Spring Security教程（14）---- Logout和SessionManager

Logout的配置很简单，只需要在http中加入下面的配置就可以了

[html] view plaincopy

1. <sec:logout invalidate-session="true" logout-url="/logout"  
2.     logout-success-url="/login.jsp" />  

invalidate-session是否销毁Session

logout-url logout地址

logout-success-url logout成功后要跳转的地址

Session管理中最简单的配置方法是

[html] view plaincopy

1. <sec:session-management invalid-session-url="/login.jsp" />  

意思就是Session失效时跳转到login.jsp

配置同一事件，只能有一个用户登录系统。

网上有的例子是这样配置的

[html] view plaincopy

1. <sec:session-management invalid-session-url="/login.jsp" >  
2.     <sec:concurrency-control error-if-maximum-exceeded="true"  
3.         max-sessions="1" expired-url="/login.jsp"/>  
4. </sec:session-management>  

但是这种配置在3.2版本中不管用

在3.2版本中需要这样配置

首先在web.xml中加入一下配置

[html] view plaincopy

1. <listener>  
2.     <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>  
3. </listener>  

然后修改applicationContext-security.xml

[html] view plaincopy

1. <sec:http access-decision-manager-ref="accessDecisionManager"  
2.     entry-point-ref="authenticationEntryPoint">  
3.       
4.     <sec:access-denied-handler ref="accessDeniedHandler"/>  
5.       
6.     <sec:logout invalidate-session="true" logout-url="/logout"  
7.         logout-success-url="/login.jsp" />  
8.   
9.     <sec:session-management session-authentication-strategy-ref="concurrentSessionControlStrategy" />  
10.       
11.     <sec:remember-me   
12.         authentication-success-handler-ref="authenticationSuccessHandler"  
13.         data-source-ref="dataSource"  
14.         user-service-ref="userDetailService"  
15.     />  
16.           
17.       
18.     <sec:custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>  
19.     <sec:custom-filter ref="captchaAuthenticaionFilter" position="FORM_LOGIN_FILTER"/>  
20.     <sec:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>  
21. </sec:http>  
22.   
23. <bean id="captchaAuthenticaionFilter" class="com.zrhis.system.security.CaptchaAuthenticationFilter">  
24.     <property name="authenticationManager" ref="authenticationManager" />  
25.     <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />  
26.     <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />  
27.     <property name="filterProcessesUrl" value="/login.do" />  
28.     <property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy" />  
29. </bean>  
30.   
31. <bean id="authenticationSuccessHandler" class="com.zrhis.system.security.SavedRequestLoginSuccessHandler">  
32.     <property name="defaultTargetUrl" value="/index.jsp" />  
33.     <property name="forwardToDestination" value="true" />  
34.     <property name="alwaysUseDefaultTargetUrl" value="false" />  
35. </bean>  
36. <bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">  
37.     <property name="defaultFailureUrl" value="/login.jsp" />  
38. </bean>  
39.   
40. <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">  
41.     <property name="loginFormUrl" value="/login.jsp" />  
42. </bean>  
43.   
44. <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">  
45.     <constructor-arg name="sessionRegistry" ref="sessionRegistry" />  
46.     <constructor-arg name="expiredUrl" value="/sessionOut.jsp" />  
47. </bean>  
48.   
49. <bean id="concurrentSessionControlStrategy"  
50.     class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">  
51.     <constructor-arg name="sessionRegistry" ref="sessionRegistry" />  
52.     <property name="maximumSessions" value="1"></property>  
53. </bean>  
54.   
55. <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />