SpringBoot的Session并发控制

⒈是什么？

　　即控制业务系统中一个用户只能有一个Session

⒉解决方案

　　1.当这个用户在其它地方登录的时候，把之前的Session失效掉。

package cn.coreqi.security.config;

import cn.coreqi.security.Filter.SmsCodeFilter;
import cn.coreqi.security.Filter.ValidateCodeFilter;
import cn.coreqi.security.session.CoreqiExpiredSessionStrategy;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationSuccessHandler coreqiAuthenticationSuccessHandler;

    @Autowired
    private AuthenticationFailureHandler coreqiAuthenticationFailureHandler;

    @Autowired
    private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;

    @Bean
    public PasswordEncoder passwordEncoder(){
        return NoOpPasswordEncoder.getInstance();
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
        validateCodeFilter.setAuthenticationFailureHandler(coreqiAuthenticationFailureHandler);

        SmsCodeFilter smsCodeFilter = new SmsCodeFilter();


        //http.httpBasic()    //httpBasic登录 BasicAuthenticationFilter
        http.addFilterBefore(smsCodeFilter, UsernamePasswordAuthenticationFilter.class)    //加载用户名密码过滤器的前面
                .addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)    //加载用户名密码过滤器的前面
                .formLogin()    //表单登录 UsernamePasswordAuthenticationFilter
                    .loginPage("/coreqi-signIn.html")  //指定登录页面
                    //.loginPage("/authentication/require")
                    .loginProcessingUrl("/authentication/form") //指定表单提交的地址用于替换UsernamePasswordAuthenticationFilter默认的提交地址
                    .successHandler(coreqiAuthenticationSuccessHandler) //登录成功以后要用我们自定义的登录成功处理器，不用Spring默认的。
                    .failureHandler(coreqiAuthenticationFailureHandler) //自己体会把
                .and()
                .sessionManagement()
                    .invalidSessionUrl("session/invalid")    //session过期后跳转的URL
                    .maximumSessions(1) //配置最大的Session数量，即同一个用户后面登录所产生的Session之前登录所产生的Session给失效掉
                    .expiredSessionStrategy(new CoreqiExpiredSessionStrategy())
                .and()
                .and()
                .authorizeRequests()    //对授权请求进行配置
                    .antMatchers("/coreqi-signIn.html","/code/image","/session/invalid").permitAll() //指定登录页面不需要身份认证
                    .anyRequest().authenticated()  //任何请求都需要身份认证
                    .and().csrf().disable()    //禁用CSRF
                .apply(smsCodeAuthenticationSecurityConfig);
            //FilterSecurityInterceptor 整个SpringSecurity过滤器链的最后一环
    }
}

package cn.coreqi.security.session;

import org.springframework.security.web.session.SessionInformationExpiredEvent;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;

import javax.servlet.ServletException;
import java.io.IOException;

public class CoreqiExpiredSessionStrategy implements SessionInformationExpiredStrategy {
    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent sessionInformationExpiredEvent) throws IOException, ServletException {
        sessionInformationExpiredEvent.getResponse().setContentType("application/json;charset=UTF-8");
        sessionInformationExpiredEvent.getResponse().getWriter().write("并发登录！");
    }
}

　　2.当这个用户已经登陆了，禁止在其它地方登录。

package cn.coreqi.security.config;

import cn.coreqi.security.Filter.SmsCodeFilter;
import cn.coreqi.security.Filter.ValidateCodeFilter;
import cn.coreqi.security.session.CoreqiExpiredSessionStrategy;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationSuccessHandler coreqiAuthenticationSuccessHandler;

    @Autowired
    private AuthenticationFailureHandler coreqiAuthenticationFailureHandler;

    @Autowired
    private SmsCodeAuthenticationSecurityConfig smsCodeAuthenticationSecurityConfig;

    @Bean
    public PasswordEncoder passwordEncoder(){
        return NoOpPasswordEncoder.getInstance();
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ValidateCodeFilter validateCodeFilter = new ValidateCodeFilter();
        validateCodeFilter.setAuthenticationFailureHandler(coreqiAuthenticationFailureHandler);

        SmsCodeFilter smsCodeFilter = new SmsCodeFilter();


        //http.httpBasic()    //httpBasic登录 BasicAuthenticationFilter
        http.addFilterBefore(smsCodeFilter, UsernamePasswordAuthenticationFilter.class)    //加载用户名密码过滤器的前面
                .addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)    //加载用户名密码过滤器的前面
                .formLogin()    //表单登录 UsernamePasswordAuthenticationFilter
                    .loginPage("/coreqi-signIn.html")  //指定登录页面
                    //.loginPage("/authentication/require")
                    .loginProcessingUrl("/authentication/form") //指定表单提交的地址用于替换UsernamePasswordAuthenticationFilter默认的提交地址
                    .successHandler(coreqiAuthenticationSuccessHandler) //登录成功以后要用我们自定义的登录成功处理器，不用Spring默认的。
                    .failureHandler(coreqiAuthenticationFailureHandler) //自己体会把
                .and()
                .sessionManagement()
                    .invalidSessionUrl("session/invalid")    //session过期后跳转的URL
                    .maximumSessions(1) //配置最大的Session数量，即同一个用户后面登录所产生的Session之前登录所产生的Session给失效掉
                    .maxSessionsPreventsLogin(true) //当一个用户的Session数量达到最大数量以后，阻止后面的登陆行为
                .expiredSessionStrategy(new CoreqiExpiredSessionStrategy())
                .and()
                .and()
                .authorizeRequests()    //对授权请求进行配置
                    .antMatchers("/coreqi-signIn.html","/code/image","/session/invalid").permitAll() //指定登录页面不需要身份认证
                    .anyRequest().authenticated()  //任何请求都需要身份认证
                    .and().csrf().disable()    //禁用CSRF
                .apply(smsCodeAuthenticationSecurityConfig);
            //FilterSecurityInterceptor 整个SpringSecurity过滤器链的最后一环
    }
}