重写了UsernamePasswordAuthenticationFilter,里面继承AbstractAuthenticationProcessingFilter,这个类里面的session认证策略,是一个空方法,貌似RememberMe也是.

public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware, MessageSourceAware {

    protected ApplicationEventPublisher eventPublisher;

    protected AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();

    private AuthenticationManager authenticationManager;

    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

    private RememberMeServices rememberMeServices = new NullRememberMeServices();

    private RequestMatcher requiresAuthenticationRequestMatcher;

    private boolean continueChainBeforeSuccessfulAuthentication = false;

    private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();

    private boolean allowSessionCreation = true;

    private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();

    private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
NullAuthenticatedSessionStrategy 源码
public final class NullAuthenticatedSessionStrategy implements SessionAuthenticationStrategy {

    public NullAuthenticatedSessionStrategy() {

    }

    public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {

    }

}

所以必须自己配置一个session验证策略,以及配置并发控制.红字为关键

WebSecurityConfigurerAdapter 
/**

 * Created by ZhenWeiLai on on 2016-10-16.

 * <p>

 * 三种方法级权限控制

 * <p>

 * 1.securedEnabled: Spring Security’s native annotation

 * 2.jsr250Enabled: standards-based and allow simple role-based constraints

 * 3.prePostEnabled: expression-based

 */

@EnableWebSecurity

//@EnableGlobalMethodSecurity(prePostEnabled = true)

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Resource

    private UserDetailsService userDetailsService;

    @Resource

    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    @Resource

    private SessionRegistry sessionRegistry;

    @Override

    public void configure(WebSecurity web) throws Exception {

        web.ignoring().antMatchers("/assets/**");

        web.ignoring().antMatchers("/components/**");

        web.ignoring().antMatchers("/css/**");

        web.ignoring().antMatchers("/images/**");

        web.ignoring().antMatchers("/js/**");

        web.ignoring().antMatchers("/mustache/**");

        web.ignoring().antMatchers("/favicon.ico");

        //注册地址不拦截

//        web.ignoring().antMatchers("/base/invoice/userinfo/u/reg");

//        web.ignoring().antMatchers("/**");

    }

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        //解决不允许显示在iframe的问题

        http.headers().frameOptions().disable();

        http.addFilterAt(usernamePasswordAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

       //session并发控制过滤器

        http.addFilterAt(new ConcurrentSessionFilter(sessionRegistry,sessionInformationExpiredStrategy()),ConcurrentSessionFilter.class);

        //自定义过滤器

        //在适当的地方加入

        http.addFilterAt(filterSecurityInterceptor(securityMetadataSource, accessDecisionManager(), authenticationManagerBean()), FilterSecurityInterceptor.class);

        http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")).and().logout().logoutUrl("/logout").logoutSuccessUrl("/login").permitAll().and().exceptionHandling().accessDeniedPage("/accessDenied");

        http.authorizeRequests().anyRequest().fullyAuthenticated();

        // 关闭csrf

        http.csrf().disable();

        /**

         * 以下配置无效

         */

        //session管理

        //session失效后跳转

//        http.sessionManagement().invalidSessionUrl("/login");

//        //只允许一个用户登录,如果同一个账户两次登录,那么第一个账户将被踢下线,跳转到登录页面

//        http.sessionManagement().maximumSessions(1).expiredUrl("/login");

    }

    @Override

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception {

        // 自定义UserDetailsService,设置加密算法

        auth.userDetailsService(userDetailsService);

//.passwordEncoder(passwordEncoder())

        //不删除凭据,以便记住用户

        auth.eraseCredentials(false);

    }

    //session失效跳转

    private SessionInformationExpiredStrategy sessionInformationExpiredStrategy() {

        return new SimpleRedirectSessionInformationExpiredStrategy("/login");

    }

    @Bean

    public SessionRegistry sessionRegistry() {

        return new SessionRegistryImpl();

    }

    //SpringSecurity内置的session监听器

    @Bean

    public HttpSessionEventPublisher httpSessionEventPublisher() {

        return new HttpSessionEventPublisher();

    }

    private UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter() throws Exception {

        UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter = new CuzUsernamePasswordAuthenticationFilter();

        usernamePasswordAuthenticationFilter.setPostOnly(true);

        usernamePasswordAuthenticationFilter.setAuthenticationManager(this.authenticationManager());

        usernamePasswordAuthenticationFilter.setUsernameParameter("name_key");

        usernamePasswordAuthenticationFilter.setPasswordParameter("pwd_key");

        usernamePasswordAuthenticationFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/checkLogin", "POST"));

        usernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(simpleUrlAuthenticationFailureHandler());

        usernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());

        //session并发控制,因为默认的并发控制方法是空方法.这里必须自己配置一个

        usernamePasswordAuthenticationFilter.setSessionAuthenticationStrategy(new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry));

        return usernamePasswordAuthenticationFilter;

