通过配置我们可以实现两个需求 1、限制不允许第二个用户登录,2、第二个登陆用户踢掉前一个登陆用户
假设你的spring架构已经可以使用了(其他的主要功能完成),需要增加登录限制功能。
注:这里只写配置不写原理(不懂的就问度娘),其实个人认为先配置好跑起来再研究下原理最好了
- 第一步、使用注解加上
@Autowired
protected SessionRegistry sessionRegistry;
通过sessionRegistry可以获取系统当前在线人数和登录用户信息 - applicationContext-security.xml里你需要增加和修改的地方
<session-management invalid-session-url="/timeout.jsp" session-authentication-error-url="/s.jsp" session-authentication-strategy-ref="sas" /> ***<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" /> <b:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"><b:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> **<b:property name="maximumSessions" value="1" /></b:bean><!-- SESSION管理 --><b:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> ***<b:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"><b:property name="sessionRegistry" ref="sessionRegistry" /> **<b:property name="expiredUrl" value="/timeout.jsp" /><!-- 过期的Url --></b:bean><!-- 登录验证器 --><b:bean id="loginFilter" class="com.oms.core.security.MyUsernamePasswordAuthenticationFilter"><!-- 处理登录的action --><b:property name="filterProcessesUrl" value="/j_spring_security_check"/><!-- 验证成功后的处理--><b:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler"/><!-- 验证失败后的处理--><b:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler"/><b:property name="authenticationManager" ref="authenticationManager"/><!-- 注入DAO为了查询相应的用户 --><b:property name="agentsUserTblDao" ref="agentsUserTblDao"/><b:property name="passwordEncoder" ref="passwordEncoder"/><b:property name="sessionAuthenticationStrategy" ref="sas" />**</b:bean>
@Autowired protected SessionRegistry sessionRegistry;通过sessionRegistry可以获取系统当前在线人数和登录用户信息
<session-management invalid-session-url="/timeout.jsp" session-authentication-error-url="/s.jsp" session-authentication-strategy-ref="sas" /> ***<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" /> <b:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"><b:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> **<b:property name="maximumSessions" value="1" /></b:bean><!-- SESSION管理 --><b:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> ***<b:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"><b:property name="sessionRegistry" ref="sessionRegistry" /> **<b:property name="expiredUrl" value="/timeout.jsp" /><!-- 过期的Url --></b:bean><!-- 登录验证器 --><b:bean id="loginFilter" class="com.oms.core.security.MyUsernamePasswordAuthenticationFilter"><!-- 处理登录的action --><b:property name="filterProcessesUrl" value="/j_spring_security_check"/><!-- 验证成功后的处理--><b:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler"/><!-- 验证失败后的处理--><b:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler"/><b:property name="authenticationManager" ref="authenticationManager"/><!-- 注入DAO为了查询相应的用户 --><b:property name="agentsUserTblDao" ref="agentsUserTblDao"/><b:property name="passwordEncoder" ref="passwordEncoder"/><b:property name="sessionAuthenticationStrategy" ref="sas" />**</b:bean>
加*号的地方是需要注意的
附上我的 applicationContext-security.xml配置信息或许对你有帮助 <?xml version="1.0" encoding="UTF-8"?><b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"><global-method-security pre-post-annotations="enabled" /> <!-- 不要过滤图片等静态资源,其中**代表可以跨越目录,*不可以跨越目录。 --><http pattern="/static/**" security="none"/> <http pattern="/commons/**" security="none" /><http pattern="/images/**" security="none" /><http pattern="/js/**" security="none" /><http pattern="/themes/**" security="none" /><http use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint"><logout logout-url="/j_logout" logout-success-url="/user/login.do"/> <!-- 实现免登陆验证 --> <remember-me /> <!--
error-if-maximum-exceeded true限制不允许第二个用户登录,false第二个登陆用户踢掉前一个登陆用户
session-fixation-protection 防止伪造sessionid攻击,用户登录成功后会销毁用户当前的session。
