重写了UsernamePasswordAuthenticationFilter,里面继承AbstractAuthenticationProcessingFilter,这个类里面的session认证策略,是一个空方法,貌似RememberMe也是.

public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware, MessageSourceAware {

    protected ApplicationEventPublisher eventPublisher;

    protected AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();

    private AuthenticationManager authenticationManager;

    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

    private RememberMeServices rememberMeServices = new NullRememberMeServices();

    private RequestMatcher requiresAuthenticationRequestMatcher;

    private boolean continueChainBeforeSuccessfulAuthentication = false;

    private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();

    private boolean allowSessionCreation = true;

    private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();

    private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
NullAuthenticatedSessionStrategy 源码
public final class NullAuthenticatedSessionStrategy implements SessionAuthenticationStrategy {

    public NullAuthenticatedSessionStrategy() {

    }

    public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {

    }

}

所以必须自己配置一个session验证策略,以及配置并发控制.红字为关键

WebSecurityConfigurerAdapter 
/**

 * Created by ZhenWeiLai on on 2016-10-16.

 * <p>

 * 三种方法级权限控制

 * <p>

 * 1.securedEnabled: Spring Security’s native annotation

 * 2.jsr250Enabled: standards-based and allow simple role-based constraints

 * 3.prePostEnabled: expression-based

 */

@EnableWebSecurity

//@EnableGlobalMethodSecurity(prePostEnabled = true)

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Resource

    private UserDetailsService userDetailsService;

    @Resource

    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    @Resource

    private SessionRegistry sessionRegistry;

    @Override

    public void configure(WebSecurity web) throws Exception {

        web.ignoring().antMatchers("/assets/**");

        web.ignoring().antMatchers("/components/**");

        web.ignoring().antMatchers("/css/**");

        web.ignoring().antMatchers("/images/**");

        web.ignoring().antMatchers("/js/**");

        web.ignoring().antMatchers("/mustache/**");

        web.ignoring().antMatchers("/favicon.ico");

        //注册地址不拦截

//        web.ignoring().antMatchers("/base/invoice/userinfo/u/reg");

//        web.ignoring().antMatchers("/**");

    }

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        //解决不允许显示在iframe的问题

        http.headers().frameOptions().disable();

        http.addFilterAt(usernamePasswordAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

       //session并发控制过滤器

        http.addFilterAt(new ConcurrentSessionFilter(sessionRegistry,sessionInformationExpiredStrategy()),ConcurrentSessionFilter.class);

        //自定义过滤器

        //在适当的地方加入

        http.addFilterAt(filterSecurityInterceptor(securityMetadataSource, accessDecisionManager(), authenticationManagerBean()), FilterSecurityInterceptor.class);

        http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")).and().logout().logoutUrl("/logout").logoutSuccessUrl("/login").permitAll().and().exceptionHandling().accessDeniedPage("/accessDenied");

        http.authorizeRequests().anyRequest().fullyAuthenticated();

        // 关闭csrf

        http.csrf().disable();

        /**

         * 以下配置无效

         */

        //session管理

        //session失效后跳转

//        http.sessionManagement().invalidSessionUrl("/login");

//        //只允许一个用户登录,如果同一个账户两次登录,那么第一个账户将被踢下线,跳转到登录页面

//        http.sessionManagement().maximumSessions(1).expiredUrl("/login");

    }

    @Override

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception {

        // 自定义UserDetailsService,设置加密算法

        auth.userDetailsService(userDetailsService);

//.passwordEncoder(passwordEncoder())

        //不删除凭据,以便记住用户

        auth.eraseCredentials(false);

    }

    //session失效跳转

    private SessionInformationExpiredStrategy sessionInformationExpiredStrategy() {

        return new SimpleRedirectSessionInformationExpiredStrategy("/login");

    }

    @Bean

    public SessionRegistry sessionRegistry() {

        return new SessionRegistryImpl();

    }

    //SpringSecurity内置的session监听器

    @Bean

    public HttpSessionEventPublisher httpSessionEventPublisher() {

        return new HttpSessionEventPublisher();

    }

    private UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter() throws Exception {

        UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter = new CuzUsernamePasswordAuthenticationFilter();

        usernamePasswordAuthenticationFilter.setPostOnly(true);

        usernamePasswordAuthenticationFilter.setAuthenticationManager(this.authenticationManager());

        usernamePasswordAuthenticationFilter.setUsernameParameter("name_key");

        usernamePasswordAuthenticationFilter.setPasswordParameter("pwd_key");

        usernamePasswordAuthenticationFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/checkLogin", "POST"));

        usernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(simpleUrlAuthenticationFailureHandler());

        usernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());

        //session并发控制,因为默认的并发控制方法是空方法.这里必须自己配置一个

        usernamePasswordAuthenticationFilter.setSessionAuthenticationStrategy(new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry));

        return usernamePasswordAuthenticationFilter;

