【发布时间】:2018-08-06 09:57:28
【问题描述】:
我有“带有 Spring Boot 的 Vaadin 10”应用程序。我想允许用户一次从一个地方访问应用程序。所以我使用了maximumSessions(1)。例如,从 Chrome 浏览器中,我使用用户“XYZ”登录。现在使用同一个用户(即“XYZ”)我尝试登录到 Opera 浏览器。因此,按照下面显示的配置,它将使 Chrome 浏览器的会话过期,但不会重定向到“/login”。它显示消息“来自服务器的无效 JSON 响应”。下面是 Spring 的安全配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
// Not using Spring CSRF here to be able to use plain HTML for the login page
http.csrf().disable()
// Register our CustomRequestCache, that saves unauthorized access attempts, so
// the user is redirected after login.
.requestCache().requestCache(new CustomRequestCache())
// Restrict access to our application.
.and().authorizeRequests()
.antMatchers("/ForgetPassword","/ChangePassword","/login").permitAll()
// Allow all flow internal requests.
.requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
// Allow all requests by logged in users.
.anyRequest().authenticated()
// Configure the login page.
.and().formLogin().loginPage("/login").permitAll().loginProcessingUrl("/login")
.failureUrl("/login?error")
// Register the success handler that redirects users to the page they last tried
// to access
.successHandler(new SavedRequestAwareAuthenticationSuccessHandler())
// Configure logout
.and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL)
.deleteCookies("JSESSIONID")
//.invalidateHttpSession(true)
.and()
.sessionManagement()
//.invalidSessionUrl("/login")
.maximumSessions(1)
//.maxSessionsPreventsLogin(false)
.sessionRegistry(sessionRegistry())
.expiredUrl("/login");
【问题讨论】:
标签: spring-boot spring-security vaadin session-management