2013-04-16 18:11:53 [http-bio-8080-exec-103:553093] - [DEBUG] Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@5c0bd7]
2013-04-16 18:11:53 [http-bio-8080-exec-103:553093] - [DEBUG] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@1f0d425]
2013-04-16 18:11:53 [http-bio-8080-exec-103:553093] - [DEBUG] Started new session: BBA888FA500246B1B4541E15D381D29B
2013-04-16 18:11:53 [http-bio-8080-exec-103:553093] - [DEBUG] Registering session BBA888FA500246B1B4541E15D381D29B, for principal org.casic.javaframework.core.web.console.security.user.UserDetailsBean@0: Username: 管理员; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities
2013-04-16 18:11:56 [http-bio-8080-exec-103:555890] - [DEBUG] Opening Hibernate Session
Hibernate:
select
userloginm0_.userId as userId31_,
userloginm0_.lastLoginDate as lastLogi2_31_,
userloginm0_.lastLoginIP as lastLogi3_31_,
userloginm0_.loginDate as loginDate31_,
userloginm0_.loginIP as loginIP31_,
userloginm0_.maxFailedLogin as maxFaile6_31_,
userloginm0_.pswd1 as pswd7_31_,
userloginm0_.pswd2 as pswd8_31_,
userloginm0_.pswd3 as pswd9_31_,
userloginm0_.pswdExpiredDate as pswdExp10_31_,
userloginm0_.pswdModiTime as pswdMod11_31_
from
T_SYS_USERLOGIN userloginm0_
where
userloginm0_.userId=?
2013-04-16 18:11:56 [http-bio-8080-exec-103:555906] - [DEBUG] Eagerly flushing Hibernate session
2013-04-16 18:11:56 [http-bio-8080-exec-103:555906] - [DEBUG] Closing Hibernate Session
2013-04-16 18:11:56 [http-bio-8080-exec-103:555906] - [DEBUG] Opening Hibernate Session
2013-04-16 18:11:56 [http-bio-8080-exec-103:555906] - [DEBUG] Eagerly flushing Hibernate session
Hibernate:
update
T_SYS_USERLOGIN
set
lastLoginDate=?,
lastLoginIP=?,
loginDate=?,
loginIP=?,
maxFailedLogin=?,
pswd1=?,
pswd2=?,
pswd3=?,
pswdExpiredDate=?,
pswdModiTime=?
where
userId=?
2013-04-16 18:11:56 [http-bio-8080-exec-103:555906] - [DEBUG] Closing Hibernate Session
2013-04-16 18:11:57 [http-bio-8080-exec-103:557453] - [DEBUG] Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@1639d1]
2013-04-16 18:11:57 [http-bio-8080-exec-103:557453] - [DEBUG] Removing session DF8BACBDCB2B67ECB245A68FFFD2880F from principal's set of registered sessions
2013-04-16 18:11:57 [http-bio-8080-exec-103:557453] - [DEBUG] Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fffffb0b: Principal: org.casic.javaframework.core.web.console.security.user.UserDetailsBean@0: Username: 管理员; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities
2013-04-16 18:11:58 [http-bio-8080-exec-103:557890] - [DEBUG] Using default Url: /index.action
2013-04-16 18:11:58 [http-bio-8080-exec-103:557890] - [DEBUG] Redirecting to '/bpm/index.action'
2013-04-16 18:11:58 [http-bio-8080-exec-103:557890] - [DEBUG] SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@fffffb0b: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fffffb0b: Principal: org.casic.javaframework.core.web.console.security.user.UserDetailsBean@0: Username: 管理员; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
2013-04-16 18:11:58 [http-bio-8080-exec-103:557890] - [DEBUG] SecurityContextHolder now cleared, as request processing completed
2013-04-16 18:11:58 [http-bio-8080-exec-103:557890] - [DEBUG] Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@134b520
--ie6 请求登陆到这里就完了
3 个解决方案
#1
下面是我的配置
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- Spring Security 3.0 namespace configuration: form login handled by a custom username/password
     filter, a custom logout filter, and a cap on concurrent sessions per account.
     NOTE(review): filterSecurity, authenticationSuccessHandler, customSessionLogoutHandler and
     userDetailService are referenced below but not defined in this file (three of the definitions
     are commented out); presumably they come from another context file. Confirm.
