Question

朋友我经常搜索并尝试在互联网上提供的所有解决方案，但我的问题没有解决。

我希望检查（在Spring Boot Web应用程序中）当前用户使用登录页面中指定的凭据登录，如果当前存在使用用户名的会话，则首先使该请求再次登录失效。

我想确保用户会有一个会话，如果会话存在则会失效并强行登录。

我试图从SessionRegistry获取所有原则，但即使在多个用户登录系统后，它仍会返回[]空列表。

这是我的春季安全配置

...
@Autowired private CustomUserDetailsService customUserDetailsService;
    @Autowired private CustomUrlAuthenticationSuccessHandler customUrlAuthenticationSuccessHandler;
    @Autowired private PasswordEncoder passwordEncoder;

@Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider());
    }

@Bean
    JCaptchaAuthenticationFilter jCaptchaAuthenticationFilter() throws Exception {
        JCaptchaAuthenticationFilter jCaptchaAuthenticationFilter = new JCaptchaAuthenticationFilter();
        jCaptchaAuthenticationFilter.setAuthenticationManager(authenticationManager());
        jCaptchaAuthenticationFilter.setAuthenticationFailureHandler(customLoginFailureHandler());
        jCaptchaAuthenticationFilter.setAuthenticationSuccessHandler(customUrlAuthenticationSuccessHandler);
        return jCaptchaAuthenticationFilter;
    }
@Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(customUserDetailsService);
        authProvider.setPasswordEncoder(passwordEncoder);
        return authProvider;
    }
@Bean
    public CustomLoginFailureHandler customLoginFailureHandler() {
        CustomLoginFailureHandler customLoginFailureHandler = new CustomLoginFailureHandler("/login");
        return customLoginFailureHandler;
    }

@Override
    protected void configure(HttpSecurity http) throws Exception {// @formatter:off
        http.authorizeRequests().antMatchers("/js/**", "/fonts/**", "/css/**", "/images/**", "/favicon.ico").permitAll()
        .antMatchers("/", "/register/**", "/email/**", "/captcha.png/**").permitAll().antMatchers("/login/**")
        .permitAll()// Basically I'm allowing parameters for login so
        // .antMatchers("/services/**").permitAll()
        .antMatchers("/forgot/password/**", "/user/verify/**").permitAll().antMatchers("/user/resetPassword*")
        .hasAuthority("CHANGE_PASSWORD_PRIVILEGE").anyRequest().authenticated().and()
        .addFilterBefore(jCaptchaAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class).formLogin()
        .loginPage("/login").permitAll().and()
        .csrf().disable()
        .sessionManagement().invalidSessionUrl("/invalidSession")
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true)
        .sessionRegistry(sessionRegistry()).and()
        .sessionFixation().newSession().and()
        .logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
        .invalidateHttpSession(false).deleteCookies("JSESSIONID").permitAll();
        http.headers().frameOptions().sameOrigin();

    }
....
@Bean
SessionRegistry sessionRegistry() {         
    return new SessionRegistryImpl();
}

@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
    return new HttpSessionEventPublisher();
}

这是我正在获取会议列表

List<String> userList = sessionRegistry.getAllPrincipals().stream()
          .filter(u -> !sessionRegistry.getAllSessions(u, true).isEmpty())
          .map(Object::toString)
          .collect(Collectors.toList());

但是上面的代码总是返回空列表。我已检查是否有任何双sessionRegistry通过禁用sessionRepositry加载，但春天抛出异常，找不到bean。

请帮助朋友。

Spring Security SessionRegistry返回空列表

0 个答案: