由于集成了spring session ,redis 共享session,导致SpringSecurity单节点的session并发控制失效,

springSession 号称 无缝整合httpsession,这个应该是没问题的,

但是为什么分布式情况下的session 并发依然是单节点呢?

因为session并发控制是第三方框架的 单节点缓存了session名单.我们要重写框架这一部分代码,把session名单存入到redis.

关于SpringSecruity的Session并发管理,看我另一篇随笔:

SpringBoot整合SpringSecurity,SESSION 并发管理,同账号只允许登录一次

废话说到,这里,看代码:

重写 SessionRegistry

**

 * Created by 为 on 2017-6-9.

 */

public class MySessionRegistryImpl implements SessionRegistry, ApplicationListener<SessionDestroyedEvent> {

    private static final String SESSIONIDS = "sessionIds";

    private static final String PRINCIPALS = "principals";

    @Resource

    private RedisTemplate redisTemplate;

    protected final Log logger = LogFactory.getLog(SessionRegistryImpl.class);

//    private final ConcurrentMap<Object, Set<String>> principals = new ConcurrentHashMap();

//    private final Map<String, SessionInformation> sessionIds = new ConcurrentHashMap();

    public MySessionRegistryImpl() {

    }

    public List<Object> getAllPrincipals() {

        return new ArrayList(this.getPrincipalsKeySet());

    }

    public List<SessionInformation> getAllSessions(Object principal, boolean includeExpiredSessions) {

        Set<String> sessionsUsedByPrincipal =  this.getPrincipals(((UserDetails)principal).getUsername());

        if (sessionsUsedByPrincipal == null) {

            return Collections.emptyList();

        } else {

            List<SessionInformation> list = new ArrayList(sessionsUsedByPrincipal.size());

            Iterator var5 = sessionsUsedByPrincipal.iterator();

            while (true) {

                SessionInformation sessionInformation;

                do {

                    do {

                        if (!var5.hasNext()) {

                            return list;

                        }

                        String sessionId = (String) var5.next();

                        sessionInformation = this.getSessionInformation(sessionId);

                    } while (sessionInformation == null);

                } while (!includeExpiredSessions && sessionInformation.isExpired());

                list.add(sessionInformation);

            }

        }

    }

    public SessionInformation getSessionInformation(String sessionId) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        return (SessionInformation) this.getSessionInfo(sessionId);

    }

    public void onApplicationEvent(SessionDestroyedEvent event) {

        String sessionId = event.getId();

        this.removeSessionInformation(sessionId);

    }

    public void refreshLastRequest(String sessionId) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        SessionInformation info = this.getSessionInformation(sessionId);

        if (info != null) {

            info.refreshLastRequest();

        }

    }

    public void registerNewSession(String sessionId, Object principal) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        Assert.notNull(principal, "Principal required as per interface contract");

        if (this.logger.isDebugEnabled()) {

            this.logger.debug("Registering session " + sessionId + ", for principal " + principal);

        }

        if (this.getSessionInformation(sessionId) != null) {

            this.removeSessionInformation(sessionId);

        }

        this.addSessionInfo(sessionId, new SessionInformation(principal, sessionId, new Date()));

//        this.sessionIds.put(sessionId, new SessionInformation(principal, sessionId, new Date()));

        Set<String> sessionsUsedByPrincipal = (Set) this.getPrincipals(principal.toString());

        if (sessionsUsedByPrincipal == null) {

            sessionsUsedByPrincipal = new CopyOnWriteArraySet();

            Set<String> prevSessionsUsedByPrincipal = (Set) this.putIfAbsentPrincipals(principal.toString(), sessionsUsedByPrincipal);

            if (prevSessionsUsedByPrincipal != null) {

                sessionsUsedByPrincipal = prevSessionsUsedByPrincipal;

            }

        }

        ((Set) sessionsUsedByPrincipal).add(sessionId);

        this.putPrincipals(principal.toString(), sessionsUsedByPrincipal);

        if (this.logger.isTraceEnabled()) {

            this.logger.trace("Sessions used by '" + principal + "' : " + sessionsUsedByPrincipal);

