一、创建一个实现 AccessControlFilter 的过滤器类
package com.beovo.dsd.common.shiro.filter; import cn.hutool.core.collection.CollUtil; import cn.hutool.core.util.ObjectUtil; import com.beovo.dsd.common.shiro.ShiroFilterUtils; import com.beovo.dsd.common.shiro.ShiroUser; import org.apache.shiro.cache.Cache; import org.apache.shiro.cache.CacheManager; import org.apache.shiro.session.Session; import org.apache.shiro.session.mgt.DefaultSessionKey; import org.apache.shiro.session.mgt.SessionManager; import org.apache.shiro.subject.Subject; import org.apache.shiro.web.filter.AccessControlFilter; import org.apache.shiro.web.util.WebUtils; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.Serializable; import java.util.Deque; import java.util.LinkedList; /** * 限制并发人数登录与剔除 * @author Jimc. * @since 2018/11/28. */ public class KickoutSessionControlFilter extends AccessControlFilter { private static final String KICKOUT_CACHE_NAME = "kickoutCache"; private static final String KICKOUT = "kickout"; /** * 踢出后到的地址 */ private String kickoutUrl; /** * 踢出之前登录的/之后登录的用户,默认踢出之前登录的用户 */ private boolean kickoutAfter = false; /** * 同一个帐号最大会话数,默认1 */ private int maxSession = 1; private SessionManager sessionManager; private Cache<String, Deque<Serializable>> cache; public void setKickoutUrl(String kickoutUrl) { this.kickoutUrl = kickoutUrl; } public void setKickoutAfter(boolean kickoutAfter) { this.kickoutAfter = kickoutAfter; } public void setMaxSession(int maxSession) { this.maxSession = maxSession; } public void setSessionManager(SessionManager sessionManager) { this.sessionManager = sessionManager; } public void setCacheManager(CacheManager cacheManager) { this.cache = cacheManager.getCache(KICKOUT_CACHE_NAME); } @Override protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception { return false; } @Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { Subject subject = getSubject(request, response); if(!subject.isAuthenticated() && !subject.isRemembered()) { //如果没有登录,直接进行之后的流程 return true; } Session session = subject.getSession(); ShiroUser user = (ShiroUser)subject.getPrincipal(); String username = user.getAccount(); Serializable sessionId = session.getId(); // 同步控制 Deque<Serializable> deque = cache.get(username); if(CollUtil.isEmpty(deque)) { deque = new LinkedList<Serializable>(); cache.put(username, deque); } //如果队列里没有此sessionId,且用户没有被踢出;放入队列 if(!deque.contains(sessionId) && ObjectUtil.isNull(session.getAttribute(KICKOUT))) { deque.push(sessionId); } //如果队列里的sessionId数超出最大会话数,开始踢人 while(deque.size() > maxSession) { Serializable kickoutSessionId = null; if(kickoutAfter) { //如果踢出后者 kickoutSessionId = deque.removeFirst(); } else { //否则踢出前者 kickoutSessionId = deque.removeLast(); } try { Session kickoutSession = sessionManager.getSession(new DefaultSessionKey(kickoutSessionId)); if(ObjectUtil.isNotNull(kickoutSession)) { // 设置会话的kickout属性表示踢出了 kickoutSession.setAttribute(KICKOUT, true); } } catch (Exception e) {//ignore exception } } // 如果被踢出了,直接退出,重定向到踢出后的地址 if (ObjectUtil.isNotNull(session.getAttribute(KICKOUT))) { // 会话被踢出了 try { subject.logout(); } catch (Exception e) { //ignore } saveRequest(request); HttpServletRequest httpRequest = WebUtils.toHttp(request); if (ShiroFilterUtils.isAjax(httpRequest)) { HttpServletResponse res = WebUtils.toHttp(response); // 采用res.sendError(401);在Easyui中会处理掉error,$.ajaxSetup中监听不到 res.setHeader("oauthstatus", "401"); return false; } else { WebUtils.issueRedirect(request, response, kickoutUrl); return false; } } return true; } }
二、将过滤器加入到shiro的配置中
<!-- 并发登处理 --> <bean id="kickoutSessionControlFilter" class="com.beovo.dsd.common.shiro.filter.KickoutSessionControlFilter"> <property name="cacheManager" ref="shiroSpringCacheManager"/> <property name="sessionManager" ref="sessionManager"/> <!-- 是否踢出后来登录的,默认是false;即后者登录的用户踢出前者登录的用户 --> <property name="kickoutAfter" value="false"/> <!-- 同一个用户最大的会话数,默认1;比如2的意思是同一个用户允许最多同时两个人登录 --> <property name="maxSession" value="1"/> <!-- 踢出后到的地址 --> <property name="kickoutUrl" value="/login"/> </bean> <!-- Shiro Filter --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <!-- 安全管理器 --> <property name="securityManager" ref="securityManager"/> <!-- 默认的登陆访问url --> <property name="loginUrl" value="/login"/> <!-- 登陆成功后跳转的url --> <property name="successUrl" value="/index"/> <!-- 没有权限跳转的url --> <property name="unauthorizedUrl" value="/unauth"/> <property name="filterChainDefinitions"> <value> <!-- anon 不需要认证 authc 需要认证 user 验证通过或RememberMe登录的都可以 kickout 需要验证并发登录 --> /login = anon /captcha = anon /resources/** = anon /** = user,kickout </value> </property> <property name="filters"> <map> <entry key="kickout" value-ref="kickoutSessionControlFilter"/> </map> </property> </bean>
注意:过滤器拦截所有请求那里需要加入 kickout:
/** = user,kickout