Question
How can I deny a second log in (with the same or a different user) to an already authenticated HTTP session?
For form login I found the following work-arounds:
- Redirect in Controller
- Redirect in View
- Restrict the login page
But these work-arounds are not perfect, because I can still access the login-processing-url and execute a second login. That is a problem for all authentication mechanisms without a login page, like HTTP Basic Authentication and Kerberos.
My Java configuration:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class MyWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/**").hasAuthority("ROLE_user")
                    .and()
                .formLogin()
                    .loginProcessingUrl("/Login").permitAll()
                    .loginPage("/index.jsp").permitAll()
                    .defaultSuccessUrl("start.jsp")
                    .failureUrl("/index.jsp")
                    .and()
                .httpBasic();
        }
    }
Example:
- User A: Logs in with HTTP Basic Authentication.
- System: Creates a session and returns a session cookie.
- User B: Logs in with HTTP Basic Authentication on the same machine and sends the session cookie.
- System: Creates a new session, merges all values from old session into new session (see SessionFixationProtectionStrategy), destroys old session and returns new session cookie.
Answer 1:
Put the following entry in web.xml:
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
and in your Spring Security config, use the following snippet:
    <http>
        <session-management>
            <concurrency-control max-sessions="1" expired-url="/redirect-page" />
        </session-management>
    </http>
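The same concurrency control expressed in Java configuration, so it fits the question's `WebSecurityConfigurerAdapter` setup. This is an added example, not code from the question or the answer above; it assumes a Spring Boot servlet context (which registers the `HttpSessionEventPublisher` bean as a servlet listener automatically; in a web.xml deployment keep the `<listener>` entry from the answer instead) and it adds `maxSessionsPreventsLogin(true)`, which the answer's XML does not set, so that the second login is rejected instead of expiring the first session.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrencyControlSecurityConfig extends WebSecurityConfigurerAdapter {

    // Java-config equivalent of the <listener> entry in web.xml: the publisher
    // turns HttpSession creation/destruction into Spring events so the session
    // registry can drop sessions that were invalidated. Assumes Spring Boot,
    // which registers this bean as a servlet listener.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Registry that tracks which sessions belong to which principal; this is
    // what "max-sessions" is counted against.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").hasAuthority("ROLE_user")
                .and()
            .formLogin()
                .loginProcessingUrl("/Login").permitAll()
                .loginPage("/index.jsp").permitAll()
                .defaultSuccessUrl("start.jsp")
                .failureUrl("/index.jsp")
                .and()
            .httpBasic()
                .and()
            .sessionManagement()
                .maximumSessions(1)               // <concurrency-control max-sessions="1" ...>
                .maxSessionsPreventsLogin(true)   // reject the new login; default (false) expires the oldest session instead
                .expiredUrl("/redirect-page")     // expired-url="/redirect-page"
                .sessionRegistry(sessionRegistry());
    }
}
```

With `maxSessionsPreventsLogin(false)` (the XML's default) a second login by the same user succeeds and the older session is marked expired, so its next request is sent to `/redirect-page`; with `true` the second authentication attempt fails. Note that the count is kept per principal: this limits one user to one live session, but it does not by itself reject a different user authenticating against a session that is already authenticated, which is the second half of the question.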
Source: https://stackoverflow.com/questions/33283213/deny-log-in-with-already-authenticated-session