        }

    }

    public void removeSessionInformation(String sessionId) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        SessionInformation info = this.getSessionInformation(sessionId);

        if (info != null) {

            if (this.logger.isTraceEnabled()) {

                this.logger.debug("Removing session " + sessionId + " from set of registered sessions");

            }

            this.removeSessionInfo(sessionId);

            Set<String> sessionsUsedByPrincipal = (Set) this.getPrincipals(info.getPrincipal().toString());

            if (sessionsUsedByPrincipal != null) {

                if (this.logger.isDebugEnabled()) {

                    this.logger.debug("Removing session " + sessionId + " from principal's set of registered sessions");

                }

                sessionsUsedByPrincipal.remove(sessionId);

                if (sessionsUsedByPrincipal.isEmpty()) {

                    if (this.logger.isDebugEnabled()) {

                        this.logger.debug("Removing principal " + info.getPrincipal() + " from registry");

                    }

                    this.removePrincipal(((UserDetails)info.getPrincipal()).getUsername());

                }

                if (this.logger.isTraceEnabled()) {

                    this.logger.trace("Sessions used by '" + info.getPrincipal() + "' : " + sessionsUsedByPrincipal);

                }

            }

        }

    }

    public void addSessionInfo(final String sessionId, final SessionInformation sessionInformation) {

        BoundHashOperations<String, String, SessionInformation> hashOperations = redisTemplate.boundHashOps(SESSIONIDS);

        hashOperations.put(sessionId, sessionInformation);

    }

    public SessionInformation getSessionInfo(final String sessionId) {

        BoundHashOperations<String, String, SessionInformation> hashOperations = redisTemplate.boundHashOps(SESSIONIDS);

        return hashOperations.get(sessionId);

    }

    public void removeSessionInfo(final String sessionId) {

        BoundHashOperations<String, String, SessionInformation> hashOperations = redisTemplate.boundHashOps(SESSIONIDS);

        hashOperations.delete(sessionId);

    }

    public Set<String> putIfAbsentPrincipals(final String key, final Set<String> set) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        hashOperations.putIfAbsent(key, set);

        return hashOperations.get(key);

    }

    public void putPrincipals(final String key, final Set<String> set) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        hashOperations.put(key,set);

    }

    public Set<String> getPrincipals(final String key) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        return hashOperations.get(key);

    }

    public Set<String> getPrincipalsKeySet() {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        return hashOperations.keys();

    }

    public void removePrincipal(final String key) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        hashOperations.delete(key);

    }

}

重写ConcurrentSessionControlAuthenticationStrategy

/**

 * Created by 为 on 2017-6-14.

 */

public class MyConcurrentSessionControlAuthenticationStrategy extends ConcurrentSessionControlAuthenticationStrategy {

    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

    private final SessionRegistry sessionRegistry;

    private boolean exceptionIfMaximumExceeded = false;

    private int maximumSessions = 1;

    public MyConcurrentSessionControlAuthenticationStrategy(SessionRegistry sessionRegistry) {

        super(sessionRegistry);

        Assert.notNull(sessionRegistry, "The sessionRegistry cannot be null");

        this.sessionRegistry = sessionRegistry;

    }

    public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {

        List<SessionInformation> sessions = this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false);

        int sessionCount = sessions.size();

        int allowedSessions = this.getMaximumSessionsForThisUser(authentication);

        if(sessionCount >= allowedSessions) {

            if(allowedSessions != -1) {

                if(sessionCount == allowedSessions) {

                    HttpSession session = request.getSession(false);

                    if(session != null) {

                        Iterator var8 = sessions.iterator();

                        while(var8.hasNext()) {

                            SessionInformation si = (SessionInformation)var8.next();

                            if(si.getSessionId().equals(session.getId())) {

                                return;

                            }

                        }

                    }

                }

                this.allowableSessionsExceeded(sessions, allowedSessions, this.sessionRegistry);

