SpringBoot会话管理

时间:2015-09-02 16:50:15

标签: java spring-boot session spring-security

我有一个 Spring Boot 应用程序，希望对用户会话进行管理，但下面的配置似乎不起作用。

 http
        // session management
        .sessionManagement()
        // a session is only created when something needs one (e.g. after login)
        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        // session-fixation defence: keep the session, rotate its id on authentication
        .sessionFixation().changeSessionId()
        // concurrent session control: at most one live session per principal ...
        .maximumSessions(1)
        // ... and a second login is refused instead of expiring the first one
        .maxSessionsPreventsLogin(true)
        // where a request on an expired session is sent
        .expiredUrl("/index.html")
        // the registry must be the single shared bean, see sessionRegistry() (SEC-2855)
        .sessionRegistry(sessionRegistry());

// Work around https://jira.spring.io/browse/SEC-2855
/**
 * Exposes the session registry as a bean so the session-management DSL and the
 * concurrent-session filter share one instance (work-around for SEC-2855).
 *
 * @return a fresh {@link SessionRegistryImpl}
 */
@Bean
public SessionRegistry sessionRegistry() {
    return new SessionRegistryImpl();
}

 // Register HttpSessionEventPublisher
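/**
 * Registers {@link HttpSessionEventPublisher} as a servlet listener so that session
 * lifecycle events reach Spring's application context; the session registry relies on
 * the session-destroyed events to drop entries, otherwise the one-session limit is
 * never released. Typed generically instead of using the raw registration bean.
 *
 * @return the listener registration for the container
 */
@Bean
public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
    return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
}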

上述解决方法来自该 JIRA 票证，但我仍然可以用同一组用户名和密码多次登录，该如何阻止这种情况？

使用的是 Spring Boot 1.2.5.RELEASE。

  

更新01

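    @EnableWebMvcSecurity
@EnableWebSecurity(debug = true)
@ComponentScan
@Configuration
@EnableAutoConfiguration
@Order(2)
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
    private static final Logger log = LoggerFactory.getLogger(ApplicationSecurity.class);

    @Autowired
    CustomUserDetailsService customUserDetailsService;

    /**
     * Configures the HTTP filter chain: concurrent-session control (one session per
     * principal, further logins rejected), form login and logout both routed through
     * {@code /index.html}, and the custom X-Auth-Token configurer on top.
     *
     * @param http builder for this filter chain
     * @throws Exception propagated from the builder and the bean lookups below
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): CSRF protection is off for the whole chain. Besides the usual
        // exposure, this also widens the logout matcher below to every HTTP method.
        http.csrf().disable();

        http
            // session management
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            // session-fixation defence: keep the session, rotate its id on authentication
            .sessionFixation().changeSessionId()
            // concurrent session control: at most one live session per principal, and a
            // second login is refused rather than expiring the first one
            .maximumSessions(1)
            .maxSessionsPreventsLogin(true)
            .expiredUrl("/index.html")
            // must be the single shared registry bean (SEC-2855)
            .sessionRegistry(sessionRegistry());

        http
            // login management
            .formLogin()
            .loginPage("/index.html")
            .defaultSuccessUrl("/")
            .failureUrl("/index.html")
            .permitAll();
        http
            // logout management
            // NOTE(review): the logout URL is the same path as the login page, the failure
            // URL and the expired URL. With CSRF disabled the logout filter matches any
            // request to it, so merely loading the login page looks like it invalidates the
            // current session and frees its slot in the registry — which would explain why
            // the one-session limit never rejects a repeated login. Confirm, and consider a
            // dedicated logout path.
            .logout()
            .logoutUrl("/index.html")
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID");

        // NOTE(review): XAuthTokenConfigurer is not visible here; if it authenticates
        // requests from a header, those logins presumably bypass the session-based
        // concurrency strategy above — confirm that is intended.
        SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter =
                new XAuthTokenConfigurer(userDetailsServiceBean(), authenticationManagerBean());

        http.apply(securityConfigurerAdapter);
    }

    /**
     * Wires the custom user lookup into the authentication manager.
     *
     * @param authManagerBuilder builder for the global authentication manager
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
        // NOTE(review): the session registry groups sessions by principal object. If the
        // UserDetails returned by CustomUserDetailsService does not implement equals/hashCode
        // consistently, two logins of the same user count as different principals and the
        // maximumSessions(1) limit is never reached — verify the UserDetails class.
        authManagerBuilder.userDetailsService(customUserDetailsService);
    }

    /**
     * Exposes the adapter's {@link AuthenticationManager} as the bean {@code myAuthManager}
     * so other components (e.g. the token configurer) can inject it.
     *
     * @return the shared authentication manager
     * @throws Exception propagated from the superclass
     */
    @Bean(name = "myAuthManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Single shared session registry; exposing it as a bean is the work-around for
     * https://jira.spring.io/browse/SEC-2855 so the DSL and the filter use one instance.
     *
     * @return a fresh {@link SessionRegistryImpl}
     */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Registers {@link HttpSessionEventPublisher} so that session-destroyed events reach the
     * registry and a user's slot is released when the session ends. Declared {@code static}
     * presumably so the registration does not depend on this configuration being
     * instantiated first — confirm. Typed generically instead of the raw registration bean.
     *
     * @return the listener registration for the container
     */
    @Bean
    public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
    }
}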
