给你看看我刚实现的代码
1.applicationContext-security.xml
自己重写ValidateCodeUsernamePasswordAuthenticationFilter继承UsernamePasswordAuthenticationFilter
2.ValidateCodeUsernamePasswordAuthenticationFilter.java
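/**
 * Username/password login filter that also verifies a validate code (CAPTCHA)
 * before delegating to the authentication manager.
 *
 * <p>The expected code is read from the HTTP session attribute named by
 * {@code sessionvalidateCodeField} and compared, ignoring case, with the
 * request parameter named by {@code validateCodeParameter}.
 *
 * <p>Security notes:
 * <ul>
 * <li>Setting {@code allowEmptyValidateCode} to {@code true} skips the check
 * for every request, not only for requests that omit the code. Leave it
 * {@code false} unless the login form really has no validate code.</li>
 * <li>The expected code is removed from the session as soon as it has been
 * compared, so one solved code cannot be replayed across many password
 * attempts. The component that renders the challenge must therefore store a
 * fresh code for every login page it serves.</li>
 * </ul>
 *
 * @author cb
 */
public class ValidateCodeUsernamePasswordAuthenticationFilter extends
        UsernamePasswordAuthenticationFilter {

    /** Default session attribute that holds the expected validate code. */
    public static final String DEFAULT_SESSION_VALIDATE_CODE_FIELD = "_validate_code";

    /** Default request parameter that carries the validate code typed into the form. */
    public static final String DEFAULT_VALIDATE_CODE_PARAMETER = "j_code";

    private boolean postOnly = true;
    private boolean allowEmptyValidateCode = false;
    private String sessionvalidateCodeField = DEFAULT_SESSION_VALIDATE_CODE_FIELD;
    private String validateCodeParameter = DEFAULT_VALIDATE_CODE_PARAMETER;

    /**
     * Builds the authentication token from the request, verifies the validate
     * code (unless the check is switched off) and hands the token to the
     * authentication manager.
     *
     * @param request the login request
     * @param response the response (not used here)
     * @return the result returned by the authentication manager
     * @throws AuthenticationException if the HTTP method is rejected, the
     *         validate code does not match, or the authentication manager
     *         rejects the credentials
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        // Constant-first comparison stays safe even if the container reports no method.
        if (postOnly && !"POST".equals(request.getMethod())) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: "
                            + request.getMethod());
        }

        String username = obtainUsername(request);
        String password = obtainPassword(request);
        if (username == null) {
            username = "";
        }
        if (password == null) {
            password = "";
        }
        username = username.trim();

        UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(username, password);

        // Place the last username attempted into HttpSession for views.
        // The value is entity-escaped because views may echo it back.
        HttpSession session = request.getSession(false);
        if (session != null || getAllowSessionCreation()) {
            request.getSession().setAttribute(
                    SPRING_SECURITY_LAST_USERNAME_KEY,
                    TextEscapeUtils.escapeEntities(username));
        }

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);

        // The validate code is checked before any credential reaches the
        // authentication manager, so a wrong code never triggers a password check.
        if (!isAllowEmptyValidateCode()) {
            checkValidateCode(request);
        }
        return this.getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * Compares the submitted validate code with the one stored in the session.
     *
     * <p>The stored code is consumed (removed from the session) whether or not
     * the comparison succeeds, which makes every code single-use.
     *
     * @param request the login request
     * @throws AuthenticationServiceException if no code was submitted, no code
     *         is stored in the session, or the two differ (ignoring case)
     */
    protected void checkValidateCode(HttpServletRequest request) {
        String expectedCode = obtainSessionValidateCode(request);
        String submittedCode = obtainValidateCodeParameter(request);

        // Consume the stored code before deciding: leaving it in the session
        // would let a single solved challenge back an unlimited number of
        // password guesses.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(sessionvalidateCodeField);
        }

        // An empty or missing expected code must never match; the explicit
        // check also guards against a subclass returning null.
        if (StringUtils.isEmpty(submittedCode)
                || StringUtils.isEmpty(expectedCode)
                || !expectedCode.equalsIgnoreCase(submittedCode)) {
            throw new AuthenticationServiceException("ValidateCode error");
        }
    }

    /**
     * Reads the validate code typed into the login form.
     *
     * @param request the login request
     * @return the parameter value, or {@code null} when the parameter is absent
     */
    private String obtainValidateCodeParameter(HttpServletRequest request) {
        return request.getParameter(validateCodeParameter);
    }

    /**
     * Reads the expected validate code from the session.
     *
     * <p>No session is created here: a request without a session cannot have
     * been issued a code, so it is treated the same as a missing code.
     *
     * @param request the login request
     * @return the stored code as a string, or {@code ""} when there is no
     *         session or no stored code
     */
    protected String obtainSessionValidateCode(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return "";
        }
        Object stored = session.getAttribute(sessionvalidateCodeField);
        return stored == null ? "" : stored.toString();
    }

    /** @return whether only POST requests are accepted */
    public boolean isPostOnly() {
        return postOnly;
    }

    /**
     * Sets whether only POST requests are accepted.
     *
     * <p>NOTE(review): this override updates only this class's own
     * {@code postOnly} field and does not call the superclass setter.
     *
     * @param postOnly {@code true} to reject every method other than POST
     */
    @Override
    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }

    /** @return the name of the session attribute that holds the expected code */
    public String getValidateCodeName() {
        return sessionvalidateCodeField;
    }

    /**
     * Sets the name of the session attribute that holds the expected code.
     *
     * @param validateCodeName the session attribute name
     */
    public void setValidateCodeName(String validateCodeName) {
        this.sessionvalidateCodeField = validateCodeName;
    }

    /** @return {@code true} when the validate code check is skipped entirely */
    public boolean isAllowEmptyValidateCode() {
        return allowEmptyValidateCode;
    }

    /**
     * Switches the validate code check on or off.
     *
     * @param allowEmptyValidateCode {@code true} skips the check for all
     *        login requests; {@code false} (the default) enforces it
     */
    public void setAllowEmptyValidateCode(boolean allowEmptyValidateCode) {
        this.allowEmptyValidateCode = allowEmptyValidateCode;
    }
}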
验证码是否正确，是利用 session 中保存的验证码来判断的。