     NOTE(review): no intercept-url below carries an access attribute, so authorization appears to
     rest entirely on the filterSecurity bean. -->
<http lowercase-comparisons="false" path-type="ant" access-denied-page="/nopop.jsp">
<!-- When access is denied, the user is sent to nopop.jsp -->
<!-- filters="none" takes a path out of the security filter chain entirely: no authentication,
     no access checks and no SecurityContext on these requests.
     NOTE(review): /common/**, /layout/** and /web/** are broad patterns; verify they hold only
     static, non-sensitive resources. -->
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/nopop.jsp" filters="none" />
<intercept-url pattern="/uncaughtException.jsp" filters="none" />
<intercept-url pattern="/randomImage.jsp" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/common/**" filters="none" />
<intercept-url pattern="/layout/**" filters="none" />
<intercept-url pattern="/web/**" filters="none" />
<intercept-url pattern="/style/**" filters="none" />
<!-- Namespace form login. always-use-default-target="true" sends every successful login to
     /index.action rather than to a previously requested URL. -->
<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true"
default-target-url="/index.action" always-use-default-target="true" />
<!-- HTTP Basic is enabled in addition to form login.
     NOTE(review): Basic sends the credentials with every request; keep it only if a client needs
     it and the application is served over TLS. -->
<http-basic />
<!-- Custom login authentication filter, placed ahead of the namespace form-login filter -->
<custom-filter before="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
<!-- Default authentication -->
<custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurity" />
<!-- Custom logout filter -->
<custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
<!-- session-fixation-protection="none" switches off the namespace's session fixation defence,
     i.e. the session is not replaced at login by the namespace-managed filters.
     NOTE(review): prefer "migrateSession" unless there is a documented reason not to. The custom
     login filter uses its own strategy bean (concurrentSessionControlStrategy), so its behaviour
     is governed by that bean, not by this attribute.
     A request with an invalid session id is redirected to the logout URL. -->
<session-management session-fixation-protection="none" invalid-session-url="/j_spring_security_logout">
<concurrency-control session-registry-ref="sessionRegistry" expired-url="/login.jsp?error=repeat" /><!-- Page shown after a repeated login has expired the session -->
</session-management>
</http>
<!-- Injected into the custom login filter usernamePasswordAuthenticationFilter to limit the number of simultaneous logins per account (here: 2) -->
<beans:bean id="concurrentSessionControlStrategy"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="2" />
</beans:bean>
<!-- A custom filter; it must carry the three properties authenticationManager, accessDecisionManager and securityMetadataSource.
All of our access control is implemented in those three classes; see the specific configuration for details.
NOTE(review): this definition is commented out although the filter chain above references filterSecurity.
<beans:bean id="filterSecurity" class="com.ckm.console.security.auth.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
-->
<!-- Authentication manager, the entry point for user authentication; implementing the UserDetailsService interface is essentially all that is needed -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailService">
<!-- If user passwords are stored encrypted, a salt can be added.
NOTE(review): with the encoder commented out the provider compares passwords as stored, which
suggests plaintext storage; confirm. Unsalted MD5 would not be an adequate fix either; use a
salted, deliberately slow password hash.
<password-encoder hash="md5" />
-->
</authentication-provider>
</authentication-manager>
<!-- Access decision manager: decides whether the roles a user holds give enough permission to access a resource
<beans:bean id="accessDecisionManager" class="com.ckm.console.security.auth.LocalAccessDecisionManager" />
-->
<!-- Resource metadata source: defines which roles may access a given resource
<beans:bean id="securityMetadataSource" class="com.ckm.console.security.auth.InvocationSecurityMetadataSource" />
-->
<!-- Entry point that sends unauthenticated users to /authForbiden.jsp.
     NOTE(review): the http element above has no entry-point-ref, so this bean does not appear to
     be wired into the chain from this file; forceHttps="false" means the redirect is not forced
     onto HTTPS. -->
<beans:bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.web.authentication.AuthenticationProcessingFilterEntryPoint">
<beans:property name="loginFormUrl" value="/authForbiden.jsp"></beans:property>
<beans:property name="forceHttps" value="false" />
</beans:bean>
<!-- Custom login authentication service; stores the user's login information in the session.
