适用于session方式的登录,不适用于jwt token方式的登录。因为jwt token方式的话session就没什么事儿了 (此处为了防止小白不懂原理盲目抄)。
有这样一个需求,一个账号只能在一个客户端浏览器上登录,如果同样的账号在别的客户端浏览器上登录的话,之前的登录需要被踢下去。这个需求看似很简单,而且默认情况下使用Spring Security配置也挺简单,如下配置即可:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
... //此处忽略若干行配置
.sessionManagement()
.maximumSessions(1);
}
这个配置在默认formLogin状态下生效,但如果使用自定义过滤器接管登录过程的话就会失效,如这样:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
... //此处忽略若干行配置
// 添加自己的登录过滤器
.addFilterBefore(adminLoginFilter(), UsernamePasswordAuthenticationFilter.class)
// 因为adminLoginFilter接管了默认formLogin的工作,所以下面的session配置失效了
.sessionManagement()
.maximumSessions(1);
}
这时我们需要手动配置session了,先看看官网是怎么说的 官网说明 这是官网的一段话
If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly.
官网也提供了具体配置方法
<http>
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
<session-management session-authentication-strategy-ref="sas"/>
</http>
<beans:bean id="redirectSessionInformationExpiredStrategy"
class="org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy">
<beans:constructor-arg name="invalidSessionUrl" value="/session-expired.htm" />
</beans:bean>
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:constructor-arg name="sessionInformationExpiredStrategy" ref="redirectSessionInformationExpiredStrategy" />
</beans:bean>
<beans:bean id="myAuthFilter" class=
"org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry"/>
<beans:property name="maximumSessions" value="1" />
<beans:property name="exceptionIfMaximumExceeded" value="true" />
</beans:bean>
<beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
</beans:bean>
<beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry"/>
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
官网提供的是xml配置方法,现在应该是比较少用了,所以我们得在自己项目中使用代码配置,具体流程:
第一步 定义一个sessionRegistry bean
@Bean
public SessionRegistry sessionRegistry(){
return new SessionRegistryImpl();
}
第二步 定义几个Session Strategy bean,其中在ConcurrentSessionControlAuthenticationStrategy配置账号的最大同时登录数
@Bean
public ConcurrentSessionControlAuthenticationStrategy controlAuthenticationStrategy(SessionRegistry sessionRegistry){
ConcurrentSessionControlAuthenticationStrategy strategy = new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
strategy.setMaximumSessions(1); // 这里配置一个账号最大登录数
return strategy;
}
@Bean
public SessionFixationProtectionStrategy sessionFixationProtectionStrategy(){
return new SessionFixationProtectionStrategy();
}
@Bean
public RegisterSessionAuthenticationStrategy registerSessionAuthenticationStrategy(SessionRegistry sessionRegistry){
return new RegisterSessionAuthenticationStrategy(sessionRegistry);
}
第三步 定义CompositeSessionAuthenticationStrategy bean,他接受的是List集合,也就是其他Session Strategy的集合
@Bean
public CompositeSessionAuthenticationStrategy sessionAuthenticationStrategy(List<SessionAuthenticationStrategy> authenticationStrategies){
return new CompositeSessionAuthenticationStrategy(authenticationStrategies);
}
第四步 定义ConcurrentSessionFilter bean
@Bean
public ConcurrentSessionFilter concurrentSessionFilter(SessionRegistry sessionRegistry){
return new ConcurrentSessionFilter(sessionRegistry);
}
第五步 在自己的自定义登录filter里面设置session strategy
public AdminLoginFilter adminLoginFilter(CompositeSessionAuthenticationStrategy strategy) throws Exception {
AdminLoginFilter adminLoginFilter = new AdminLoginFilter();
... 省略若干行配置
adminLoginFilter.setSessionAuthenticationStrategy(strategy);
return adminLoginFilter;
}
第六步 在configure(HttpSecurity http)里面配置session
@Override
protected void configure(HttpSecurity http) throws Exception {
List<SessionAuthenticationStrategy> authenticationStrategies = Arrays.asList(
controlAuthenticationStrategy(sessionRegistry()),
sessionFixationProtectionStrategy(),
registerSessionAuthenticationStrategy(sessionRegistry())
);
http
... //此处忽略若干行配置
.addFilterBefore(concurrentSessionFilter(sessionRegistry()),ConcurrentSessionFilter.class)
.addFilterBefore(adminLoginFilter(sessionAuthenticationStrategy(authenticationStrategies)), UsernamePasswordAuthenticationFilter.class)
.sessionManagement()
.sessionAuthenticationStrategy(sessionAuthenticationStrategy(authenticationStrategies));
}
下面看完整的代码
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class PortalSecurityConfig2 extends WebSecurityConfigurerAdapter {
@Autowired
private AdminLoginService adminDetailsService;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
public AdminLoginFilter adminLoginFilter(CompositeSessionAuthenticationStrategy strategy) throws Exception {
AdminLoginFilter adminLoginFilter = new AdminLoginFilter();
adminLoginFilter.setFilterProcessesUrl("/admin/login");
adminLoginFilter.setAuthenticationManager(authenticationManagerBean());
adminLoginFilter.setSessionAuthenticationStrategy(strategy);
return adminLoginFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
List<SessionAuthenticationStrategy> authenticationStrategies = Arrays.asList(
controlAuthenticationStrategy(sessionRegistry()),
sessionFixationProtectionStrategy(),
registerSessionAuthenticationStrategy(sessionRegistry())
);
http
.authorizeRequests().anyRequest().authenticated()
.and()
.addFilterBefore(concurrentSessionFilter(sessionRegistry()), ConcurrentSessionFilter.class)
.addFilterBefore(adminLoginFilter(sessionAuthenticationStrategy(authenticationStrategies)), UsernamePasswordAuthenticationFilter.class)
.sessionManagement()
.sessionAuthenticationStrategy(sessionAuthenticationStrategy(authenticationStrategies));
}
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(adminDetailsService);
}
@Bean
public SessionRegistry sessionRegistry(){
return new SessionRegistryImpl();
}
@Bean
public ConcurrentSessionFilter concurrentSessionFilter(SessionRegistry sessionRegistry){
return new ConcurrentSessionFilter(sessionRegistry);
}
@Bean
public ConcurrentSessionControlAuthenticationStrategy controlAuthenticationStrategy(SessionRegistry sessionRegistry){
ConcurrentSessionControlAuthenticationStrategy strategy = new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
strategy.setMaximumSessions(1);
return strategy;
}
@Bean
public SessionFixationProtectionStrategy sessionFixationProtectionStrategy(){
return new SessionFixationProtectionStrategy();
}
@Bean
public RegisterSessionAuthenticationStrategy registerSessionAuthenticationStrategy(SessionRegistry sessionRegistry){
return new RegisterSessionAuthenticationStrategy(sessionRegistry);
}
@Bean
public CompositeSessionAuthenticationStrategy sessionAuthenticationStrategy(List<SessionAuthenticationStrategy> authenticationStrategies){
return new CompositeSessionAuthenticationStrategy(authenticationStrategies);
}
}
希望以上内容能帮到你。
近期评论