    }

//    @Bean

//    public LoggerListener loggerListener() {

//        System.out.println("org.springframework.security.authentication.event.LoggerListener");

//        return new LoggerListener();

//    }

//

//    @Bean

//    public org.springframework.security.access.event.LoggerListener eventLoggerListener() {

//        System.out.println("org.springframework.security.access.event.LoggerListener");

//        return new org.springframework.security.access.event.LoggerListener();

//    }

    /**

     * 投票器

     */

    private AbstractAccessDecisionManager accessDecisionManager() {

        List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList();

        decisionVoters.add(new AuthenticatedVoter());

        decisionVoters.add(new RoleVoter());//角色投票器,默认前缀为ROLE_

        RoleVoter AuthVoter = new RoleVoter();

        AuthVoter.setRolePrefix("AUTH_");//特殊权限投票器,修改前缀为AUTH_

        decisionVoters.add(AuthVoter);

        AbstractAccessDecisionManager accessDecisionManager = new AffirmativeBased(decisionVoters);

        return accessDecisionManager;

    }

    @Override

    public AuthenticationManager authenticationManagerBean() {

        AuthenticationManager authenticationManager = null;

        try {

            authenticationManager = super.authenticationManagerBean();

        } catch (Exception e) {

            e.printStackTrace();

        }

        return authenticationManager;

    }

    /**

     * 验证异常处理器

     *

     * @return

     */

    private SimpleUrlAuthenticationFailureHandler simpleUrlAuthenticationFailureHandler() {

        return new SimpleUrlAuthenticationFailureHandler("/getLoginError");

    }

//    /**

//     * 表达式控制器

//     *

//     * @return

//     */

//    private DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {

//        DefaultWebSecurityExpressionHandler webSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();

//        return webSecurityExpressionHandler;

//    }

//    /**

//     * 表达式投票器

//     *

//     * @return

//     */

//    private WebExpressionVoter webExpressionVoter() {

//        WebExpressionVoter webExpressionVoter = new WebExpressionVoter();

//        webExpressionVoter.setExpressionHandler(webSecurityExpressionHandler());

//        return webExpressionVoter;

//    }

    // Code5  官方推荐加密算法

//    @Bean("passwordEncoder")

//    public BCryptPasswordEncoder passwordEncoder() {

//        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();

//        return bCryptPasswordEncoder;

//    }

//    // Code3----------------------------------------------

    /**

     * 登录成功后跳转

     * 如果需要根据不同的角色做不同的跳转处理,那么继承AuthenticationSuccessHandler重写方法

     *

     * @return

     */

    private SimpleUrlAuthenticationSuccessHandler authenticationSuccessHandler() {

        return new SimpleUrlAuthenticationSuccessHandler("/loginSuccess");

    }

    /**

     * Created by ZhenWeiLai on on 2016-10-16.

     */

    private FilterSecurityInterceptor filterSecurityInterceptor(FilterInvocationSecurityMetadataSource securityMetadataSource, AccessDecisionManager accessDecisionManager, AuthenticationManager authenticationManager) {

        FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();

        filterSecurityInterceptor.setSecurityMetadataSource(securityMetadataSource);

        filterSecurityInterceptor.setAccessDecisionManager(accessDecisionManager);

        filterSecurityInterceptor.setAuthenticationManager(authenticationManager);

        return filterSecurityInterceptor;

    }

}

继承UsernamePasswordAuthenticationFilter ,注入SessionRegistry ,当用户登录验证成功后注册session

/**

 * Created by ZhenWeiLai on 2017/6/2.

 */

public class CuzUsernamePasswordAuthenticationFilter  extends UsernamePasswordAuthenticationFilter {

    private boolean postOnly = true;

    @Resource

    private SessionRegistry sessionRegistry;

    @Override

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

        if(this.postOnly && !request.getMethod().equals("POST")) {

            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());

        } else {

            String username = this.obtainUsername(request);

            String password = this.obtainPassword(request);

            if(username == null) {

                username = "";

            }

            if(password == null) {

                password = "";

            }

            username = username.trim();

            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

            //用户名密码验证通过后,注册session

            sessionRegistry.registerNewSession(request.getSession().getId(),authRequest.getPrincipal());

            this.setDetails(request, authRequest);

            return this.getAuthenticationManager().authenticate(authRequest);

        }

    }

}

重写用户实体类的比较方法.

    /**

     * 重写比较方法,SpringSecurity根据用户名来比较是否同一个用户

     */

    @Override

    public boolean equals(Object o){

        if(o.toString().equals(this.username))

            return true;

        return false;

    }

    @Override

    public int hashCode(){

        return username.hashCode();

    }

    @Override

    public String toString() {

        return this.username;

    }

SpringBoot整合SpringSecurity,SESSION 并发管理,同账号只允许登录一次的更多相关文章

  1. SpringBoot整合SpringSecurity示例实现前后分离权限注解

    SpringBoot 整合SpringSecurity示例实现前后分离权限注解+JWT登录认证 作者:Sans_ juejin.im/post/5da82f066fb9a04e2a73daec 一.说 ...

