Logout的配置很简单，只需要在http中加入下面的配置就可以了 ~~~ <sec:logout invalidate-session="true" logout-url="/logout" logout-success-url="/login.jsp" /> ~~~ invalidate-session是否销毁Session logout-url logout地址 logout-success-url logout成功后要跳转的地址 Session管理中最简单的配置方法是 ~~~ <sec:session-management invalid-session-url="/login.jsp" /> ~~~ 意思就是Session失效时跳转到login.jsp 配置同一事件，只能有一个用户登录系统。 网上有的例子是这样配置的 ~~~ <sec:session-management invalid-session-url="/login.jsp" > <sec:concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login.jsp"/> </sec:session-management> ~~~ 但是这种配置在3.2版本中不管用 在3.2版本中需要这样配置 首先在web.xml中加入一下配置 ~~~ <listener> <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> </listener> ~~~ 然后修改applicationContext-security.xml ~~~ <sec:http access-decision-manager-ref="accessDecisionManager" entry-point-ref="authenticationEntryPoint"> <sec:access-denied-handler ref="accessDeniedHandler"/> <sec:logout invalidate-session="true" logout-url="/logout" logout-success-url="/login.jsp" /> <sec:session-management session-authentication-strategy-ref="concurrentSessionControlStrategy" /> <sec:remember-me authentication-success-handler-ref="authenticationSuccessHandler" data-source-ref="dataSource" user-service-ref="userDetailService" /> <sec:custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/> <sec:custom-filter ref="captchaAuthenticaionFilter" position="FORM_LOGIN_FILTER"/> <sec:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/> </sec:http> <bean id="captchaAuthenticaionFilter" class="com.zrhis.system.security.CaptchaAuthenticationFilter"> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationFailureHandler" ref="authenticationFailureHandler" /> <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" /> <property name="filterProcessesUrl" value="/login.do" /> <property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy" /> </bean> <bean id="authenticationSuccessHandler" class="com.zrhis.system.security.SavedRequestLoginSuccessHandler"> <property name="defaultTargetUrl" value="/index.jsp" /> <property name="forwardToDestination" value="true" /> <property name="alwaysUseDefaultTargetUrl" value="false" /> </bean> <bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> <property name="defaultFailureUrl" value="/login.jsp" /> </bean> <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> <property name="loginFormUrl" value="/login.jsp" /> </bean> <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"> <constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <constructor-arg name="expiredUrl" value="/sessionOut.jsp" /> </bean> <bean id="concurrentSessionControlStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> <constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <property name="maximumSessions" value="1"></property> </bean> <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> ~~~