SpringBoot整合SpringSecurity,SESSION 并发管理,同账号只允许登录一次

重写了UsernamePasswordAuthenticationFilter,里面继承AbstractAuthenticationProcessingFilter,这个类里面的session认证策略,是一个空方法,貌似RememberMe也是.

 

public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware, MessageSourceAware {    protected ApplicationEventPublisher eventPublisher;    protected AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();    private AuthenticationManager authenticationManager;    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();    private RememberMeServices rememberMeServices = new NullRememberMeServices();    private RequestMatcher requiresAuthenticationRequestMatcher;    private boolean continueChainBeforeSuccessfulAuthentication = false;    private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();    private boolean allowSessionCreation = true;    private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();    private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();

NullAuthenticatedSessionStrategy 源码

public final class NullAuthenticatedSessionStrategy implements SessionAuthenticationStrategy {    public NullAuthenticatedSessionStrategy() {    }    public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {    }}

 

所以必须自己配置一个session验证策略,以及配置并发控制.红字为关键

WebSecurityConfigurerAdapter 

/** * Created by ZhenWeiLai on on 2016-10-16. * <p> * 三种方法级权限控制 * <p> * 1.securedEnabled: Spring Security’s native annotation * 2.jsr250Enabled: standards-based and allow simple role-based constraints * 3.prePostEnabled: expression-based */@EnableWebSecurity//@EnableGlobalMethodSecurity(prePostEnabled = true)public class WebSecurityConfig extends WebSecurityConfigurerAdapter {    @Resource    private UserDetailsService userDetailsService;    @Resource    private FilterInvocationSecurityMetadataSource securityMetadataSource;    @Resource    private SessionRegistry sessionRegistry;    @Override    public void configure(WebSecurity web) throws Exception {        web.ignoring().antMatchers("/assets/**");        web.ignoring().antMatchers("/components/**");        web.ignoring().antMatchers("/css/**");        web.ignoring().antMatchers("/images/**");        web.ignoring().antMatchers("/js/**");        web.ignoring().antMatchers("/mustache/**");        web.ignoring().antMatchers("/favicon.ico");        //注册地址不拦截//        web.ignoring().antMatchers("/base/invoice/userinfo/u/reg");//        web.ignoring().antMatchers("/**");    }    @Override    protected void configure(HttpSecurity http) throws Exception {        //解决不允许显示在iframe的问题        http.headers().frameOptions().disable();        http.addFilterAt(usernamePasswordAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);       //session并发控制过滤器        http.addFilterAt(new ConcurrentSessionFilter(sessionRegistry,sessionInformationExpiredStrategy()),ConcurrentSessionFilter.class);        //自定义过滤器        //在适当的地方加入        http.addFilterAt(filterSecurityInterceptor(securityMetadataSource, accessDecisionManager(), authenticationManagerBean()), FilterSecurityInterceptor.class);        http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")).and().logout().logoutUrl("/logout").logoutSuccessUrl("/login").permitAll().and().exceptionHandling().accessDeniedPage("/accessDenied");        http.authorizeRequests().anyRequest().fullyAuthenticated();        // 关闭csrf        http.csrf().disable();        /**         * 以下配置无效         */        //session管理        //session失效后跳转//        http.sessionManagement().invalidSessionUrl("/login");//        //只允许一个用户登录,如果同一个账户两次登录,那么第一个账户将被踢下线,跳转到登录页面//        http.sessionManagement().maximumSessions(1).expiredUrl("/login");    }    @Override    protected void configure(AuthenticationManagerBuilder auth)            throws Exception {        // 自定义UserDetailsService,设置加密算法        auth.userDetailsService(userDetailsService);//.passwordEncoder(passwordEncoder())        //不删除凭据，以便记住用户        auth.eraseCredentials(false);    }    //session失效跳转    private SessionInformationExpiredStrategy sessionInformationExpiredStrategy() {        return new SimpleRedirectSessionInformationExpiredStrategy("/login");    }    @Bean    public SessionRegistry sessionRegistry() {        return new SessionRegistryImpl();    }    //SpringSecurity内置的session监听器    @Bean    public HttpSessionEventPublisher httpSessionEventPublisher() {        return new HttpSessionEventPublisher();    }    private UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter() throws Exception {        UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter = new CuzUsernamePasswordAuthenticationFilter();        usernamePasswordAuthenticationFilter.setPostOnly(true);        usernamePasswordAuthenticationFilter.setAuthenticationManager(this.authenticationManager());        usernamePasswordAuthenticationFilter.setUsernameParameter("name_key");        usernamePasswordAuthenticationFilter.setPasswordParameter("pwd_key");        usernamePasswordAuthenticationFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/checkLogin", "POST"));        usernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(simpleUrlAuthenticationFailureHandler());        usernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());        //session并发控制,因为默认的并发控制方法是空方法.