  • Springsecurity源码Filter之ConcurrentSessionFilter(十五)

    用于校验当前请求的 session 在 SessionRegistry 中是否已被标记为过期:已过期则执行登出并交给过期策略处理,未过期则刷新最后一次访问时间。

    初始化处:org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer#configure

      /**
       * Builds the {@code SessionManagementFilter}, registers it on {@code http}, and,
       * when concurrent session control is enabled, also registers a
       * {@code ConcurrentSessionFilter}.
       *
       * @param http the builder that supplies shared objects and receives the filters
       */
      public void configure(H http) {
          SecurityContextRepository contextRepository = http.getSharedObject(SecurityContextRepository.class);
          SessionManagementFilter managementFilter = new SessionManagementFilter(contextRepository,
                  getSessionAuthenticationStrategy(http));

          // URL-based failure handler first; an explicitly configured handler is
          // set further down and therefore replaces it when both are present.
          if (this.sessionAuthenticationErrorUrl != null) {
              managementFilter.setAuthenticationFailureHandler(
                      new SimpleUrlAuthenticationFailureHandler(this.sessionAuthenticationErrorUrl));
          }

          InvalidSessionStrategy invalidSessionStrategy = getInvalidSessionStrategy();
          if (invalidSessionStrategy != null) {
              managementFilter.setInvalidSessionStrategy(invalidSessionStrategy);
          }

          AuthenticationFailureHandler explicitFailureHandler = getSessionAuthenticationFailureHandler();
          if (explicitFailureHandler != null) {
              managementFilter.setAuthenticationFailureHandler(explicitFailureHandler);
          }

          AuthenticationTrustResolver resolver = http.getSharedObject(AuthenticationTrustResolver.class);
          if (resolver != null) {
              managementFilter.setTrustResolver(resolver);
          }

          http.addFilter(postProcess(managementFilter));

          // Per the article's note, isConcurrentSessionControlEnabled() is
          // "return this.maximumSessions != null;": without maximumSessions(...)
          // no ConcurrentSessionFilter is added and expired sessions are never checked.
          if (!isConcurrentSessionControlEnabled()) {
              return;
          }
          http.addFilter(postProcess(createConcurrencyFilter(http)));
      }

    继承 WebSecurityConfigurerAdapter 并重写 configure;只有设置了 maximumSessions,ConcurrentSessionFilter 才会被加入过滤器链:

    com.liqiang.demo.config.SecurityConfig#configure

        /**
         * Demo security configuration: every request requires authentication, with
         * remember-me, a custom form login, CSRF protection disabled, and at most one
         * concurrent session per user.
         *
         * @param http the HttpSecurity builder to configure
         * @throws Exception if any configurer call fails
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Every request must be authenticated.
            http.authorizeRequests()
                    .anyRequest()
                    .authenticated();

            // Remember-me login. NOTE(review): tokens are held in memory only, so they
            // do not survive a restart and are not shared between instances; use a
            // persistent repository outside of a demo.
            http.rememberMe()
                    .tokenRepository(new InMemoryTokenRepositoryImpl());

            // Form-based login with a custom page, processing URL and parameter names.
            http.formLogin()
                    .loginPage("/login") // login page path
                    .loginProcessingUrl("/doLogin") // custom login request URL
                    .defaultSuccessUrl("/hello")
                    .usernameParameter("loginName")
                    .passwordParameter("loginPassword")
                    .permitAll(true); // login endpoints are not intercepted

            // The original note says "remember to disable" CSRF.
            // NOTE(review): this app authenticates with a session cookie and form login,
            // so disabling CSRF protection leaves state-changing requests unprotected.
            // Keep it enabled outside of a demo and send the token from the login form.
            http.csrf()
                    .disable();

            // maximumSessions must be set (here to 1): it is what enables the
            // ConcurrentSessionFilter. maxSessionsPreventsLogin(true) rejects a new
            // login once the limit is reached.
            // NOTE(review): with this setting a session that ends without logout blocks
            // the user until the registry entry is removed; confirm that an
            // HttpSessionEventPublisher listener is registered (not visible here).
            http.sessionManagement()
                    .maximumSessions(1)
                    .maxSessionsPreventsLogin(true);
        }

    org.springframework.security.web.session.ConcurrentSessionFilter#doFilter

      /**
       * Checks the current session against the session registry. An expired entry
       * triggers logout and the expired-session strategy, and the chain is not
       * continued; otherwise the last-request time is refreshed and the request
       * proceeds.
       *
       * @param request the current request
       * @param response the current response
       * @param chain the remaining filter chain
       * @throws IOException propagated from the chain or the expired-session strategy
       * @throws ServletException propagated from the chain or the expired-session strategy
       */
      private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
              throws IOException, ServletException {
          // getSession(false): never create a session just to run this check.
          HttpSession currentSession = request.getSession(false);
          // Look the session up in the registry by id; sessions the registry does not
          // know about pass through without any check.
          SessionInformation registered = (currentSession == null) ? null
                  : this.sessionRegistry.getSessionInformation(currentSession.getId());

          if (registered != null) {
              // isExpired() reads the flag stored on the registry entry.
              // NOTE(review): presumably set by concurrent-session control rather than
              // by the container's idle timeout; the code that sets it is not shown here.
              if (registered.isExpired()) {
                  // Expired - abort processing
                  this.logger.debug(LogMessage
                          .of(() -> "Requested session ID " + request.getRequestedSessionId() + " has expired."));
                  doLogout(request, response);
                  this.sessionInformationExpiredStrategy
                          .onExpiredSessionDetected(new SessionInformationExpiredEvent(registered, request, response));
                  return;
              }
              // Still valid: record this request as the most recent access.
              this.sessionRegistry.refreshLastRequest(registered.getSessionId());
          }

          chain.doFilter(request, response);
      }
  • 原文地址:https://www.cnblogs.com/LQBlog/p/15535203.html