     It processes /j_spring_security_check and applies concurrentSessionControlStrategy on login. -->
<beans:bean id="usernamePasswordAuthenticationFilter"
class="org.casic.javaframework.core.web.console.security.auth.LocalUsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
<!-- Turn on MD5 encoding of the password (currently off).
     NOTE(review): project-specific property; its exact effect is not visible here. -->
<beans:property name="passwordEncoderMd5" value="false" />
<!-- Turn on verification-code (CAPTCHA) checking (currently off).
     NOTE(review): with this off the login form presumably has no CAPTCHA check; make sure some
     other control limits repeated failed logins. -->
<beans:property name="validateCode" value="false" />
</beans:bean>
<!-- NOTE(review): commented-out success handler; the id is still referenced by usernamePasswordAuthenticationFilter.
<beans:bean id="authenticationSuccessHandler"
class="com.ckm.console.security.auth.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/index.action"></beans:property>
</beans:bean>
-->
<!-- Failed logins handled by the custom filter are sent back to /login.jsp -->
<beans:bean id="authenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.jsp"></beans:property>
</beans:bean>
<!-- Custom logout service: listens on /j_spring_security_logout, runs the listed handlers, then redirects to /login.jsp -->
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login.jsp" />
<beans:constructor-arg>
<beans:list>
<beans:ref bean="customSessionLogoutHandler" />
</beans:list>
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/j_spring_security_logout" />
</beans:bean>
<!-- NOTE(review): commented-out logout handler; the id is still referenced by logoutFilter.
<beans:bean id="customSessionLogoutHandler" class="com.ckm.console.security.logout.SessionLogoutHandler">
<beans:property name="sessionRegistry">
<beans:ref local="sessionRegistry" />
</beans:property>
</beans:bean>
-->
<!-- Session registry shared by the concurrency-control element and concurrentSessionControlStrategy -->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans:beans>
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- Spring Security 3.0 namespace configuration: form login handled by a custom username/password
     filter, a custom logout filter, and a cap on concurrent sessions per account.
     NOTE(review): filterSecurity, authenticationSuccessHandler, customSessionLogoutHandler and
     userDetailService are referenced below but not defined in this file (three of the definitions
     are commented out); presumably they come from another context file. Confirm.
     NOTE(review): no intercept-url below carries an access attribute, so authorization appears to
     rest entirely on the filterSecurity bean. -->
<http lowercase-comparisons="false" path-type="ant" access-denied-page="/nopop.jsp">
<!-- When access is denied, the user is sent to nopop.jsp -->
<!-- filters="none" takes a path out of the security filter chain entirely: no authentication,
     no access checks and no SecurityContext on these requests.
     NOTE(review): /common/**, /layout/** and /web/** are broad patterns; verify they hold only
     static, non-sensitive resources. -->
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/nopop.jsp" filters="none" />
<intercept-url pattern="/uncaughtException.jsp" filters="none" />
<intercept-url pattern="/randomImage.jsp" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/common/**" filters="none" />
<intercept-url pattern="/layout/**" filters="none" />
<intercept-url pattern="/web/**" filters="none" />
<intercept-url pattern="/style/**" filters="none" />
<!-- Namespace form login. always-use-default-target="true" sends every successful login to
     /index.action rather than to a previously requested URL. -->
<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true"
default-target-url="/index.action" always-use-default-target="true" />
<!-- HTTP Basic is enabled in addition to form login.
     NOTE(review): Basic sends the credentials with every request; keep it only if a client needs
     it and the application is served over TLS. -->
<http-basic />
<!-- Custom login authentication filter, placed ahead of the namespace form-login filter -->
<custom-filter before="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
<!-- Default authentication -->
<custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurity" />
<!-- Custom logout filter -->
<custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
<!-- session-fixation-protection="none" switches off the namespace's session fixation defence,
     i.e. the session is not replaced at login by the namespace-managed filters.
     NOTE(review): prefer "migrateSession" unless there is a documented reason not to. The custom
     login filter uses its own strategy bean (concurrentSessionControlStrategy), so its behaviour
     is governed by that bean, not by this attribute.
