我试图限制用户多次签名（迫使上一个会话过期）。

我检查了这个专题的文件在这里。我将其设置与文档非常相似，但是用户并不仅限于一次会话。我可以使用同一用户多次登录（在不同的浏览器中），并进行多个并发会话。

我认为这是我的安全设置的相关部分。我正在使用自定义UserDetailsS​​ervice，UserDetails和AuthenticationFilter实现。

    <http entry-point-ref="authenticationEntryPoint">
        <!-- Make sure everyone can access the login page -->
        <intercept-url pattern="/login.do*" filters="none" />

        [...]

        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter" />

        <logout logout-url="/logout" logout-success-url="/login.do" />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder hash="sha" />
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="userDetailsService" class="[...]">
        <beans:property name="userManager" ref="userManager" />
    </beans:bean>

    <beans:bean id="authenticationFilter" class="[...]">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="eventPublisher">
            <beans:bean
                class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />
        </beans:property>
        <beans:property name="filterProcessesUrl" value="/security_check" />
        <beans:property name="authenticationFailureHandler">
            <beans:bean
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <beans:property name="defaultFailureUrl" value="/login.do?login_error=true" />
            </beans:bean>
        </beans:property>
        <beans:property name="sessionAuthenticationStrategy"
            ref="sessionAuthenticationStrategy" />
    </beans:bean>

    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.do" />
    </beans:bean>

    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/login.do?login_error=true!" />
    </beans:bean>

    <beans:bean id="sessionAuthenticationStrategy"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry"
            ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />

我还在org.springframework.security.web.session.HttpSessionEventPublisher我的web.xml文件中注册为侦听器。

据我所知，我已经根据文档进行了配置。我不知道为什么这不起作用。这与我使用基于表单的登录名有关吗？还是上面提到的我的自定义实现？