            }

        }

    }

    protected int getMaximumSessionsForThisUser(Authentication authentication) {

        return this.maximumSessions;

    }

    protected void allowableSessionsExceeded(List<SessionInformation> sessions, int allowableSessions, SessionRegistry registry) throws SessionAuthenticationException {

        if(!this.exceptionIfMaximumExceeded && sessions != null) {

            SessionInformation leastRecentlyUsed = null;

            Iterator var5 = sessions.iterator();

            while(true) {

                SessionInformation session;

                do {

                    if(!var5.hasNext()) {

                        leastRecentlyUsed.expireNow();

                        ((MySessionRegistryImpl)sessionRegistry).addSessionInfo(leastRecentlyUsed.getSessionId(),leastRecentlyUsed);

                        return;

                    }

                    session = (SessionInformation)var5.next();

                } while(leastRecentlyUsed != null && !session.getLastRequest().before(leastRecentlyUsed.getLastRequest()));

                leastRecentlyUsed = session;

            }

        } else {

            throw new SessionAuthenticationException(this.messages.getMessage("ConcurrentSessionControlAuthenticationStrategy.exceededAllowed", new Object[]{Integer.valueOf(allowableSessions)}, "Maximum sessions of {0} for this principal exceeded"));

        }

    }

    public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) {

        this.exceptionIfMaximumExceeded = exceptionIfMaximumExceeded;

    }

    public void setMaximumSessions(int maximumSessions) {

        Assert.isTrue(maximumSessions != 0, "MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");

        this.maximumSessions = maximumSessions;

    }

    public void setMessageSource(MessageSource messageSource) {

        Assert.notNull(messageSource, "messageSource cannot be null");

        this.messages = new MessageSourceAccessor(messageSource);

    }

}
WebSecurityConfigurerAdapter

   @Bean

    public MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter() throws Exception {

        MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter = new MyUsernamePasswordAuthenticationFilter();

        myUsernamePasswordAuthenticationFilter.setPostOnly(true);

        myUsernamePasswordAuthenticationFilter.setAuthenticationManager(this.authenticationManager());

        myUsernamePasswordAuthenticationFilter.setUsernameParameter("name_key");

        myUsernamePasswordAuthenticationFilter.setPasswordParameter("pwd_key");

        myUsernamePasswordAuthenticationFilter.setVerificationCodeParameter("verification_code");

        myUsernamePasswordAuthenticationFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/checkLogin", "POST"));

        myUsernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(simpleUrlAuthenticationFailureHandler());

        myUsernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());

        myUsernamePasswordAuthenticationFilter.setSessionAuthenticationStrategy(new MyConcurrentSessionControlAuthenticationStrategy(sessionRegistry));

        return myUsernamePasswordAuthenticationFilter;

    }

开启两个服务,同一个账户登录不同的端口测试,能否被T下线

SpringBoot,Security4, redis共享session,分布式SESSION并发控制,同账号只能登录一次的更多相关文章

  1. SpringBoot系列: Redis 共享Session

    Web项目Session管理是一个很重要的话题, 涉及到系统横向扩展, SpringBoot已经为共享Session很好的解决方案, 这篇文章关注使用Redis共享会话, 同时这也是最常用的方法. = ...

  2. spring+redis+nginx 实现分布式session共享

    1,spring 必须是4.3以上版本的 2,maven配置 添加两个重要的依赖 <dependency> <groupId>org.springframework.sessi ...

  3. SpringBoot使用Redis共享用户session信息

    SpringBoot引入Redis依赖: <dependency> <groupId>org.springframework.boot</groupId> < ...

  4. SpringBoot SpringSession redis 共享 SESSION

    号称无缝整合httpsession 共享, 但注意如果存在第三方框架,例如SESSION并发控制,这个是需要自己重写session名单的. 关于redis session 共享 的session并发控 ...

  5. SpringBoot+Shiro+Redis共享Session入门小栗子

    在单机版的Springboot+Shiro的基础上,这次实现共享Session. 这里没有自己写RedisManager.SessionDAO.用的 crazycake 写的开源插件 pom.xml ...