     A request with an invalid session id is redirected to the logout URL. -->
<session-management session-fixation-protection="none" invalid-session-url="/j_spring_security_logout">
<concurrency-control session-registry-ref="sessionRegistry" expired-url="/login.jsp?error=repeat" /><!-- Page shown after a repeated login has expired the session -->
</session-management>
</http>
<!-- Injected into the custom login filter usernamePasswordAuthenticationFilter to limit the number of simultaneous logins per account (here: 2) -->
<beans:bean id="concurrentSessionControlStrategy"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="2" />
</beans:bean>
<!-- A custom filter; it must carry the three properties authenticationManager, accessDecisionManager and securityMetadataSource.
All of our access control is implemented in those three classes; see the specific configuration for details.
NOTE(review): this definition is commented out although the filter chain above references filterSecurity.
<beans:bean id="filterSecurity" class="com.ckm.console.security.auth.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
-->
<!-- Authentication manager, the entry point for user authentication; implementing the UserDetailsService interface is essentially all that is needed -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailService">
<!-- If user passwords are stored encrypted, a salt can be added.
NOTE(review): with the encoder commented out the provider compares passwords as stored, which
suggests plaintext storage; confirm. Unsalted MD5 would not be an adequate fix either; use a
salted, deliberately slow password hash.
<password-encoder hash="md5" />
-->
</authentication-provider>
</authentication-manager>
<!-- Access decision manager: decides whether the roles a user holds give enough permission to access a resource
<beans:bean id="accessDecisionManager" class="com.ckm.console.security.auth.LocalAccessDecisionManager" />
-->
<!-- Resource metadata source: defines which roles may access a given resource
<beans:bean id="securityMetadataSource" class="com.ckm.console.security.auth.InvocationSecurityMetadataSource" />
-->
<!-- Entry point that sends unauthenticated users to /authForbiden.jsp.
     NOTE(review): the http element above has no entry-point-ref, so this bean does not appear to
     be wired into the chain from this file; forceHttps="false" means the redirect is not forced
     onto HTTPS. -->
<beans:bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.web.authentication.AuthenticationProcessingFilterEntryPoint">
<beans:property name="loginFormUrl" value="/authForbiden.jsp"></beans:property>
<beans:property name="forceHttps" value="false" />
</beans:bean>
<!-- Custom login authentication service; stores the user's login information in the session.
     It processes /j_spring_security_check and applies concurrentSessionControlStrategy on login. -->
<beans:bean id="usernamePasswordAuthenticationFilter"
class="org.casic.javaframework.core.web.console.security.auth.LocalUsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
<!-- Turn on MD5 encoding of the password (currently off).
     NOTE(review): project-specific property; its exact effect is not visible here. -->
<beans:property name="passwordEncoderMd5" value="false" />
<!-- Turn on verification-code (CAPTCHA) checking (currently off).
     NOTE(review): with this off the login form presumably has no CAPTCHA check; make sure some
     other control limits repeated failed logins. -->
<beans:property name="validateCode" value="false" />
</beans:bean>
<!-- NOTE(review): commented-out success handler; the id is still referenced by usernamePasswordAuthenticationFilter.
<beans:bean id="authenticationSuccessHandler"
class="com.ckm.console.security.auth.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/index.action"></beans:property>
</beans:bean>
-->
<!-- Failed logins handled by the custom filter are sent back to /login.jsp -->
<beans:bean id="authenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.jsp"></beans:property>
</beans:bean>
<!-- Custom logout service: listens on /j_spring_security_logout, runs the listed handlers, then redirects to /login.jsp -->
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login.jsp" />
<beans:constructor-arg>
<beans:list>
<beans:ref bean="customSessionLogoutHandler" />
</beans:list>
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/j_spring_security_logout" />
</beans:bean>
<!-- NOTE(review): commented-out logout handler; the id is still referenced by logoutFilter.
<beans:bean id="customSessionLogoutHandler" class="com.ckm.console.security.logout.SessionLogoutHandler">
<beans:property name="sessionRegistry">
<beans:ref local="sessionRegistry" />
</beans:property>
</beans:bean>
-->
<!-- Session registry shared by the concurrency-control element and concurrentSessionControlStrategy -->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans:beans>
#2
我也遇到这个问题,没人来为我们解答一下吗?
#3
在登陆事件里加上return false
#1
下面是我的配置
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- Spring Security 3.0 namespace configuration: form login handled by a custom username/password
     filter, a custom logout filter, and a cap on concurrent sessions per account.
