Spring Security教程（14）---- Logout和SessionManager

Logout的配置很简单，只需要在http中加入下面的配置就可以了

<sec:logout invalidate-session="true" logout-url="/logout"
	logout-success-url="/login.jsp" />

invalidate-session是否销毁Session

logout-url logout地址

logout-success-url logout成功后要跳转的地址

Session管理中最简单的配置方法是

<sec:session-management invalid-session-url="/login.jsp" />

意思就是Session失效时跳转到login.jsp

配置同一事件，只能有一个用户登录系统。

网上有的例子是这样配置的

<sec:session-management invalid-session-url="/login.jsp" >
	<sec:concurrency-control error-if-maximum-exceeded="true"
		max-sessions="1" expired-url="/login.jsp"/>
</sec:session-management>

但是这种配置在3.2版本中不管用

在3.2版本中需要这样配置

首先在web.xml中加入一下配置

<listener>
	<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

然后修改applicationContext-security.xml

	<sec:http access-decision-manager-ref="accessDecisionManager"
		entry-point-ref="authenticationEntryPoint">
		
		<sec:access-denied-handler ref="accessDeniedHandler"/>
		
		<sec:logout invalidate-session="true" logout-url="/logout"
			logout-success-url="/login.jsp" />

		<sec:session-management session-authentication-strategy-ref="concurrentSessionControlStrategy" />
		
		<sec:remember-me 
			authentication-success-handler-ref="authenticationSuccessHandler"
			data-source-ref="dataSource"
			user-service-ref="userDetailService"
		/>
			
		
		<sec:custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>
		<sec:custom-filter ref="captchaAuthenticaionFilter" position="FORM_LOGIN_FILTER"/>
		<sec:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
	</sec:http>

	<bean id="captchaAuthenticaionFilter" class="com.zrhis.system.security.CaptchaAuthenticationFilter">
		<property name="authenticationManager" ref="authenticationManager" />
		<property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
		<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
		<property name="filterProcessesUrl" value="/login.do" />
		<property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy" />
	</bean>
	
	<bean id="authenticationSuccessHandler" class="com.zrhis.system.security.SavedRequestLoginSuccessHandler">
		<property name="defaultTargetUrl" value="/index.jsp" />
		<property name="forwardToDestination" value="true" />
		<property name="alwaysUseDefaultTargetUrl" value="false" />
	</bean>
	<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
		<property name="defaultFailureUrl" value="/login.jsp" />
	</bean>
	
	<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
		<property name="loginFormUrl" value="/login.jsp" />
	</bean>
	
	<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
		<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
		<constructor-arg name="expiredUrl" value="/sessionOut.jsp" />
	</bean>
	
	<bean id="concurrentSessionControlStrategy"
		class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
		<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
		<property name="maximumSessions" value="1"></property>
	</bean>
	
	<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />