param.id} would echo it unescaped --%>
<p>Session error: <c:out value="${param.id}"/></p>
<%-- SPRING_SECURITY_LAST_EXCEPTION is the session attribute Spring Security stores the last AuthenticationException in --%>
<p><c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/></p>
(2) Write the corresponding SessionController class.

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller
@RequestMapping(value = "/login")
public class SessionController {

    // Renders login/session_error.jsp; the id parameter says which session error occurred
    @RequestMapping("/session_error.action")
    public ModelAndView sessionError(String id) {
        System.out.println("session_error: " + id);
        ModelAndView mv = new ModelAndView();
        mv.setViewName("login/session_error");
        return mv;
    }
}
(3) Write the session-management configuration in spring-security.xml, and add the anonymous access control it needs.
(a) Scenario one: first test the case where exceeding the session limit does not raise an error (error-if-maximum-exceeded="false") and invalid-session-url is not configured.

<!-- Session management -->
<sec:session-management session-fixation-protection="changeSessionId"
    session-authentication-error-url="/login/session_error.action?id=max_session_error">
    <!-- invalid-session-url="/login/session_error.action?id=invalid_session_error" -->
    <sec:concurrency-control max-sessions="1"
        expired-url="/login/session_error.action?id=session_expired_error"
        error-if-maximum-exceeded="false" />
</sec:session-management>

<!-- Anonymous access -->
<sec:anonymous enabled="true" granted-authority="ROLE_ANONYMOUS" />
<sec:intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />
<sec:intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />
Log in successfully in browser 1.
Then log in successfully in browser 2.
Then go back to browser 1 and click a link.
You can see that the earlier login in browser 1 has expired.
(b) Scenario two: re-test the case where exceeding the session limit does not raise an error, this time with invalid-session-url configured.

<!-- Session management -->
<sec:session-management session-fixation-protection="changeSessionId"
    session-authentication-error-url="/login/session_error.action?id=max_session_error"
    invalid-session-url="/login/session_error.action?id=invalid_session_error">
    <sec:concurrency-control max-sessions="1"
        expired-url="/login/session_error.action?id=session_expired_error"
        error-if-maximum-exceeded="false" />
</sec:session-management>
Log in successfully in browser 1.
Log in successfully in browser 2.
Then go back to browser 1 and click a link.
You can see that the page now jumps to the URL specified by invalid-session-url, no longer to the URL specified by expired-url.
(c) Scenario three: test the case where exceeding the session limit raises an error (error-if-maximum-exceeded="true"). Whether or not invalid-session-url is specified makes little difference here.
With form-login form authentication, the page jumps to the URL specified by the form-login attribute authentication-failure-url; if that URL is not specified, it jumps to the attribute's default URL.

<sec:session-management session-fixation-protection="changeSessionId"
    session-authentication-error-url="/login/session_error.action?id=max_session_error"
    invalid-session-url="/login/session_error.action?id=invalid_session_error">
    <sec:concurrency-control max-sessions="1"
        expired-url="/login/session_error.action?id=session_expired_error"
        error-if-maximum-exceeded="true" />
</sec:session-management>

<sec:form-login login-page="/login/login_form.action"
    username-parameter="username"
    password-parameter="password"
    login-processing-url="/login/login_process.action"
    authentication-success-forward-url="/login/login_success.action"
    authentication-failure-url="/login/login_failed.action" />
Log in successfully in browser 1.
Then log in in browser 2.
This jumps to the URL specified by form-login's authentication-failure-url.
(d) Scenario four: test the case where exceeding the session limit raises an error, but without form-login form authentication. When the session limit is exceeded, the page jumps to the error URL configured on session-management (session-authentication-error-url). HTTP Basic authentication is enabled for this test.

<!-- session-management is the same as in scenario three (error-if-maximum-exceeded="true") -->

<!-- form-login is commented out for this test; HTTP Basic is used instead
<sec:form-login login-page="/login/login_form.action"
    username-parameter="username"
    password-parameter="password"
    login-processing-url="/login/login_process.action"
    authentication-success-forward-url="/login/login_success.action"
    authentication-failure-url="/login/login_failed.action" />
-->
<sec:http-basic />
Log in successfully in browser 1.
Log in in browser 2:
You can see that when the login fails, the page jumps to the URL specified by the session-management element's session-authentication-error-url.
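For readers using Java configuration rather than the XML namespace, the following is an added example written for this edit (it is not code from the original post) that expresses the same four scenarios as one Spring Security 4.x/5.x WebSecurityConfigurerAdapter, with three constants selecting the scenario. The class name SessionSecurityConfig and the three constants are assumptions; the URLs, roles and parameter names are the ones used in the post. The HttpSessionEventPublisher bean is the Java-config counterpart of the web.xml listener that the XML setup also needs, so that sessions destroyed by logout or timeout stop counting toward max-sessions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Added example; class name and the three switches below are assumptions, not from the post.
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter {

    // Scenario switches (XML attribute in parentheses):
    //   scenario 1: false, false, true     scenario 2: false, true, true
    //   scenario 3: true,  true,  true     scenario 4: true,  true,  false
    private static final boolean ERROR_IF_MAXIMUM_EXCEEDED = true; // error-if-maximum-exceeded
    private static final boolean USE_INVALID_SESSION_URL = true;   // invalid-session-url present?
    private static final boolean USE_FORM_LOGIN = true;            // form-login vs http-basic

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Same intercept-url and anonymous rules as the XML
        http.authorizeRequests()
                .antMatchers("/", "/login/**")
                    .access("hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')")
                .anyRequest().authenticated()
            .and()
            .anonymous().authorities("ROLE_ANONYMOUS");

        // session-management: fixation protection and the session error URL
        SessionManagementConfigurer<HttpSecurity> session = http.sessionManagement()
                .sessionFixation().changeSessionId()
                .sessionAuthenticationErrorUrl("/login/session_error.action?id=max_session_error");
        if (USE_INVALID_SESSION_URL) {
            session.invalidSessionUrl("/login/session_error.action?id=invalid_session_error");
        }
        // concurrency-control: max-sessions, expired-url, error-if-maximum-exceeded
        session.maximumSessions(1)
                .expiredUrl("/login/session_error.action?id=session_expired_error")
                .maxSessionsPreventsLogin(ERROR_IF_MAXIMUM_EXCEEDED);

        if (USE_FORM_LOGIN) {
            // With form login, a rejected second login lands on failureUrl (scenario three)
            http.formLogin()
                .loginPage("/login/login_form.action")
                .usernameParameter("username")
                .passwordParameter("password")
                .loginProcessingUrl("/login/login_process.action")
                .successForwardUrl("/login/login_success.action")
                .failureUrl("/login/login_failed.action");
        } else {
            // Without form login, it lands on sessionAuthenticationErrorUrl (scenario four)
            http.httpBasic();
        }
    }

    // Lets the session registry hear HttpSessionDestroyedEvent; without it, sessions
    // that were logged out or timed out keep occupying the max-sessions quota.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

maximumSessions(1) with maxSessionsPreventsLogin(false) is the "expire the older session" behaviour of scenarios one and two, and maxSessionsPreventsLogin(true) is the "reject the new login" behaviour of scenarios three and four. WebSecurityConfigurerAdapter was removed in Spring Security 6; there the same calls are made on HttpSecurity inside a SecurityFilterChain bean.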
The results of the four test cases above can be summarized as follows:
(1) Spring Security's configuration parameters are flexible and can adapt to fairly complex application requirements.
(2) The configuration parameters are so flexible that they are error-prone in practice.
(3) This test largely confirms the content of the previous blog post.
Spring Security Application Development (11) Concurrency control practices