由于集成了spring session ,redis 共享session,导致SpringSecurity单节点的session并发控制失效,

springSession 号称 无缝整合httpsession,这个应该是没问题的,

但是为什么分布式情况下的session 并发依然是单节点呢?

因为session并发控制是第三方框架的 单节点缓存了session名单.我们要重写框架这一部分代码,把session名单存入到redis.

关于SpringSecruity的Session并发管理,看我另一篇随笔:

SpringBoot整合SpringSecurity,SESSION 并发管理,同账号只允许登录一次

废话说到,这里,看代码:

重写 SessionRegistry

**

 * Created by 为 on 2017-6-9.

 */

public class MySessionRegistryImpl implements SessionRegistry, ApplicationListener<SessionDestroyedEvent> {

    private static final String SESSIONIDS = "sessionIds";

    private static final String PRINCIPALS = "principals";

    @Resource

    private RedisTemplate redisTemplate;

    protected final Log logger = LogFactory.getLog(SessionRegistryImpl.class);

//    private final ConcurrentMap<Object, Set<String>> principals = new ConcurrentHashMap();

//    private final Map<String, SessionInformation> sessionIds = new ConcurrentHashMap();

    public MySessionRegistryImpl() {

    }

    public List<Object> getAllPrincipals() {

        return new ArrayList(this.getPrincipalsKeySet());

    }

    public List<SessionInformation> getAllSessions(Object principal, boolean includeExpiredSessions) {

        Set<String> sessionsUsedByPrincipal =  this.getPrincipals(((UserDetails)principal).getUsername());

        if (sessionsUsedByPrincipal == null) {

            return Collections.emptyList();

        } else {

            List<SessionInformation> list = new ArrayList(sessionsUsedByPrincipal.size());

            Iterator var5 = sessionsUsedByPrincipal.iterator();

            while (true) {

                SessionInformation sessionInformation;

                do {

                    do {

                        if (!var5.hasNext()) {

                            return list;

                        }

                        String sessionId = (String) var5.next();

                        sessionInformation = this.getSessionInformation(sessionId);

                    } while (sessionInformation == null);

                } while (!includeExpiredSessions && sessionInformation.isExpired());

                list.add(sessionInformation);

            }

        }

    }

    public SessionInformation getSessionInformation(String sessionId) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        return (SessionInformation) this.getSessionInfo(sessionId);

    }

    public void onApplicationEvent(SessionDestroyedEvent event) {

        String sessionId = event.getId();

        this.removeSessionInformation(sessionId);

    }

    public void refreshLastRequest(String sessionId) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        SessionInformation info = this.getSessionInformation(sessionId);

        if (info != null) {

            info.refreshLastRequest();

        }

    }

    public void registerNewSession(String sessionId, Object principal) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        Assert.notNull(principal, "Principal required as per interface contract");

        if (this.logger.isDebugEnabled()) {

            this.logger.debug("Registering session " + sessionId + ", for principal " + principal);

        }

        if (this.getSessionInformation(sessionId) != null) {

            this.removeSessionInformation(sessionId);

        }

        this.addSessionInfo(sessionId, new SessionInformation(principal, sessionId, new Date()));

//        this.sessionIds.put(sessionId, new SessionInformation(principal, sessionId, new Date()));

        Set<String> sessionsUsedByPrincipal = (Set) this.getPrincipals(principal.toString());

        if (sessionsUsedByPrincipal == null) {

            sessionsUsedByPrincipal = new CopyOnWriteArraySet();

            Set<String> prevSessionsUsedByPrincipal = (Set) this.putIfAbsentPrincipals(principal.toString(), sessionsUsedByPrincipal);

            if (prevSessionsUsedByPrincipal != null) {

                sessionsUsedByPrincipal = prevSessionsUsedByPrincipal;

            }

        }

        ((Set) sessionsUsedByPrincipal).add(sessionId);

        this.putPrincipals(principal.toString(), sessionsUsedByPrincipal);

        if (this.logger.isTraceEnabled()) {

            this.logger.trace("Sessions used by '" + principal + "' : " + sessionsUsedByPrincipal);

        }

    }

    public void removeSessionInformation(String sessionId) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        SessionInformation info = this.getSessionInformation(sessionId);

        if (info != null) {

            if (this.logger.isTraceEnabled()) {

                this.logger.debug("Removing session " + sessionId + " from set of registered sessions");

            }

            this.removeSessionInfo(sessionId);

            Set<String> sessionsUsedByPrincipal = (Set) this.getPrincipals(info.getPrincipal().toString());

            if (sessionsUsedByPrincipal != null) {

                if (this.logger.isDebugEnabled()) {

                    this.logger.debug("Removing session " + sessionId + " from principal's set of registered sessions");

                }

                sessionsUsedByPrincipal.remove(sessionId);

                if (sessionsUsedByPrincipal.isEmpty()) {

                    if (this.logger.isDebugEnabled()) {

                        this.logger.debug("Removing principal " + info.getPrincipal() + " from registry");

                    }

                    this.removePrincipal(((UserDetails)info.getPrincipal()).getUsername());