限制用户的最大登陆数,防止一个账号被多人使用 --><custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" /> <session-management invalid-session-url="/timeout.jsp" session-authentication-error-url="/s.jsp" session-authentication-strategy-ref="sas" /><!-- 自定义的过滤器,要在FILTER_SECURITY_INTERCEPTOR过滤器之前 --><custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" /><custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" /> </http><b:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"><b:constructor-arg name="sessionRegistry" ref="sessionRegistry" /><b:property name="maximumSessions" value="1" /><!--value="-1" 的时候不限制数量--></b:bean><authentication-manager alias="authManager"> <authentication-provider user-service-ref="myUserDetailService "> <password-encoder hash="md5"> </password-encoder> </authentication-provider> </authentication-manager> <!-- SESSION管理 --><b:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /><b:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"><b:property name="sessionRegistry" ref="sessionRegistry" /><b:property name="expiredUrl" value="/timeout.jsp" /><!-- 过期的Url --></b:bean><!-- 登录验证器 --> <b:bean id="loginFilter" class="com.web.security.MyUsernamePasswordAuthenticationFilter"> <!-- 处理登录的action --> <b:property name="filterProcessesUrl" value="/j_spring_security_check"/> <!-- 验证成功后的处理--> <b:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler"/> <!-- 验证失败后的处理--> <b:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler"/> <b:property name="authenticationManager" ref="authenticationManager"/><!-- 注入DAO为了查询相应的用户 --> <b:property name="userDao" ref="userDao"/> <b:property name="passwordEncoder" ref="passwordEncoder"/> <b:property name="sessionAuthenticationStrategy" ref="sas" /></b:bean> <b:bean id="loginLogAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler" > <b:property name="defaultTargetUrl" value="/user/login.do"/> </b:bean> <b:bean id="simpleUrlAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> <!-- 可以配置相应的跳转方式。属性forwardToDestination为true采用forward false为sendRedirect --> <b:property name="defaultFailureUrl" value="/user/login.do?errorType=100"/> </b:bean> <!-- 认证过滤器 --> <!-- 自定义过滤器 :认证器、决策器、资源权限加载 --><b:bean id="myFilter" class="com.oms.core.security.MyFilterSecurityInterceptor"><!-- 用户拥有的权限 --> <b:property name="authenticationManager" ref="authenticationManager"/><!-- 用户是否拥有所请求资源的权限 --> <b:property name="accessDecisionManager" ref="accessDecisionManager"/><!-- 资源与权限对应关系 --> <b:property name="securityMetadataSource" ref="securityMetadataSource"/></b:bean><b:bean id="hibernateTemplate" class="org.springframework.orm.hibernate3.HibernateTemplate"><b:property name="sessionFactory" ref="sessionFactory"></b:property></b:bean><!-- 认证管理器:实现了UserDetailService接口主要根据用户名查找用户信息, --><!--然后把用户信息传给和资源加载信息一块传给决策器进行判断 --><authentication-manager alias="authenticationManager"><authentication-provider user-service-ref="myUserDetailService"></authentication-provider></authentication-manager><b:bean id="myUserDetailService" class="com.web.security.MyUserDetailService" /><!-- 决策管理器 --><b:bean id="accessDecisionManager" class="com.web.security.MyAccessDecisionManager"></b:bean><!-- 加载资源 和权限的关系数据 --><b:bean id="securityMetadataSource" class="com.web.security.MyInvocationSecurityMetadataSource"><b:constructor-arg name="userService" ref="userService"></b:constructor-arg></b:bean><!-- 未登录的切入点 --> <b:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> <b:property name="loginFormUrl" value="/user/login.do"></b:property> </b:bean><!-- 国际化文件 --><b:bean id="messageSource"
class="org.springframework.context.support.ReloadableResourceBundleMessageSource"><b:property name="basename"
value="classpath:org/springframework/security/messages_zh_CN"/></b:bean></b:beans>参考文章: http://forum.spring.io/forum/spring-projects/security/130963-sessionregistry-getallprincipals-return-empty
http://dead-knight.iteye.com/blog/1517582
以上博客地址可以很好的帮助你理解
作者:loveme888 发表于2014-2-19 10:50:39 原文链接
阅读:83 评论:0 查看评论
