网站上线后,建设银行支行网站,网站开发与管理所对应的职位及岗位,求网站建设这篇文章主要介绍了Spring Security实现禁止用户重复登陆的配置原理,文中通过示例代码介绍的非常详细#xff0c;对大家的学习或者工作具有一定的参考学习价值,需要的朋友可以参考下系统使用了Spring Security做权限管理#xff0c;现在对于系统的用户#xff0c;需要改动配…这篇文章主要介绍了Spring Security实现禁止用户重复登陆的配置原理,文中通过示例代码介绍的非常详细对大家的学习或者工作具有一定的参考学习价值,需要的朋友可以参考下系统使用了Spring Security做权限管理现在对于系统的用户需要改动配置实现无法多地登陆。一、SpringMVC项目配置如下首先在修改Security相关的XML我这里是spring-security.xml修改UsernamePasswordAuthenticationFilter相关Bean的构造配置加入新增sas的Bean及其相关配置classorg.springframework.security.core.session.SessionRegistryImpl /加入ConcurrentSessionFilter相关Bean配置classorg.springframework.security.web.session.ConcurrentSessionFilterclassorg.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy二、SpringBoot项目略三、Bean配置说明SessionAuthenticationStrategy该接口中存在onAuthentication方法用于对新登录用户进行session相关的校验。查看UsernamePasswordAuthenticationFilter及其父类代码可以发现在doFilter中存在sessionStrategy.onAuthentication(authResult, request, response);方法但UsernamePasswordAuthenticationFilter中的sessionStrategy对象默认为NullAuthenticatedSessionStrategy即不对session进行相关验证。如本文配置建立id为sas的CompositeSessionAuthenticationStrategy的Bean对象。CompositeSessionAuthenticationStrategy可以理解为一个托管类托管所有实现SessionAuthenticationStrategy接口的对象用来批量托管执行onAuthentication函数这里CompositeSessionAuthenticationStrategy中注入了三个对象关注ConcurrentSessionControlAuthenticationStrategy它实现了对于session并发的控制UsernamePasswordAuthenticationFilter的Bean中注入新配置的sas用于替换原本的NullAuthenticatedSessionStrategyConcurrentSessionFilter的Bean用来验证session是否失效并通过SimpleRedirectSessionInformationExpiredStrategy将失败访问进行跳转。四、代码流程说明(这里模拟用户现在A处登录随后用户在B处登录之后A处再进行操作时会返回失败提示重新登录)1、用户在A处登录UsernamePasswordAuthenticationFilter调用sessionStrategy.onAuthentication进行session验证2、ConcurrentSessionControlAuthenticationStrategy中的onAuthentication开始进行session验证服务器中保存了登录后的session/*** In addition to the steps from the superclass, the sessionRegistry will be updated* with the new session information.*/public void onAuthentication(Authentication authentication,HttpServletRequest request, HttpServletResponse response) {//根据所登录的用户信息查询相对应的现存session列表final List sessions sessionRegistry.getAllSessions(authentication.getPrincipal(), false);int sessionCount sessions.size();//获取session并发数量对于XML中的maximumSessionsint allowedSessions getMaximumSessionsForThisUser(authentication);//判断现有session列表数量和并发控制数间的关系//如果是首次登录根据xml配置这里应该是01程序将会继续向下执行//最终执行到SessionRegistryImpl的registerNewSession进行新session的保存if (sessionCount allowedSessions) {// They havent got too many login sessions running at presentreturn;}if (allowedSessions -1) {// We permit unlimited loginsreturn;}if (sessionCount allowedSessions) {//获取本次http请求的sessionHttpSession session request.getSession(false);if (session ! null) {// Only permit it though if this request is associated with one of the// already registered sessionsfor (SessionInformation si : sessions) {//循环已保存的session列表判断本次http请求session是否已经保存if (si.getSessionId().equals(session.getId())) {//本次http请求是有效请求返回执行下一个filterreturn;}}}// If the session is null, a new one will be created by the parent class,// exceeding the allowed number}//本次http请求为新请求进入具体判断allowableSessionsExceeded(sessions, allowedSessions, sessionRegistry);}/*** Allows subclasses to customise behaviour when too many sessions are detected.** param sessions either null or all unexpired sessions associated with* the principal* param allowableSessions the number of concurrent sessions the user is allowed to* have* param registry an instance of the SessionRegistry for subclass use**/protected void allowableSessionsExceeded(List sessions,int allowableSessions, SessionRegistry registry)throws SessionAuthenticationException {//根据exceptionIfMaximumExceeded判断是否要将新http请求拒绝//exceptionIfMaximumExceeded也可以在XML中配置if (exceptionIfMaximumExceeded || (sessions null)) {throw new SessionAuthenticationException(messages.getMessage(ConcurrentSessionControlAuthenticationStrategy.exceededAllowed,new Object[] { Integer.valueOf(allowableSessions) },Maximum sessions of {0} for this principal exceeded));}// Determine least recently used session, and mark it for invalidationSessionInformation leastRecentlyUsed null;//若不拒绝新请求遍历现存seesion列表for (SessionInformation session : sessions) {//获取上一次/已存的session信息if ((leastRecentlyUsed null)|| session.getLastRequest().before(leastRecentlyUsed.getLastRequest())) {leastRecentlyUsed session;}}//将上次session信息写为无效(欺骗)leastRecentlyUsed.expireNow();}3、用户在B处登录再次通过ConcurrentSessionControlAuthenticationStrategy的检查将A处登录的session置于无效状态并在session列表中添加本次session4、用户在A处尝试进行其他操作ConcurrentSessionFilter进行Session相关的验证发现A处用户已经失效提示重新登录public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {HttpServletRequest request (HttpServletRequest) req;HttpServletResponse response (HttpServletResponse) res;//获取本次http请求的sessionHttpSession session request.getSession(false);if (session ! null) {//从本地session关系表中取出本次http访问的具体session信息SessionInformation info sessionRegistry.getSessionInformation(session.getId());//如果存在信息则继续执行if (info ! null) {//判断session是否已经失效(这一步在本文4.2中被执行)if (info.isExpired()) {// Expired - abort processingif (logger.isDebugEnabled()) {logger.debug(Requested session ID request.getRequestedSessionId() has expired.);}//执行登出操作doLogout(request, response);//从XML配置中的redirectSessionInformationExpiredStrategy获取URL重定向信息页面跳转到登录页面this.sessionInformationExpiredStrategy.onExpiredSessionDetected(new SessionInformationExpiredEvent(info, request, response));return;}else {// Non-expired - update last request date/timesessionRegistry.refreshLastRequest(info.getSessionId());}}}chain.doFilter(request, response);}5、A处用户只能再次登录这时B处用户session将会失效重登如此循环以上就是本文的全部内容希望对大家的学习有所帮助也希望大家多多支持脚本之家。