                }

                if (this.logger.isTraceEnabled()) {

                    this.logger.trace("Sessions used by '" + info.getPrincipal() + "' : " + sessionsUsedByPrincipal);

                }

            }

        }

    }

    public void addSessionInfo(final String sessionId, final SessionInformation sessionInformation) {

        BoundHashOperations<String, String, SessionInformation> hashOperations = redisTemplate.boundHashOps(SESSIONIDS);

        hashOperations.put(sessionId, sessionInformation);

    }

    public SessionInformation getSessionInfo(final String sessionId) {

        BoundHashOperations<String, String, SessionInformation> hashOperations = redisTemplate.boundHashOps(SESSIONIDS);

        return hashOperations.get(sessionId);

    }

    public void removeSessionInfo(final String sessionId) {

        BoundHashOperations<String, String, SessionInformation> hashOperations = redisTemplate.boundHashOps(SESSIONIDS);

        hashOperations.delete(sessionId);

    }

    public Set<String> putIfAbsentPrincipals(final String key, final Set<String> set) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        hashOperations.putIfAbsent(key, set);

        return hashOperations.get(key);

    }

    public void putPrincipals(final String key, final Set<String> set) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        hashOperations.put(key,set);

    }

    public Set<String> getPrincipals(final String key) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        return hashOperations.get(key);

    }

    public Set<String> getPrincipalsKeySet() {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        return hashOperations.keys();

    }

    public void removePrincipal(final String key) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        hashOperations.delete(key);

    }

}

重写ConcurrentSessionControlAuthenticationStrategy

/**

 * Created by 为 on 2017-6-14.

 */

public class MyConcurrentSessionControlAuthenticationStrategy extends ConcurrentSessionControlAuthenticationStrategy {

    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

    private final SessionRegistry sessionRegistry;

    private boolean exceptionIfMaximumExceeded = false;

    private int maximumSessions = 1;

    public MyConcurrentSessionControlAuthenticationStrategy(SessionRegistry sessionRegistry) {

        super(sessionRegistry);

        Assert.notNull(sessionRegistry, "The sessionRegistry cannot be null");

        this.sessionRegistry = sessionRegistry;

    }

    public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {

        List<SessionInformation> sessions = this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false);

        int sessionCount = sessions.size();

        int allowedSessions = this.getMaximumSessionsForThisUser(authentication);

        if(sessionCount >= allowedSessions) {

            if(allowedSessions != -1) {

                if(sessionCount == allowedSessions) {

                    HttpSession session = request.getSession(false);

                    if(session != null) {

                        Iterator var8 = sessions.iterator();

                        while(var8.hasNext()) {

                            SessionInformation si = (SessionInformation)var8.next();

                            if(si.getSessionId().equals(session.getId())) {

                                return;

                            }

                        }

                    }

                }

                this.allowableSessionsExceeded(sessions, allowedSessions, this.sessionRegistry);

            }

        }

    }

    protected int getMaximumSessionsForThisUser(Authentication authentication) {

        return this.maximumSessions;

    }

    protected void allowableSessionsExceeded(List<SessionInformation> sessions, int allowableSessions, SessionRegistry registry) throws SessionAuthenticationException {

        if(!this.exceptionIfMaximumExceeded && sessions != null) {

            SessionInformation leastRecentlyUsed = null;

            Iterator var5 = sessions.iterator();

            while(true) {

                SessionInformation session;

                do {

                    if(!var5.hasNext()) {

                        leastRecentlyUsed.expireNow();

                        ((MySessionRegistryImpl)sessionRegistry).addSessionInfo(leastRecentlyUsed.getSessionId(),leastRecentlyUsed);

                        return;

                    }

                    session = (SessionInformation)var5.next();

                } while(leastRecentlyUsed != null && !session.getLastRequest().before(leastRecentlyUsed.getLastRequest()));

                leastRecentlyUsed = session;

            }

        } else {

            throw new SessionAuthenticationException(this.messages.getMessage("ConcurrentSessionControlAuthenticationStrategy.exceededAllowed", new Object[]{Integer.valueOf(allowableSessions)}, "Maximum sessions of {0} for this principal exceeded"));

        }

    }

    public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) {

        this.exceptionIfMaximumExceeded = exceptionIfMaximumExceeded;

    }

    public void setMaximumSessions(int maximumSessions) {

        Assert.isTrue(maximumSessions != 0, "MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");

        this.maximumSessions = maximumSessions;

    }

    public void setMessageSource(MessageSource messageSource) {

        Assert.notNull(messageSource, "messageSource cannot be null");

        this.messages = new MessageSourceAccessor(messageSource);

    }

}
WebSecurityConfigurerAdapter

   @Bean

    public MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter() throws Exception {

        MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter = new MyUsernamePasswordAuthenticationFilter();

        myUsernamePasswordAuthenticationFilter.setPostOnly(true);

        myUsernamePasswordAuthenticationFilter.setAuthenticationManager(this.authenticationManager());

        myUsernamePasswordAuthenticationFilter.setUsernameParameter("name_key");

        myUsernamePasswordAuthenticationFilter.setPasswordParameter("pwd_key");

        myUsernamePasswordAuthenticationFilter.setVerificationCodeParameter("verification_code");

        myUsernamePasswordAuthenticationFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/checkLogin", "POST"));

        myUsernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(simpleUrlAuthenticationFailureHandler());

        myUsernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());

        myUsernamePasswordAuthenticationFilter.setSessionAuthenticationStrategy(new MyConcurrentSessionControlAuthenticationStrategy(sessionRegistry));

        return myUsernamePasswordAuthenticationFilter;

