  • Springsecurity源码Filter之ConcurrentSessionFilter(十五)

    用于校验session是否过期，过期则移除

    初始化处:org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer#configure

      /**
       * Builds the {@code SessionManagementFilter} from the configurer's settings and adds it
       * to the chain, then adds a {@code ConcurrentSessionFilter} when concurrent session
       * control is enabled.
       *
       * <p>Both the error-URL branch and the explicit failure-handler branch call
       * {@code setAuthenticationFailureHandler}; when both are configured the explicit
       * handler is applied second.
       *
       * @param http the security builder that supplies shared objects and receives the filters
       */
      public void configure(H http) {
            SecurityContextRepository contextRepository = http.getSharedObject(SecurityContextRepository.class);
            SessionManagementFilter filter = new SessionManagementFilter(contextRepository,
                    getSessionAuthenticationStrategy(http));

            // An error URL, when set, is wrapped in a simple redirecting failure handler.
            if (this.sessionAuthenticationErrorUrl != null) {
                filter.setAuthenticationFailureHandler(
                        new SimpleUrlAuthenticationFailureHandler(this.sessionAuthenticationErrorUrl));
            }

            // Each optional collaborator is applied only when one is available.
            InvalidSessionStrategy invalidSessionStrategy = getInvalidSessionStrategy();
            if (invalidSessionStrategy != null) {
                filter.setInvalidSessionStrategy(invalidSessionStrategy);
            }
            AuthenticationFailureHandler explicitFailureHandler = getSessionAuthenticationFailureHandler();
            if (explicitFailureHandler != null) {
                filter.setAuthenticationFailureHandler(explicitFailureHandler);
            }
            AuthenticationTrustResolver resolver = http.getSharedObject(AuthenticationTrustResolver.class);
            if (resolver != null) {
                filter.setTrustResolver(resolver);
            }

            http.addFilter(postProcess(filter));

            // Per the article's note, isConcurrentSessionControlEnabled() is
            // `return this.maximumSessions != null;` - so the ConcurrentSessionFilter is only
            // installed once maximumSessions(...) has been configured.
            if (!isConcurrentSessionControlEnabled()) {
                return;
            }
            ConcurrentSessionFilter concurrencyFilter = postProcess(createConcurrencyFilter(http));
            http.addFilter(concurrencyFilter);
        }

    继承WebSecurityConfigurerAdapter 重写

    com.liqiang.demo.config.SecurityConfig#configure

        /**
         * Demo configuration: every request requires authentication, with remember-me, a
         * custom form login, CSRF protection switched off, and at most one concurrent
         * session per user.
         *
         * @param http the builder being configured
         * @throws Exception propagated from the Spring Security configurers
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Every request must be authenticated.
            http.authorizeRequests()
                    .anyRequest()
                    .authenticated();

            // Remember-me with tokens held in memory only: they do not survive a restart and
            // are not shared between application instances.
            http.rememberMe()
                    .tokenRepository(new InMemoryTokenRepositoryImpl());

            // Form login: custom login page, custom processing URL and parameter names.
            // permitAll(true) leaves the login endpoints reachable without authentication.
            http.formLogin()
                    .loginPage("/login")
                    .loginProcessingUrl("/doLogin")
                    .defaultSuccessUrl("/hello")
                    .usernameParameter("loginName")
                    .passwordParameter("loginPassword")
                    .permitAll(true);

            // NOTE(review): CSRF protection is disabled here, so state-changing requests
            // (including the POST to /doLogin) carry no CSRF token check. Acceptable for a
            // walkthrough; outside a demo, keep CSRF enabled and send the token from the form.
            http.csrf()
                    .disable();

            // maximumSessions(1) is what makes concurrent session control (and therefore the
            // ConcurrentSessionFilter) active. maxSessionsPreventsLogin(true) rejects a new
            // login while the limit is reached instead of expiring the older session.
            // NOTE(review): the session registry has to learn when sessions end; no
            // HttpSessionEventPublisher registration is shown on this page - confirm one
            // exists, otherwise a user whose session timed out may stay blocked from logging in.
            http.sessionManagement()
                    .maximumSessions(1)
                    .maxSessionsPreventsLogin(true);
        }

    org.springframework.security.web.session.ConcurrentSessionFilter#doFilter

      /**
       * Checks the current session against the session registry before letting the request
       * continue.
       *
       * <p>If the registry's record for this session is marked expired, the request is logged
       * out, the expired-session strategy is notified, and the rest of the chain is not
       * invoked. Otherwise the record's last-request time is refreshed and the chain proceeds.
       * Requests without a session, or with a session the registry does not know, pass
       * straight through.
       *
       * @param request the current HTTP request
       * @param response the current HTTP response
       * @param chain the remaining filter chain
       * @throws IOException propagated from the chain or the expired-session strategy
       * @throws ServletException propagated from the chain or the expired-session strategy
       */
      private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // getSession(false): never create a session just to run this check.
            HttpSession current = request.getSession(false);
            SessionInformation tracked = (current != null)
                    ? this.sessionRegistry.getSessionInformation(current.getId())
                    : null;

            // No session, or the registry has no record of it: nothing to enforce here.
            if (tracked == null) {
                chain.doFilter(request, response);
                return;
            }

            // The expiry flag is read from the registry's record, not from the HttpSession.
            if (tracked.isExpired()) {
                // Expired - abort processing
                this.logger.debug(LogMessage
                        .of(() -> "Requested session ID " + request.getRequestedSessionId() + " has expired."));
                doLogout(request, response);
                this.sessionInformationExpiredStrategy
                        .onExpiredSessionDetected(new SessionInformationExpiredEvent(tracked, request, response));
                return;
            }

            // Still valid: record this request as the session's latest activity.
            this.sessionRegistry.refreshLastRequest(tracked.getSessionId());
            chain.doFilter(request, response);
        }
  • 原文地址:https://www.cnblogs.com/LQBlog/p/15535203.html