    }

//    @Bean

//    public LoggerListener loggerListener() {

//        System.out.println("org.springframework.security.authentication.event.LoggerListener");

//        return new LoggerListener();

//    }

//

//    @Bean

//    public org.springframework.security.access.event.LoggerListener eventLoggerListener() {

//        System.out.println("org.springframework.security.access.event.LoggerListener");

//        return new org.springframework.security.access.event.LoggerListener();

//    }

    /**

     * 投票器

     */

    private AbstractAccessDecisionManager accessDecisionManager() {

        List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList();

        decisionVoters.add(new AuthenticatedVoter());

        decisionVoters.add(new RoleVoter());//角色投票器,默认前缀为ROLE_

        RoleVoter AuthVoter = new RoleVoter();

        AuthVoter.setRolePrefix("AUTH_");//特殊权限投票器,修改前缀为AUTH_

        decisionVoters.add(AuthVoter);

        AbstractAccessDecisionManager accessDecisionManager = new AffirmativeBased(decisionVoters);

        return accessDecisionManager;

    }

    @Override

    public AuthenticationManager authenticationManagerBean() {

        AuthenticationManager authenticationManager = null;

        try {

            authenticationManager = super.authenticationManagerBean();

        } catch (Exception e) {

            e.printStackTrace();

        }

        return authenticationManager;

    }

    /**

     * 验证异常处理器

     *

     * @return

     */

    private SimpleUrlAuthenticationFailureHandler simpleUrlAuthenticationFailureHandler() {

        return new SimpleUrlAuthenticationFailureHandler("/getLoginError");

    }

//    /**

//     * 表达式控制器

//     *

//     * @return

//     */

//    private DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {

//        DefaultWebSecurityExpressionHandler webSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();

//        return webSecurityExpressionHandler;

//    }

//    /**

//     * 表达式投票器

//     *

//     * @return

//     */

//    private WebExpressionVoter webExpressionVoter() {

//        WebExpressionVoter webExpressionVoter = new WebExpressionVoter();

//        webExpressionVoter.setExpressionHandler(webSecurityExpressionHandler());

//        return webExpressionVoter;

//    }

    // Code5  官方推荐加密算法

//    @Bean("passwordEncoder")

//    public BCryptPasswordEncoder passwordEncoder() {

//        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();

//        return bCryptPasswordEncoder;

//    }

//    // Code3----------------------------------------------

    /**

     * 登录成功后跳转

     * 如果需要根据不同的角色做不同的跳转处理,那么继承AuthenticationSuccessHandler重写方法

     *

     * @return

     */

    private SimpleUrlAuthenticationSuccessHandler authenticationSuccessHandler() {

        return new SimpleUrlAuthenticationSuccessHandler("/loginSuccess");

    }

    /**

     * Created by ZhenWeiLai on on 2016-10-16.

     */

    private FilterSecurityInterceptor filterSecurityInterceptor(FilterInvocationSecurityMetadataSource securityMetadataSource, AccessDecisionManager accessDecisionManager, AuthenticationManager authenticationManager) {

        FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();

        filterSecurityInterceptor.setSecurityMetadataSource(securityMetadataSource);

        filterSecurityInterceptor.setAccessDecisionManager(accessDecisionManager);

        filterSecurityInterceptor.setAuthenticationManager(authenticationManager);

        return filterSecurityInterceptor;

    }

}

继承UsernamePasswordAuthenticationFilter ,注入SessionRegistry ,当用户登录验证成功后注册session

/**

 * Created by ZhenWeiLai on 2017/6/2.

 */

public class CuzUsernamePasswordAuthenticationFilter  extends UsernamePasswordAuthenticationFilter {

    private boolean postOnly = true;

    @Resource

    private SessionRegistry sessionRegistry;

    @Override

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

        if(this.postOnly && !request.getMethod().equals("POST")) {

            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());

        } else {

            String username = this.obtainUsername(request);

            String password = this.obtainPassword(request);

            if(username == null) {

                username = "";

            }

            if(password == null) {

                password = "";

            }

            username = username.trim();

            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

            //用户名密码验证通过后,注册session

            sessionRegistry.registerNewSession(request.getSession().getId(),authRequest.getPrincipal());

            this.setDetails(request, authRequest);

            return this.getAuthenticationManager().authenticate(authRequest);

        }

    }

}

重写用户实体类的比较方法.

    /**

     * 重写比较方法,SpringSecurity根据用户名来比较是否同一个用户

     */

    @Override

    public boolean equals(Object o){

        if(o.toString().equals(this.username))

            return true;

        return false;

    }

    @Override

    public int hashCode(){

        return username.hashCode();

    }

    @Override

    public String toString() {

        return this.username;

    }

SpringBoot整合SpringSecurity,SESSION 并发管理,同账号只允许登录一次的更多相关文章

  1. SpringBoot整合SpringSecurity示例实现前后分离权限注解

    SpringBoot 整合SpringSecurity示例实现前后分离权限注解+JWT登录认证 作者:Sans_ juejin.im/post/5da82f066fb9a04e2a73daec 一.说 ...

