我想在我的应用程序中为单个用户限制一个最大会话,我使用的是spring boot和基于java的config.I使用了spring max session 1.但它不适用于我。 这是我基于java的spring配置文件
package com.prcvideoplt.prc;
import javax.annotation.Resource;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import com.prcvideoplt.handlers.LoginFailureHandler;
import com.prcvideoplt.handlers.LoginSuccessHandler;
import com.prcvideoplt.handlers.LogoutSuccessHandler;
import com.prcvideoplt.service.security.CompanyBasedCustomFilter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity
@ComponentScan(basePackages = "com.prcvideoplt")
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Resource(name = "custUserDetails")
private UserDetailsService userDetailsService;
@Override
@Bean
public UserDetailsService userDetailsService() {
return super.userDetailsService();
}
@Bean(name = "passwordEncoder")
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(13);
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Configuration
@Order(value = 1)
public static class UserWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Resource(name = "loginSuccessHandler")
private LoginSuccessHandler loginSuccessHandler;
@Resource(name = "loginFailureHandler")
private LoginFailureHandler loginFailureHandler;
@Resource(name = "logoutSuccesshandler")
private LogoutSuccessHandler logoutSuccesshandler;
@Autowired
DataSource dataSource;
@Autowired
UserDetailsService userDetailsService;
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/assets/**");
}
@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
return new HttpSessionEventPublisher();
}
@Bean
public CompanyBasedCustomFilter authenticationFilter() throws Exception {
CompanyBasedCustomFilter authFilter = new CompanyBasedCustomFilter();
authFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/authenticate", "POST"));
authFilter.setAuthenticationSuccessHandler(loginSuccessHandler);
authFilter.setAuthenticationFailureHandler(loginFailureHandler);
authFilter.setAuthenticationManager(authenticationManager());
return authFilter;
}
@Override
@Bean(name = "authenticationManager")
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
@Bean
public PersistentTokenRepository persistentTokenRepository() {
JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
tokenRepositoryImpl.setDataSource(dataSource);
return tokenRepositoryImpl;
}
@Bean
public SessionRegistry sessionRegistry() {
SessionRegistry sessionRegistry = new SessionRegistryImpl();
return sessionRegistry;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().antMatchers(new String[]{"/user/**"}).hasRole("USER").antMatchers("/admin/**")
.hasAnyRole(new String[]{"ADMIN", "SUB_ADMIN"}).antMatchers(new String[]{"/**"}).permitAll().anyRequest().authenticated().and()
.formLogin().loginPage("/check-url-pattern").loginProcessingUrl("/authenticate").usernameParameter("username")
.passwordParameter("password").permitAll().and().addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class)
.rememberMe().key("rem-me-key").rememberMeParameter("remember-me").rememberMeCookieName("my-remember-me")
.tokenRepository(persistentTokenRepository()).tokenValiditySeconds(86400).and().logout().logoutUrl("/invalidate")
.logoutSuccessHandler(logoutSuccesshandler).invalidateHttpSession(true).and().headers().frameOptions().sameOrigin().and()
.sessionManagement().maximumSessions(1).expiredUrl("/expired").maxSessionsPreventsLogin(true).sessionRegistry(sessionRegistry());
}
}
}
请提出解决方案。
答案 0 :(得分:1)
这里是如何以简单的弹簧启动方式执行此操作,在您的情况下转到WebSecurityConfig类,它被称为SpringSecurityConfig
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true);
}
答案 1 :(得分:0)
不要仅仅创建HttpSessionEventPublisher,而是确保将其注册为会话事件监听器:
@Bean
public static ServletListenerRegistrationBean httpSessionEventPublisher() {
return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
}
希望这有帮助!
答案 2 :(得分:0)
你必须删除
@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
return new HttpSessionEventPublisher();
}