问题
I followed the example below to integrate Spring Security into Wicket: https://github.com/thombergs/wicket-spring-security-example.
I changed spring-security.xml file to configure the concurrency control as follows.
<!-- Spring Security namespace configuration (3.1 schemas): HTTPS-only URL rules,
form login, a one-session-per-user limit, and an in-memory list of sample users. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- create-session="never": Spring Security will not create an HttpSession itself,
it only uses one that the application has already created. -->
<http use-expressions="true" create-session="never" auto-config="true">
<!-- <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"
/> -->
<!-- <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" /> -->
<!-- URL rules are matched in declaration order, so /secure/extreme/** must stay
above the broader /secure/** rule. Every rule also forces HTTPS. -->
<intercept-url pattern="/" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/home" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/login" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/**/*.png" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/**/*.css" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"
requires-channel="https" />
<intercept-url pattern="/secure/**" access="isAuthenticated()"
requires-channel="https" />
<!-- NOTE(review): the catch-all rule below is commented out, so a path that matches
none of the patterns above gets neither an access rule nor an HTTPS requirement
from this file. Confirm that every protected page is mounted under /secure/. -->
<!-- <intercept-url pattern="/**" access="permitAll" requires-channel="https"
/> -->
<!-- the login page is a wicket page mounted in WicketApplication.init() -->
<form-login login-page="/login" default-target-url='/home'
always-use-default-target='true' />
<!-- Limits each principal to one session. With error-if-maximum-exceeded="true" a
second login is rejected; with "false" (the default) the earlier session is
expired instead.
NOTE(review): session-registry-alias reuses the name "authenticationManager",
which is also the alias of the authentication-manager element below. This looks
like a bean-name clash, and session-registry-ref already selects the registry.
Confirm and drop the alias if unintended.
NOTE(review): the limit is applied by Spring Security's session authentication
strategy when a login passes through its own filters. The comments in this file
say login is done by a Wicket page and SecureWebSession.authenticate(), which
presumably bypasses that strategy. Verify against the Wicket code. -->
<session-management>
<concurrency-control max-sessions="1"
session-registry-alias="authenticationManager" expired-url="/login"
error-if-maximum-exceeded="true" session-registry-ref="sessionRegistry" />
</session-management>
<!-- <session-management session-authentication-error-url="/login"> <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> </session-management> -->
<!-- <session-management invalid-session-url="/login" /> -->
</http>
<!-- <beans:bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" /> <beans:property name="authenticationManager" ref="authenticationManager" /> </beans:bean> -->
<!-- Sample in-memory accounts: passwords are stored in clear text and no
password-encoder is configured. Suitable for a demo only. Real deployments
need hashed credentials held outside the configuration file. -->
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="rod" password="koala" authorities="supervisor, teller, user" />
<user name="dianne" password="emu" authorities="teller, user" />
<user name="scott" password="wombat" authorities="user" />
<user name="peter" password="opal" authorities="user" />
</user-service>
</authentication-provider>
</authentication-manager>
<!-- Declared but not wired into the filter chain by this file: the custom-filter
element that referenced it is commented out inside the http element. The
concurrency-control element is expected to register its own
ConcurrentSessionFilter. -->
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/login" />
</beans:bean>
<!-- <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="maximumSessions" value="1" /> </beans:bean> -->
<!-- Registry of principals and their sessions, referenced by concurrency-control
and by concurrencyFilter. It only drops ended sessions if
HttpSessionEventPublisher is registered as a listener in web.xml. -->
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" autowire="default" />
<!-- This filter is responsible for storing the SecurityContextHolder between
requests. Also see SecureWebSession.authenticate(). -->
<beans:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
</beans:beans>
web.xml file :
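<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Servlet 3.0 deployment descriptor: loads the Spring Security context, then
routes every request through the Spring Security filter chain and on to the
Wicket filter. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <display-name>wicket-spring-security-example</display-name>

  <!-- Location of the Spring context read by ContextLoaderListener. -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      classpath:spring-security.xml
    </param-value>
  </context-param>

  <!-- Creates the root Spring application context at startup. The element name
       must be written without a space (listener-class) for the descriptor to
       be well-formed. -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- Forwards HttpSession lifecycle events to the Spring context. Concurrent
       session control relies on this so the SessionRegistry can drop sessions
       that have ended. -->
  <listener>
    <listener-class>
      org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
  </listener>

  <!-- DelegatingFilterProxy looks up the Spring bean named after the filter,
       here springSecurityFilterChain. -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter>
    <filter-name>wicket.wicket-spring-security-example</filter-name>
    <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
    <init-param>
      <param-name>applicationClassName</param-name>
      <param-value>org.wickedsource.WicketApplication</param-value>
    </init-param>
  </filter>

  <!-- Mapping order is significant: the security chain is declared first so it
       runs before the Wicket filter on every request. -->
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>wicket.wicket-spring-security-example</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- session-timeout is in minutes; 1 is presumably a test value.
       NOTE(review): no cookie-config is set. As the URL rules are HTTPS-only,
       consider marking the session cookie secure and http-only through the
       Servlet 3.0 cookie-config element. -->
  <session-config>
    <session-timeout>1</session-timeout>
  </session-config>
</web-app>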
My Questions :
1) Concurrency control is not working with the above configuration. I am able to log in from multiple browsers.
2) Single sign-in per user: when user 'x' is already logged in and the same user 'x' logs in again, I want to invalidate the previously logged-in session. How can I achieve this?
回答1:
1) It probably doesn't work since the Session Management in the example is handled by Wicket and not by Spring Security, so you must find a way to enable this in Wicket.
2) The Wicket Session class has the method replaceSession() that you can use to create a new session on login. Try this.
来源:https://stackoverflow.com/questions/16720617/concurrency-control-configurarion-using-spring-security-in-wicket-6-7-0