  6. springboot 整合 redis 共享Session-spring-session-data-redis

    参考:https://www.cnblogs.com/ityouknow/p/5748830.html 如何使用 1.引入 spring-boot-starter-redis <dependen ...

  7. springboot集成redis(mybatis、分布式session)

    安装Redis请参考:<CentOS快速安装Redis> 一.springboot集成redis并实现DB与缓存同步 1.添加redis及数据库相关依赖(pom.xml) <depe ...

  8. 基于redis解决session分布式一致性问题

    1.session是什么 当用户在前端发起请求时,服务器会为当前用户建立一个session,服务器将sessionId回写给客户端,只要用户浏览器不关闭,再次请求服务器时,将sessionId传给服务 ...

  9. ASP.NET Core中间件实现分布式 Session

    1. ASP.NET Core中间件详解 1.1. 中间件原理 1.1.1. 什么是中间件 1.1.2. 中间件执行过程 1.1.3. 中间件的配置 1.2. 依赖注入中间件 1.3. Cookies ...

随机推荐

  1. 渲染引擎(The rendering engine)

    渲染引擎的职责就是渲染,即在浏览器窗口中显示所请求的内容.这是每一个浏览器的核心部分,所以渲染引擎也称为浏览器内核. 渲染引擎一开始会从网络层获取请求文档的内容. 获取文档后,渲染引擎开始解析 htm ...

  2. fread和fwrite的使用

    fread和fwrite的使用 fread和fwrite一般用于二进制文件的输入/输出,要不然你打开fwrite写入的文件就是乱码. 1.fread和fwrite函数 数据块I/O fread与fwr ...

  3. 文本与二进制关于\n的问题

    文本文件中: text = open(path, "r");windows中的换行符\n,在文件中windows在存储的时候会将它看成\r\n存储,用r在读取大小时会忽略\r的大小 ...

  4. select标签实现二级联动

    效果如下图所示: 实现的原理:使用onchange事件,原理见代码 html代码: <select id="select" class="sel"> ...

  5. Spring-shiro源码陶冶-AuthorizingRealm用户认证以及授权

    阅读源码有助于陶冶情操,本文旨在简单的分析shiro在Spring中的使用 简单介绍 Shiro是一个强大易用的Java安全框架,提供了认证.授权.加密和会话管理等功能 AuthorizingReal ...

  6. Linux 下编写服务器程序时关于Address already in use 的小错误

    新手,,学习linux服务器编程的时候,bind()函数出现了Address already in use 的错误,这是因为上一次bind过后,还未释放,,只要在socket和bind之间加一个函数就 ...

  7. 运行所选代码生成器时出错:“预期具有协定名称 "NuGet.VisualStudio.IVsPackageInstallerServices" 的1导出 ——VS2015错误记录

    在编写ASP.NET MVC控制器后,右键添加视图时,VS2015报出错误: 运行所选代码生成器时出错:“预期具有协定名称 "NuGet.VisualStudio.IVsPackageIns ...

  8. Missing artifact net.sf.json-lib:json-lib:jar:2.4错误和Eclipse安装Maven插件错误

    微信公众号:compassblog 欢迎关注.转发,互相学习,共同进步! 有任何问题,请后台留言联系! 1.配置Maven项目的pom.xml文件报错 (1).错误描述:Missing artifac ...

  9. 【IT人】如何提高阅读源代码的效率

    1.最近刚到公司,公司就发一架构代码自己看,看了几天看的想吐,也在网上找了下相关的技巧吧,不是有句话叫做:成功必有方法,失败总是借口! 2.借鉴别人的方法来看看如下: 记得在开源流行之前,我看过的代码 ...

  10. 自兴人工智能——Python运算符和操作对象

    在Python中支持以下7种运算符: 1.算数运算符: +(加),-(减),*(乘),/(除),%(取余),**(幂):返回x的y次幂,//(取整除):返回商的整数部分 2.比较运算符:(返回的是一个 ...