java Spring安全性在登录失败后阻止用户
我用的是spring security 3
我试图登录应用程序,但输入了错误的用户/通行证组合。在三次错误尝试后,我填写了正确的用户/通行证组合,但它仍然返回:
Your login attempt was not successful, try again.
Reason: Bad credentials
在开发阶段,这(有点)没问题,因为我只需重新启动服务器,就可以正常登录,但在生产阶段,我不能每次有人忘记密码时都重新启动服务器
我想也许在超时后我仍然可以登录,但这也不起作用
应用安全网。xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:property-placeholder location="file:${PROPERTIES_HOME}/app.properties" ignore-unresolvable="true"/>
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<session-management>
<concurrency-control max-sessions="3" error-if-maximum-exceeded="false"/>
</session-management>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userService" />
</authentication-manager>
<user-service id="userService">
<user name="foo" password="bar" authorities="ROLE_USER"/>
</user-service>
</beans:beans>
网络。xml
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>PM app</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:app-service-context.xml
classpath:app-dao-context.xml
/WEB-INF/app-web-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<servlet>
<servlet-name>pmapp-web</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>app-web</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>CXFServlet</servlet-name>
<servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<mime-mapping>
<extension>js</extension>
<mime-type>text/javascript</mime-type>
</mime-mapping>
<filter>
<filter-name>urlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>urlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<resource-ref>
<res-ref-name>jdbc/App</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
<mapped-name>App</mapped-name>
</resource-ref>
</web-app>
我希望用户能够在n分钟后登录(取消阻止),或者在阻止用户之前设置尝试次数。任何其他想法都欢迎
我使用的是spring 3.0.6。发布和spring security 3.0.6。释放
谢谢
# 1 楼答案
Spring security在尝试3次失败后不会阻止用户。您可以实现yr own though
Max concurrent sessions只是限制单个用户同时单独登录的次数
# 2 楼答案
试试SpringSecurity 3.0.7。释放这为我解决了完全相同的问题