     NOTE(review): filterSecurity, authenticationSuccessHandler, customSessionLogoutHandler and
     userDetailService are referenced below but not defined in this file (three of the definitions
     are commented out); presumably they come from another context file. Confirm.
     NOTE(review): no intercept-url below carries an access attribute, so authorization appears to
     rest entirely on the filterSecurity bean. -->
<http lowercase-comparisons="false" path-type="ant" access-denied-page="/nopop.jsp">
<!-- When access is denied, the user is sent to nopop.jsp -->
<!-- filters="none" takes a path out of the security filter chain entirely: no authentication,
     no access checks and no SecurityContext on these requests.
     NOTE(review): /common/**, /layout/** and /web/** are broad patterns; verify they hold only
     static, non-sensitive resources. -->
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/nopop.jsp" filters="none" />
<intercept-url pattern="/uncaughtException.jsp" filters="none" />
<intercept-url pattern="/randomImage.jsp" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/common/**" filters="none" />
<intercept-url pattern="/layout/**" filters="none" />
<intercept-url pattern="/web/**" filters="none" />
<intercept-url pattern="/style/**" filters="none" />
<!-- Namespace form login. always-use-default-target="true" sends every successful login to
     /index.action rather than to a previously requested URL. -->
<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true"
default-target-url="/index.action" always-use-default-target="true" />
<!-- HTTP Basic is enabled in addition to form login.
     NOTE(review): Basic sends the credentials with every request; keep it only if a client needs
     it and the application is served over TLS. -->
<http-basic />
<!-- Custom login authentication filter, placed ahead of the namespace form-login filter -->
<custom-filter before="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
<!-- Default authentication -->
<custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurity" />
<!-- Custom logout filter -->
<custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
<!-- session-fixation-protection="none" switches off the namespace's session fixation defence,
     i.e. the session is not replaced at login by the namespace-managed filters.
     NOTE(review): prefer "migrateSession" unless there is a documented reason not to. The custom
     login filter uses its own strategy bean (concurrentSessionControlStrategy), so its behaviour
     is governed by that bean, not by this attribute.
     A request with an invalid session id is redirected to the logout URL. -->
<session-management session-fixation-protection="none" invalid-session-url="/j_spring_security_logout">
<concurrency-control session-registry-ref="sessionRegistry" expired-url="/login.jsp?error=repeat" /><!-- Page shown after a repeated login has expired the session -->
</session-management>
</http>
<!-- Injected into the custom login filter usernamePasswordAuthenticationFilter to limit the number of simultaneous logins per account (here: 2) -->
<beans:bean id="concurrentSessionControlStrategy"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="2" />
</beans:bean>
<!-- A custom filter; it must carry the three properties authenticationManager, accessDecisionManager and securityMetadataSource.
All of our access control is implemented in those three classes; see the specific configuration for details.
NOTE(review): this definition is commented out although the filter chain above references filterSecurity.
<beans:bean id="filterSecurity" class="com.ckm.console.security.auth.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
-->
<!-- Authentication manager, the entry point for user authentication; implementing the UserDetailsService interface is essentially all that is needed -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailService">
<!-- If user passwords are stored encrypted, a salt can be added.
NOTE(review): with the encoder commented out the provider compares passwords as stored, which
suggests plaintext storage; confirm. Unsalted MD5 would not be an adequate fix either; use a
salted, deliberately slow password hash.
<password-encoder hash="md5" />
-->
</authentication-provider>
</authentication-manager>
<!-- Access decision manager: decides whether the roles a user holds give enough permission to access a resource
<beans:bean id="accessDecisionManager" class="com.ckm.console.security.auth.LocalAccessDecisionManager" />
-->
<!-- Resource metadata source: defines which roles may access a given resource
<beans:bean id="securityMetadataSource" class="com.ckm.console.security.auth.InvocationSecurityMetadataSource" />
-->
<!-- Entry point that sends unauthenticated users to /authForbiden.jsp.
     NOTE(review): the http element above has no entry-point-ref, so this bean does not appear to
     be wired into the chain from this file; forceHttps="false" means the redirect is not forced
     onto HTTPS. -->
<beans:bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.web.authentication.AuthenticationProcessingFilterEntryPoint">
<beans:property name="loginFormUrl" value="/authForbiden.jsp"></beans:property>
<beans:property name="forceHttps" value="false" />
</beans:bean>
<!-- Custom login authentication service; stores the user's login information in the session.