  2. SpringBoot整合SpringSecurity简单实现登入登出从零搭建

    技术栈 : SpringBoot + SpringSecurity + jpa + freemark ,完整项目地址 : https://github.com/EalenXie/spring-secu ...

  3. 9、SpringBoot整合之SpringBoot整合SpringSecurity

    SpringBoot整合SpringSecurity 一.创建项目,选择依赖 选择Spring Web.Thymeleaf即可 二.在pom文件中导入相关依赖 <!-- 导入SpringSecu ...

  4. boke练习: springboot整合springSecurity出现的问题,传递csrf

    boke练习: springboot整合springSecurity出现的问题,传递csrf freemarker模板 在html页面中加入: <input name="_csrf&q ...

  5. springboot整合springsecurity遇到的问题

    在整合springsecurity时遇到好几个问题,自动配置登录,下线,注销用户的操作,数据基于mybatis,模版引擎用的thymeleaf+bootstrap. 一.认证时密码的加密(passwo ...

  6. SpringBoot整合SpringSecurity实现JWT认证

    目录 前言 目录 1.创建SpringBoot工程 2.导入SpringSecurity与JWT的相关依赖 3.定义SpringSecurity需要的基础处理类 4. 构建JWT token工具类 5 ...

  7. boke练习: springboot整合springSecurity出现的问题,post,delete,put无法使用

    springboot 与 SpringSecurity整合后,为了防御csrf攻击,只有GET|OPTIONS|HEAD|TRACE|CONNECTION可以通过. 其他方法请求时,需要有token ...

  8. SpringBoot整合Mybatis完整详细版二:注册、登录、拦截器配置

    接着上个章节来,上章节搭建好框架,并且测试也在页面取到数据.接下来实现web端,实现前后端交互,在前台进行注册登录以及后端拦截器配置.实现简单的未登录拦截跳转到登录页面 上一节传送门:SpringBo ...

  9. SpringBoot 整合 SpringSecurity 梳理

    文档 Spring Security Reference SpringBoot+SpringSecurity+jwt整合及初体验 JSON Web Token 入门教程 - 阮一峰 JWT 官网 Sp ...

随机推荐

  1. 一步步使用BMC Atrium Orchestrator Vmware Infrastructure Event Monitor

    本教程将一步步演示怎么使用BMC Atrium Orchestrator (BAO) Vmware Infrastructure Event Monitor来监控VSphere Webservice的 ...

  2. The server's host key is not cached in the registry. You have no guarantee that the server……

    使用putty中的pscp.exe ,可以通过脚本方式实现windows向linux上传文件,但pscp.exe第一次运行时必须手工输入确认信息,本文主要解决掉初次运行时的人工交互,彻底实现静默运行. ...

  3. Java并发系列[1]----AbstractQueuedSynchronizer源码分析之概要分析

    学习Java并发编程不得不去了解一下java.util.concurrent这个包,这个包下面有许多我们经常用到的并发工具类,例如:ReentrantLock, CountDownLatch, Cyc ...

  4. curl错误码说明

    1.得到错误码 $errno=curl_errno($ch); if($errno!=0){ -- } 2.错误码说明 <?php return [ '1'=>'CURLE_UNSUPPO ...

  5. 【转】 SED多行模式空间

    1. sed执行模板=sed '模式{命令1;命令2}' 即逐行读入模式空间,执行命令,最后输出打印出来 2. 为方便下面,先说下p和P,p打印当前模式空间内容,追加到默认输出之后,P打印当前模式空间 ...

  6. [PHP] Phalcon操作示范

    这篇内容将对下列操作进行示范: Insert.Select.Update.Calculation.Transaction.models advanced.dev-tools.cookies [ Ins ...

  7. CSS3属性详解(图文教程)

    本文最初发表于博客园,并在GitHub上持续更新前端的系列文章.欢迎在GitHub上关注我,一起入门和进阶前端. 以下是正文. 前言 我们在上一篇文章中学习了CSS3的选择器,本文来学一下CSS3的一 ...

  8. 浅谈python模块的导入操作

    1.什么是模块 在Python中有一个概念叫做模块(module). 所谓模块,就是将代码量较大的程序分割成多个有组织的,彼此独立但双能互相交互的代码片段, 这些自我包含的有组织的代码段就是模块. 2 ...

  9. 编译安装 python 2.7

    下载python2.7 Python-2.7.6.tgz 下载链接:http://pan.baidu.com/s/1c0AJDDI 配置./configure 编译make 安装 make insta ...

  10. Installing VirtualBox

    The (VirtualBox) website has a lot of quality documentation including: End-user documentation Techni ...