我具有以下弹簧配置:-
static SessionRegistry SR;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/forgotPwd", "/resetPwd").permitAll()
.anyRequest().authenticated().and().formLogin().loginPage("/login")
.defaultSuccessUrl("/home").failureUrl("/login?error").permitAll()
.successHandler(authenticationSuccessHandler) // autowired or defined below
.and().logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessHandler(myLogoutSuccessHandler)
.permitAll()
.and().sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true)
.sessionRegistry(SR);
}
@Bean
public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
}
我期望sessionManagement().maximumSessions(1)
禁止同一用户进行多次登录。它正在工作,但是该应用程序的第一个用户logout
,所以我尝试在另一个浏览器中登录,但显示为This account is already using by someone
。
请您让我知道问题出在哪里。
您应该注销注销时使用的cookie无效的用户会话和/或删除具有cookie的cookie。
.logout().deleteCookies(...).invalidateHttpSession(true)
删除httpSessionEventPublisher
和SessionRegistry
尝试此配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/", "/forgotPwd", "/resetPwd").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").defaultSuccessUrl("/home").failureUrl("/login?error").permitAll()
.and()
.sessionManagement()
.maximumSessions(1);
}
您可以在application.properties
中设置会话定时输出>
server.session.timeout= # Session timeout in seconds.