  2. SpringBoot整合SpringSecurity简单实现登入登出从零搭建

    技术栈 : SpringBoot + SpringSecurity + jpa + freemark ,完整项目地址 : https://github.com/EalenXie/spring-secu ...

  3. 9、SpringBoot整合之SpringBoot整合SpringSecurity

    SpringBoot整合SpringSecurity 一.创建项目,选择依赖 选择Spring Web.Thymeleaf即可 二.在pom文件中导入相关依赖 <!-- 导入SpringSecu ...

  4. boke练习: springboot整合springSecurity出现的问题,传递csrf

    boke练习: springboot整合springSecurity出现的问题,传递csrf freemarker模板 在html页面中加入: <input name="_csrf&q ...

  5. springboot整合springsecurity遇到的问题

    在整合springsecurity时遇到好几个问题,自动配置登录,下线,注销用户的操作,数据基于mybatis,模版引擎用的thymeleaf+bootstrap. 一.认证时密码的加密(passwo ...

  6. SpringBoot整合SpringSecurity实现JWT认证

    目录 前言 目录 1.创建SpringBoot工程 2.导入SpringSecurity与JWT的相关依赖 3.定义SpringSecurity需要的基础处理类 4. 构建JWT token工具类 5 ...

  7. boke练习: springboot整合springSecurity出现的问题,post,delete,put无法使用

    springboot 与 SpringSecurity整合后,为了防御csrf攻击,只有GET|OPTIONS|HEAD|TRACE|CONNECTION可以通过. 其他方法请求时,需要有token ...

  8. SpringBoot整合Mybatis完整详细版二:注册、登录、拦截器配置

    接着上个章节来,上章节搭建好框架,并且测试也在页面取到数据.接下来实现web端,实现前后端交互,在前台进行注册登录以及后端拦截器配置.实现简单的未登录拦截跳转到登录页面 上一节传送门:SpringBo ...

  9. SpringBoot 整合 SpringSecurity 梳理

    文档 Spring Security Reference SpringBoot+SpringSecurity+jwt整合及初体验 JSON Web Token 入门教程 - 阮一峰 JWT 官网 Sp ...

随机推荐

  1. MySQL中时间函数NOW()和SYSDATE()的区别

    mysql中日期函数还是比较常用的.主要有NOW()和SYSDATE()两种,虽然都表示当前时间,但使用上有一点点区别. NOW()取的是语句开始执行的时间,SYSDATE()取的是动态的实时时间. ...

  2. Oracle数据库创建用户小结

    前言:使用Oracle开发系统过程中,会涉及到数据库用户的建立,及给该用户分配权限.刚开始接触开发的时候,对这些操作是一种茫茫然的状态.后,经过积累,对这方面有了一定的认识,现总结一些,一则,巩固自身 ...

  3. java IO(一):File类

    */ .hljs { display: block; overflow-x: auto; padding: 0.5em; color: #333; background: #f8f8f8; } .hl ...

  4. CU社区shell板块awk十三问整理

    CU社区shell板块awk十三问整理 一.RS="" 当 RS="" 时,会将\n强制加入到FS变量中,因为RS为空时,是将连续多空行作为分隔符,近似于\n\ ...

  5. 【转】shell:date 常用方式

    在linux下获取时间字符串 命令 date # 以yyyymmdd格式输出23天之前现在这个时刻的时间 $ date +%Y%m%d –date=’23 days ago’ $ date -u Th ...

  6. 2018-01-05-医药行业的IT革命探讨

    layout: post title: 2018-01-05-医药行业的IT革命探讨 key: 20180105 tags: IT AI 医疗 modify_date: 2018-01-05 --- ...

  7. mkdir -p 参数的使用

    ssh root@%s -o ConnectTimeout=2 "ssh root@%s ConnectTimeout=2 "if [ ! -d /root/scripts ]; ...

  8. sphinx的再创造coreseek的安装过程

    CoreSeek详细安装过程:coreseek-3.2.14.tar.gz下载链接: http://pan.baidu.com/s/1o6DNesE 解压缩安装mmseg分词程序: .tar.gz c ...

  9. verilog实验1:基于FPGA蜂鸣器演奏乐曲并数码管显示

    一.实验任务 利用FPGA进行代码开发,使蜂鸣器演奏出乐曲<生日快乐>,将音调显示在数码管.原理为蜂鸣器为交流源蜂鸣器,在引脚上加一定频率的方波就可以发声,而且发声的频率由所加方波决定.这 ...

  10. 洛谷 [P1154] 奶牛分厩

    类似筛法的思想 本题实际上就是反推hash的模数, 首先想到枚举k,但显然会超时. $a mod k==b mod k <==> k|(a-b) $ 由同余的定义可以知道 所以我们的任务就 ...