    }

开启两个服务,同一个账户登录不同的端口测试,能否被T下线

SpringBoot,Security4, redis共享session,分布式SESSION并发控制,同账号只能登录一次的更多相关文章

  1. SpringBoot系列: Redis 共享Session

    Web项目Session管理是一个很重要的话题, 涉及到系统横向扩展, SpringBoot已经为共享Session很好的解决方案, 这篇文章关注使用Redis共享会话, 同时这也是最常用的方法. = ...

  2. spring+redis+nginx 实现分布式session共享

    1,spring 必须是4.3以上版本的 2,maven配置 添加两个重要的依赖 <dependency> <groupId>org.springframework.sessi ...

  3. SpringBoot使用Redis共享用户session信息

    SpringBoot引入Redis依赖: <dependency> <groupId>org.springframework.boot</groupId> < ...

  4. SpringBoot SpringSession redis 共享 SESSION

    号称无缝整合httpsession 共享, 但注意如果存在第三方框架,例如SESSION并发控制,这个是需要自己重写session名单的. 关于redis session 共享 的session并发控 ...

  5. SpringBoot+Shiro+Redis共享Session入门小栗子

    在单机版的Springboot+Shiro的基础上,这次实现共享Session. 这里没有自己写RedisManager.SessionDAO.用的 crazycake 写的开源插件 pom.xml ...

  6. springboot 整合 redis 共享Session-spring-session-data-redis

    参考:https://www.cnblogs.com/ityouknow/p/5748830.html 如何使用 1.引入 spring-boot-starter-redis <dependen ...

  7. springboot集成redis(mybatis、分布式session)

    安装Redis请参考:<CentOS快速安装Redis> 一.springboot集成redis并实现DB与缓存同步 1.添加redis及数据库相关依赖(pom.xml) <depe ...

  8. 基于redis解决session分布式一致性问题

    1.session是什么 当用户在前端发起请求时,服务器会为当前用户建立一个session,服务器将sessionId回写给客户端,只要用户浏览器不关闭,再次请求服务器时,将sessionId传给服务 ...

  9. ASP.NET Core中间件实现分布式 Session

    1. ASP.NET Core中间件详解 1.1. 中间件原理 1.1.1. 什么是中间件 1.1.2. 中间件执行过程 1.1.3. 中间件的配置 1.2. 依赖注入中间件 1.3. Cookies ...

随机推荐

  1. hibernate解读之session--基于最新稳定版5.2.12

    前言 hibernate是一个实现了JPA标准的,用于对象持久化的orm框架.博主近一年开发都在使用. 前段时间在工作中遇到了一个hibernate的问题,从数据库查找得到对象后,修改了其中部分字段值 ...

  2. 08_jquery基础应用第一天

    视频来源:麦子学院 讲师:李景山

  3. PHP中文网上的无限极分类

    原文地址:http://www.php.cn/code/3966.html fenlei.php <?php class fenlei { public $db; //构造函数,构造函数没有返回 ...

  4. 【转】shell学习笔记(三)——引用变量、内部变量、条件测试、字符串比较、整数比较等

    1.env显示当前的环境变量 2.PS1='[\u@\h \w \A] \$' 可以设置bash的命令与提示符. 3.echo $$ 显示当前bash的PID号 4.echo $?显示上一条指令的回传 ...

  5. 使用sed替换一行内多个括号内的值

    1. 括号在同一行 # cat test2good morning (good afternoon) (good evening) (goodgood) (good morning) # cat se ...

  6. Docker最佳实践-部署LNMP环境

    标签(linux): docker 笔者Q:972581034 交流群:605799367.有任何疑问可与笔者或加群交流 环境准备 [root@docker ~]# cat /etc/redhat-r ...

  7. python--批量下载豆瓣图片之升级版本

    周末下雨没法出门,刷刷豆瓣看看妹子,本想拿以前脚本下载点图片,结果发现运行失败,之前版本为<python--批量下载豆瓣图片>,报错HTTP Error 403: Forbidden,网上 ...

  8. C++ explicit关键字详解(转载)

    转载:https://www.cnblogs.com/ymy124/p/3632634.html 首先, C++中的explicit关键字只能用于修饰只有一个参数的类构造函数, 它的作用是表明该构造函 ...

  9. MOBA 游戏技能系统设计 2.0

    随着游戏开发的完整度提升,技能系统的设计复杂性也越来越高,导致了用模板方式的配置方法和处理方法会导致以下几个问题: 代码冗余 排错困难 配置项冗余 熟悉业务流程时间长 扩展性低 经过我思考决定重写之. ...

  10. Java设计模式——代理模式

    public interface People { public void work(); } public class RealPeople implements People { public v ...