这里必须自己配置一个        usernamePasswordAuthenticationFilter.setSessionAuthenticationStrategy(new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry));        return usernamePasswordAuthenticationFilter;    }//    @Bean//    public LoggerListener loggerListener() {//        System.out.println("org.springframework.security.authentication.event.LoggerListener");//        return new LoggerListener();//    }////    @Bean//    public org.springframework.security.access.event.LoggerListener eventLoggerListener() {//        System.out.println("org.springframework.security.access.event.LoggerListener");//        return new org.springframework.security.access.event.LoggerListener();//    }    /**     * 投票器     */    private AbstractAccessDecisionManager accessDecisionManager() {        List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList();        decisionVoters.add(new AuthenticatedVoter());        decisionVoters.add(new RoleVoter());//角色投票器,默认前缀为ROLE_        RoleVoter AuthVoter = new RoleVoter();        AuthVoter.setRolePrefix("AUTH_");//特殊权限投票器,修改前缀为AUTH_        decisionVoters.add(AuthVoter);        AbstractAccessDecisionManager accessDecisionManager = new AffirmativeBased(decisionVoters);        return accessDecisionManager;    }    @Override    public AuthenticationManager authenticationManagerBean() {        AuthenticationManager authenticationManager = null;        try {            authenticationManager = super.authenticationManagerBean();        } catch (Exception e) {            e.printStackTrace();        }        return authenticationManager;    }    /**     * 验证异常处理器     *     * @return     */    private SimpleUrlAuthenticationFailureHandler simpleUrlAuthenticationFailureHandler() {        return new SimpleUrlAuthenticationFailureHandler("/getLoginError");    }//    /**//     * 表达式控制器//     *//     * @return//     *///    private DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {//        DefaultWebSecurityExpressionHandler webSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();//        return webSecurityExpressionHandler;//    }//    /**//     * 表达式投票器//     *//     * @return//     *///    private WebExpressionVoter webExpressionVoter() {//        WebExpressionVoter webExpressionVoter = new WebExpressionVoter();//        webExpressionVoter.setExpressionHandler(webSecurityExpressionHandler());//        return webExpressionVoter;//    }    // Code5  官方推荐加密算法//    @Bean("passwordEncoder")//    public BCryptPasswordEncoder passwordEncoder() {//        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();//        return bCryptPasswordEncoder;//    }//    // Code3----------------------------------------------    /**     * 登录成功后跳转     * 如果需要根据不同的角色做不同的跳转处理,那么继承AuthenticationSuccessHandler重写方法     *     * @return     */    private SimpleUrlAuthenticationSuccessHandler authenticationSuccessHandler() {        return new SimpleUrlAuthenticationSuccessHandler("/loginSuccess");    }    /**     * Created by ZhenWeiLai on on 2016-10-16.     */    private FilterSecurityInterceptor filterSecurityInterceptor(FilterInvocationSecurityMetadataSource securityMetadataSource, AccessDecisionManager accessDecisionManager, AuthenticationManager authenticationManager) {        FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();        filterSecurityInterceptor.setSecurityMetadataSource(securityMetadataSource);        filterSecurityInterceptor.setAccessDecisionManager(accessDecisionManager);        filterSecurityInterceptor.setAuthenticationManager(authenticationManager);        return filterSecurityInterceptor;    }}

 

继承UsernamePasswordAuthenticationFilter ,注入SessionRegistry ,当用户登录验证成功后注册session

/** * Created by ZhenWeiLai on 2017/6/2. */public class CuzUsernamePasswordAuthenticationFilter  extends UsernamePasswordAuthenticationFilter {    private boolean postOnly = true;    @Resource    private SessionRegistry sessionRegistry;    @Override    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {        if(this.postOnly && !request.getMethod().equals("POST")) {            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());        } else {            String username = this.obtainUsername(request);            String password = this.obtainPassword(request);            if(username == null) {                username = "";            }            if(password == null) {                password = "";            }            username = username.trim();            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);            //用户名密码验证通过后,注册session            sessionRegistry.registerNewSession(request.getSession().getId(),authRequest.getPrincipal());            this.setDetails(request, authRequest);            return this.getAuthenticationManager().authenticate(authRequest);        }    }}

重写用户实体类的比较方法.

    /**     * 重写比较方法,SpringSecurity根据用户名来比较是否同一个用户     */    @Override    public boolean equals(Object o){        if(o.toString().equals(this.username))            return true;        return false;    }    @Override    public int hashCode(){        return username.hashCode();    }    @Override    public String toString() {        return this.username;