下面的代码配置为后台登录、前台登录验证处理。但是无法保存两个登录状态,要么是登录后台,要么是登录前台
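<!--<debug/>-->

<!-- One BCrypt encoder shared by both realms; each realm has its own user store and
     authentication manager, only the hashing scheme is common. -->
<beans:bean id="userBCryptEncoder"
            class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<!-- ===== Admin (back office) realm: everything under /admin/** ===== -->

<beans:bean id="adminUserDetailsService"
            class="com.fengyunhe.manager.service.AdminUserDetailsService">
    <beans:property name="jdbcTemplate" ref="jdbcTemplate"/>
</beans:bean>

<authentication-manager id="adminAuthenticationManager" alias="adminAuthenticationManager">
    <authentication-provider user-service-ref="adminUserDetailsService">
        <password-encoder ref="userBCryptEncoder"/>
    </authentication-provider>
</authentication-manager>

<!-- Admin login entry point (HTTPS, server side forward to the login form).
     NOTE(review): nothing in this fragment references this bean; the <http> chain below
     gets its entry point from <form-login>. Either wire it with entry-point-ref on the
     admin <http> element or drop it, so that the real entry point is the one configured here. -->
<beans:bean id="adminLoginEntryPoint" class="com.fengyunhe.manager.AdminLoginEntryPoint">
    <beans:constructor-arg name="loginFormUrl" value="/admin/login"/>
    <beans:property name="forceHttps" value="true"/>
    <beans:property name="useForward" value="true"/>
</beans:bean>

<!-- AffirmativeBased: any single voter granting access is enough. WebExpressionVoter is what
     evaluates the hasRole()/permitAll() expressions used in the intercept-url rules. -->
<beans:bean id="adminAccessDecisionManager"
            class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:constructor-arg name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<!-- Admin filter chain.
     Why an admin login and a member login cannot coexist with this configuration:
     both <http> chains live in the same servlet session (one JSESSIONID cookie for the whole
     application) and, by default, both persist the Authentication under the same session
     attribute (SPRING_SECURITY_CONTEXT). Logging in to one realm therefore overwrites the
     other realm's Authentication, and <logout invalidate-session="true"> in either realm
     destroys both. Keeping two logins at once needs a separate SecurityContextRepository per
     chain (security-context-repository-ref on <http>) that stores under distinct session
     keys, or separate applications with separate session cookies. -->
<http pattern="/admin/**"
      authentication-manager-ref="adminAuthenticationManager"
      access-decision-manager-ref="adminAccessDecisionManager"
      use-expressions="true"
      access-denied-page="/admin/login">
    <!-- The remember-me key signs the persistent login token: use a long random value and a
         different one per realm. Both realms currently share the key AND the default cookie
         name, so a member's remember-me cookie is also presented to this chain; a failed
         remember-me attempt here is likely to cancel (expire) that cookie. A per-realm cookie
         name (remember-me-cookie attribute, Spring Security 3.2+) avoids that clash.
         use-secure-cookie: the admin realm is HTTPS only, so the token must never travel
         over plain HTTP. -->
    <remember-me key="fengyunhe" user-service-ref="adminUserDetailsService" use-secure-cookie="true"/>
    <intercept-url pattern="/admin/login" access="permitAll()" requires-channel="https"/>
    <intercept-url pattern="/admin/login_submit" access="permitAll()" requires-channel="https"/>
    <form-login login-page="/admin/login"
                default-target-url="/admin/"
                authentication-failure-url="/admin/login"
                login-processing-url="/admin/login_submit"
                always-use-default-target="true"/>
    <logout logout-url="/admin/logout"
            invalidate-session="true"
            delete-cookies="JSESSIONID"
            logout-success-url="/admin/login"/>
    <!-- Catch-all rule last: intercept-url rules are matched in document order. -->
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
    <session-management invalid-session-url="/admin/login"
                        session-authentication-error-url="/admin/login"
                        session-fixation-protection="migrateSession">
        <!--<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>-->
    </session-management>
</http>

<!-- ===== Member (front office) realm: everything under /member/** ===== -->

<beans:bean id="memberUserDetailsService"
            class="com.fengyunhe.member.service.MemberUserDetailsService">
    <beans:property name="jdbcTemplate" ref="jdbcTemplate"/>
</beans:bean>

<authentication-manager id="memberAuthenticationManager" alias="memberAuthenticationManager">
    <authentication-provider user-service-ref="memberUserDetailsService">
        <password-encoder ref="userBCryptEncoder"/>
    </authentication-provider>
</authentication-manager>

<!-- NOTE(review): unreferenced in this fragment, same remark as adminLoginEntryPoint. -->
<beans:bean id="memberLoginEntryPoint" class="com.fengyunhe.member.MemberLoginEntryPoint">
    <beans:constructor-arg name="loginFormUrl" value="/member/login"/>
    <beans:property name="forceHttps" value="true"/>
    <beans:property name="useForward" value="true"/>
</beans:bean>

<beans:bean id="memberAccessDecisionManager"
            class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:constructor-arg name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<!-- Member filter chain; see the admin chain above for why the two logins overwrite each other. -->
<http pattern="/member/**"
      authentication-manager-ref="memberAuthenticationManager"
      access-decision-manager-ref="memberAccessDecisionManager"
      use-expressions="true"
      access-denied-page="/member/login">
    <!-- Same remember-me remarks as the admin chain: distinct key and cookie name per realm. -->
    <remember-me key="fengyunhe" user-service-ref="memberUserDetailsService" use-secure-cookie="true"/>
    <intercept-url pattern="/member/login" access="permitAll()" requires-channel="https"/>
    <intercept-url pattern="/member/login_submit" access="permitAll()" requires-channel="https"/>
    <form-login login-page="/member/login"
                default-target-url="/member/"
                authentication-failure-url="/member/login"
                login-processing-url="/member/login_submit"
                username-parameter="username"
                password-parameter="password"
                always-use-default-target="true"/>
    <logout logout-url="/member/logout"
            invalidate-session="true"
            delete-cookies="JSESSIONID"
            logout-success-url="/member/login"/>
    <!-- Was requires-channel="http". Logging in over HTTPS and then serving the authenticated
         area over HTTP sends the session cookie in clear text, where it can be captured and
         replayed; it is also what forced session fixation protection to be switched off
         (the post-login session cookie was Secure and unusable on HTTP). Keeping the whole
         authenticated area on HTTPS removes both problems. -->
    <intercept-url pattern="/member/**" access="hasRole('ROLE_MEMBER')" requires-channel="https"/>
    <!-- Was session-fixation-protection="none"; re-enabled with the same setting as the admin
         chain so that a session id fixed before login is not kept after login. -->
    <session-management session-fixation-protection="migrateSession">
        <!--<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>-->
    </session-management>
</http>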
注意,如果要关闭固定session攻击防御,则只能配置 session-fixation-protection="none",不能再带其他属性,否则仍然会开启固定session攻击防御。开启后会对"用https登录后切回http"这种方式造成影响:因为登录时session发生了变化,新发的sessionId是secure的,在http下无法获取到,所以跳回http后仍然停留在登录页面。