     It processes /j_spring_security_check and applies concurrentSessionControlStrategy on login. -->
<beans:bean id="usernamePasswordAuthenticationFilter"
class="org.casic.javaframework.core.web.console.security.auth.LocalUsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
<!-- Turn on MD5 encoding of the password (currently off).
     NOTE(review): project-specific property; its exact effect is not visible here. -->
<beans:property name="passwordEncoderMd5" value="false" />
<!-- Turn on verification-code (CAPTCHA) checking (currently off).
     NOTE(review): with this off the login form presumably has no CAPTCHA check; make sure some
     other control limits repeated failed logins. -->
<beans:property name="validateCode" value="false" />
</beans:bean>
<!-- NOTE(review): commented-out success handler; the id is still referenced by usernamePasswordAuthenticationFilter.
<beans:bean id="authenticationSuccessHandler"
class="com.ckm.console.security.auth.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/index.action"></beans:property>
</beans:bean>
-->
<!-- Failed logins handled by the custom filter are sent back to /login.jsp -->
<beans:bean id="authenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.jsp"></beans:property>
</beans:bean>
<!-- Custom logout service: listens on /j_spring_security_logout, runs the listed handlers, then redirects to /login.jsp -->
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login.jsp" />
<beans:constructor-arg>
<beans:list>
<beans:ref bean="customSessionLogoutHandler" />
</beans:list>
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/j_spring_security_logout" />
</beans:bean>
<!-- NOTE(review): commented-out logout handler; the id is still referenced by logoutFilter.
<beans:bean id="customSessionLogoutHandler" class="com.ckm.console.security.logout.SessionLogoutHandler">
<beans:property name="sessionRegistry">
<beans:ref local="sessionRegistry" />
</beans:property>
</beans:bean>
-->
<!-- Session registry shared by the concurrency-control element and concurrentSessionControlStrategy -->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans:beans>
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- Spring Security 3.0 namespace configuration: form login handled by a custom username/password
     filter, a custom logout filter, and a cap on concurrent sessions per account.
     NOTE(review): filterSecurity, authenticationSuccessHandler, customSessionLogoutHandler and
     userDetailService are referenced below but not defined in this file (three of the definitions
     are commented out); presumably they come from another context file. Confirm.
     NOTE(review): no intercept-url below carries an access attribute, so authorization appears to
     rest entirely on the filterSecurity bean. -->
<http lowercase-comparisons="false" path-type="ant" access-denied-page="/nopop.jsp">
<!-- When access is denied, the user is sent to nopop.jsp -->
<!-- filters="none" takes a path out of the security filter chain entirely: no authentication,
     no access checks and no SecurityContext on these requests.
     NOTE(review): /common/**, /layout/** and /web/** are broad patterns; verify they hold only
     static, non-sensitive resources. -->
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/nopop.jsp" filters="none" />
<intercept-url pattern="/uncaughtException.jsp" filters="none" />
<intercept-url pattern="/randomImage.jsp" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/common/**" filters="none" />
<intercept-url pattern="/layout/**" filters="none" />
<intercept-url pattern="/web/**" filters="none" />
<intercept-url pattern="/style/**" filters="none" />
<!-- Namespace form login. always-use-default-target="true" sends every successful login to
     /index.action rather than to a previously requested URL. -->
<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true"
default-target-url="/index.action" always-use-default-target="true" />
<!-- HTTP Basic is enabled in addition to form login.
     NOTE(review): Basic sends the credentials with every request; keep it only if a client needs
     it and the application is served over TLS. -->
<http-basic />
<!-- Custom login authentication filter, placed ahead of the namespace form-login filter -->
<custom-filter before="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
<!-- Default authentication -->
<custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurity" />
<!-- Custom logout filter -->
<custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
<!-- session-fixation-protection="none" switches off the namespace's session fixation defence,
     i.e. the session is not replaced at login by the namespace-managed filters.
     NOTE(review): prefer "migrateSession" unless there is a documented reason not to. The custom
     login filter uses its own strategy bean (concurrentSessionControlStrategy), so its behaviour
     is governed by that bean, not by this attribute.
