• SpringSecurity3.X


    http://hanqunfeng.iteye.com/blog/1163284

    http://www.iteye.com/topic/1117066

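    Straight to the problem: I want a given user to be able to access the system from only one session at a time. Naturally I thought of session-management. With Spring Security 2.x, the following configuration was all that was needed: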

    <sec:http entry-point-ref="casProcessingFilterEntryPoint"
              access-denied-page="/access/denied.do"
              access-decision-manager-ref="accessDecisionManager" auto-config="false">
        …………………………
        <sec:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="false" expired-url="/access/same_login.do" />
    </sec:http>

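    In other words, once the same user logs in a second time, the first login becomes invalid and has to authenticate again.

    With Spring Security 3.X, I tried the following configuration: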

    <http entry-point-ref="casEntryPoint" access-decision-manager-ref="accessDecisionManager"
          access-denied-page="/access/denied.do" auto-config="false">
        …………………………
        <session-management>
            <concurrency-control max-sessions="1" expired-url="/access/same_login.do"
                                 error-if-maximum-exceeded="false" />
        </session-management>
        <custom-filter position="CAS_FILTER" ref="casFilter" />
        <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
        <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
    </http>

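    It turned out to have no effect. I looked through the source code and more or less worked out why. Below is the sequence diagram for session management:

    As the diagram shows, the key to the check is ConcurrentSessionControlStrategy.

    CasAuthenticationFilter extends AbstractAuthenticationProcessingFilter, but the latter does not use ConcurrentSessionControlStrategy by default. It uses NullAuthenticatedSessionStrategy, a class that does nothing, so the configuration above cannot have any effect.

    So what do we have to do to make session-management actually work?

    First, a ConcurrentSessionControlStrategy must be injected into CasAuthenticationFilter.

    Second, ConcurrentSessionControlStrategy and ConcurrentSessionFilter need to use the same SessionRegistryImpl, so we only have to declare these beans explicitly.

    After consulting the official Spring Security 3.X reference documentation, I changed the configuration as follows: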

    <http entry-point-ref="casEntryPoint" access-decision-manager-ref="accessDecisionManager"
          access-denied-page="/access/denied.do" auto-config="false">
        …………………………
        <session-management
            session-authentication-strategy-ref="sessionAuthenticationStrategy" />
        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="CAS_FILTER" ref="casFilter" />
        <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
        <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
    </http>

    <beans:bean id="sessionAuthenticationStrategy"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry"
            ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />

    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/session-expired.htm" />
    </beans:bean>

    <!-- CAS authentication filter -->
    <beans:bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationFailureHandler"
            ref="authenticationFailureHandler" />
        <beans:property name="authenticationSuccessHandler"
            ref="authenticationSuccessHandler" />
        <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_check.do" />
        <beans:property name="sessionAuthenticationStrategy"
            ref="sessionAuthenticationStrategy" />
    </beans:bean>
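
    The difference between the default strategy and the injected one, and the need for a shared registry, can be reproduced outside the container. This is an added example, not code from the original post or from Spring Security itself; it assumes Spring Security 3.0/3.1, spring-test and the Servlet API on the classpath, and the class name `SessionStrategyDemo` and the user `alice` are constructed for illustration.

```java
// Added example, not from the original post. Assumes Spring Security 3.0/3.1,
// spring-test and the Servlet API on the classpath.
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

public class SessionStrategyDemo {   // hypothetical class name

    // Simulates one successful login for a constructed user; returns the session id.
    static String login(SessionAuthenticationStrategy strategy, String user) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        Authentication auth = new UsernamePasswordAuthenticationToken(user, "n/a");
        strategy.onAuthentication(auth, request, new MockHttpServletResponse());
        return request.getSession().getId();
    }

    public static void main(String[] args) {
        // The registry that ConcurrentSessionFilter consults on each request.
        SessionRegistry registry = new SessionRegistryImpl();

        // Filter default: two logins, nothing recorded, nothing to expire.
        SessionAuthenticationStrategy byDefault = new NullAuthenticatedSessionStrategy();
        login(byDefault, "alice");
        login(byDefault, "alice");
        System.out.println("default strategy, sessions in registry: "
                + registry.getAllSessions("alice", true).size());

        // Injected strategy, maximumSessions=1 as in the sessionAuthenticationStrategy bean.
        ConcurrentSessionControlStrategy strategy = new ConcurrentSessionControlStrategy(registry);
        strategy.setMaximumSessions(1);
        strategy.setExceptionIfMaximumExceeded(false); // expire the older session, do not reject
        String first = login(strategy, "alice");
        String second = login(strategy, "alice");
        System.out.println("first session expired:  "
                + registry.getSessionInformation(first).isExpired());
        System.out.println("second session expired: "
                + registry.getSessionInformation(second).isExpired());

        // A filter wired to a different registry instance cannot see either session.
        SessionRegistry other = new SessionRegistryImpl();
        System.out.println("visible in a separate registry: "
                + (other.getSessionInformation(first) != null));
    }
}
```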


  • Original article: https://www.cnblogs.com/danghuijian/p/4400050.html