     A request with an invalid session id is redirected to the logout URL. -->
<session-management session-fixation-protection="none" invalid-session-url="/j_spring_security_logout">
<concurrency-control session-registry-ref="sessionRegistry" expired-url="/login.jsp?error=repeat" /><!-- Page shown after a repeated login has expired the session -->
</session-management>
</http>
<!-- Injected into the custom login filter usernamePasswordAuthenticationFilter to limit the number of simultaneous logins per account (here: 2) -->
<beans:bean id="concurrentSessionControlStrategy"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="2" />
</beans:bean>
<!-- A custom filter; it must carry the three properties authenticationManager, accessDecisionManager and securityMetadataSource.
All of our access control is implemented in those three classes; see the specific configuration for details.
NOTE(review): this definition is commented out although the filter chain above references filterSecurity.
<beans:bean id="filterSecurity" class="com.ckm.console.security.auth.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
-->
<!-- Authentication manager, the entry point for user authentication; implementing the UserDetailsService interface is essentially all that is needed -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailService">
<!-- If user passwords are stored encrypted, a salt can be added.
NOTE(review): with the encoder commented out the provider compares passwords as stored, which
suggests plaintext storage; confirm. Unsalted MD5 would not be an adequate fix either; use a
salted, deliberately slow password hash.
<password-encoder hash="md5" />
-->
</authentication-provider>
</authentication-manager>
<!-- Access decision manager: decides whether the roles a user holds give enough permission to access a resource
<beans:bean id="accessDecisionManager" class="com.ckm.console.security.auth.LocalAccessDecisionManager" />
-->
<!-- Resource metadata source: defines which roles may access a given resource
<beans:bean id="securityMetadataSource" class="com.ckm.console.security.auth.InvocationSecurityMetadataSource" />
-->
<!-- Entry point that sends unauthenticated users to /authForbiden.jsp.
     NOTE(review): the http element above has no entry-point-ref, so this bean does not appear to
     be wired into the chain from this file; forceHttps="false" means the redirect is not forced
     onto HTTPS. -->
<beans:bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.web.authentication.AuthenticationProcessingFilterEntryPoint">
<beans:property name="loginFormUrl" value="/authForbiden.jsp"></beans:property>
<beans:property name="forceHttps" value="false" />
</beans:bean>
<!-- Custom login authentication service; stores the user's login information in the session.
     It processes /j_spring_security_check and applies concurrentSessionControlStrategy on login. -->
<beans:bean id="usernamePasswordAuthenticationFilter"
class="org.casic.javaframework.core.web.console.security.auth.LocalUsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
<!-- Turn on MD5 encoding of the password (currently off).
     NOTE(review): project-specific property; its exact effect is not visible here. -->
<beans:property name="passwordEncoderMd5" value="false" />
<!-- Turn on verification-code (CAPTCHA) checking (currently off).
     NOTE(review): with this off the login form presumably has no CAPTCHA check; make sure some
     other control limits repeated failed logins. -->
<beans:property name="validateCode" value="false" />
</beans:bean>
<!-- NOTE(review): commented-out success handler; the id is still referenced by usernamePasswordAuthenticationFilter.
<beans:bean id="authenticationSuccessHandler"
class="com.ckm.console.security.auth.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/index.action"></beans:property>
</beans:bean>
-->
<!-- Failed logins handled by the custom filter are sent back to /login.jsp -->
<beans:bean id="authenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.jsp"></beans:property>
</beans:bean>
<!-- Custom logout service: listens on /j_spring_security_logout, runs the listed handlers, then redirects to /login.jsp -->
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login.jsp" />
<beans:constructor-arg>
<beans:list>
<beans:ref bean="customSessionLogoutHandler" />
</beans:list>
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/j_spring_security_logout" />
</beans:bean>
<!-- NOTE(review): commented-out logout handler; the id is still referenced by logoutFilter.
<beans:bean id="customSessionLogoutHandler" class="com.ckm.console.security.logout.SessionLogoutHandler">
<beans:property name="sessionRegistry">
<beans:ref local="sessionRegistry" />
</beans:property>
</beans:bean>
-->
<!-- Session registry shared by the concurrency-control element and concurrentSessionControlStrategy -->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
</beans:beans>
#2
我也遇到这个问题,没人来为我们解答一下吗?
#3
在登陆事件里加上return false