由于集成了spring session ,redis 共享session,导致SpringSecurity单节点的session并发控制失效,

springSession 号称 无缝整合httpsession,这个应该是没问题的,

但是为什么分布式情况下的session 并发依然是单节点呢?

因为session并发控制是第三方框架的 单节点缓存了session名单.我们要重写框架这一部分代码,把session名单存入到redis.

关于SpringSecruity的Session并发管理,看我另一篇随笔:

SpringBoot整合SpringSecurity,SESSION 并发管理,同账号只允许登录一次

废话说到,这里,看代码:

重写 SessionRegistry

**

 * Created by 为 on 2017-6-9.

 */

public class MySessionRegistryImpl implements SessionRegistry, ApplicationListener<SessionDestroyedEvent> {

    private static final String SESSIONIDS = "sessionIds";

    private static final String PRINCIPALS = "principals";

    @Resource

    private RedisTemplate redisTemplate;

    protected final Log logger = LogFactory.getLog(SessionRegistryImpl.class);

//    private final ConcurrentMap<Object, Set<String>> principals = new ConcurrentHashMap();

//    private final Map<String, SessionInformation> sessionIds = new ConcurrentHashMap();

    public MySessionRegistryImpl() {

    }

    public List<Object> getAllPrincipals() {

        return new ArrayList(this.getPrincipalsKeySet());

    }

    public List<SessionInformation> getAllSessions(Object principal, boolean includeExpiredSessions) {

        Set<String> sessionsUsedByPrincipal =  this.getPrincipals(((UserDetails)principal).getUsername());

        if (sessionsUsedByPrincipal == null) {

            return Collections.emptyList();

        } else {

            List<SessionInformation> list = new ArrayList(sessionsUsedByPrincipal.size());

            Iterator var5 = sessionsUsedByPrincipal.iterator();

            while (true) {

                SessionInformation sessionInformation;

                do {

                    do {

                        if (!var5.hasNext()) {

                            return list;

                        }

                        String sessionId = (String) var5.next();

                        sessionInformation = this.getSessionInformation(sessionId);

                    } while (sessionInformation == null);

                } while (!includeExpiredSessions && sessionInformation.isExpired());

                list.add(sessionInformation);

            }

        }

    }

    public SessionInformation getSessionInformation(String sessionId) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        return (SessionInformation) this.getSessionInfo(sessionId);

    }

    public void onApplicationEvent(SessionDestroyedEvent event) {

        String sessionId = event.getId();

        this.removeSessionInformation(sessionId);

    }

    public void refreshLastRequest(String sessionId) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        SessionInformation info = this.getSessionInformation(sessionId);

        if (info != null) {

            info.refreshLastRequest();

        }

    }

    public void registerNewSession(String sessionId, Object principal) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        Assert.notNull(principal, "Principal required as per interface contract");

        if (this.logger.isDebugEnabled()) {

            this.logger.debug("Registering session " + sessionId + ", for principal " + principal);

        }

        if (this.getSessionInformation(sessionId) != null) {

            this.removeSessionInformation(sessionId);

        }

        this.addSessionInfo(sessionId, new SessionInformation(principal, sessionId, new Date()));

//        this.sessionIds.put(sessionId, new SessionInformation(principal, sessionId, new Date()));

        Set<String> sessionsUsedByPrincipal = (Set) this.getPrincipals(principal.toString());

        if (sessionsUsedByPrincipal == null) {

            sessionsUsedByPrincipal = new CopyOnWriteArraySet();

            Set<String> prevSessionsUsedByPrincipal = (Set) this.putIfAbsentPrincipals(principal.toString(), sessionsUsedByPrincipal);

            if (prevSessionsUsedByPrincipal != null) {

                sessionsUsedByPrincipal = prevSessionsUsedByPrincipal;

            }

        }

        ((Set) sessionsUsedByPrincipal).add(sessionId);

        this.putPrincipals(principal.toString(), sessionsUsedByPrincipal);

        if (this.logger.isTraceEnabled()) {

            this.logger.trace("Sessions used by '" + principal + "' : " + sessionsUsedByPrincipal);

        }

    }

    public void removeSessionInformation(String sessionId) {

        Assert.hasText(sessionId, "SessionId required as per interface contract");

        SessionInformation info = this.getSessionInformation(sessionId);

        if (info != null) {

            if (this.logger.isTraceEnabled()) {

                this.logger.debug("Removing session " + sessionId + " from set of registered sessions");

            }

            this.removeSessionInfo(sessionId);

            Set<String> sessionsUsedByPrincipal = (Set) this.getPrincipals(info.getPrincipal().toString());

            if (sessionsUsedByPrincipal != null) {

                if (this.logger.isDebugEnabled()) {

                    this.logger.debug("Removing session " + sessionId + " from principal's set of registered sessions");

                }

                sessionsUsedByPrincipal.remove(sessionId);

                if (sessionsUsedByPrincipal.isEmpty()) {

                    if (this.logger.isDebugEnabled()) {

                        this.logger.debug("Removing principal " + info.getPrincipal() + " from registry");

                    }

                    this.removePrincipal(((UserDetails)info.getPrincipal()).getUsername());

                }

                if (this.logger.isTraceEnabled()) {

                    this.logger.trace("Sessions used by '" + info.getPrincipal() + "' : " + sessionsUsedByPrincipal);

                }

            }

        }

    }

    public void addSessionInfo(final String sessionId, final SessionInformation sessionInformation) {

        BoundHashOperations<String, String, SessionInformation> hashOperations = redisTemplate.boundHashOps(SESSIONIDS);

        hashOperations.put(sessionId, sessionInformation);

    }

    public SessionInformation getSessionInfo(final String sessionId) {

        BoundHashOperations<String, String, SessionInformation> hashOperations = redisTemplate.boundHashOps(SESSIONIDS);

        return hashOperations.get(sessionId);

    }

    public void removeSessionInfo(final String sessionId) {

        BoundHashOperations<String, String, SessionInformation> hashOperations = redisTemplate.boundHashOps(SESSIONIDS);

        hashOperations.delete(sessionId);

    }

    public Set<String> putIfAbsentPrincipals(final String key, final Set<String> set) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        hashOperations.putIfAbsent(key, set);

        return hashOperations.get(key);

    }

    public void putPrincipals(final String key, final Set<String> set) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        hashOperations.put(key,set);

    }

    public Set<String> getPrincipals(final String key) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        return hashOperations.get(key);

    }

    public Set<String> getPrincipalsKeySet() {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        return hashOperations.keys();

    }

    public void removePrincipal(final String key) {

        BoundHashOperations<String, String, Set<String>> hashOperations = redisTemplate.boundHashOps(PRINCIPALS);

        hashOperations.delete(key);

    }

}

重写ConcurrentSessionControlAuthenticationStrategy

/**

 * Created by 为 on 2017-6-14.

 */

public class MyConcurrentSessionControlAuthenticationStrategy extends ConcurrentSessionControlAuthenticationStrategy {

    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

    private final SessionRegistry sessionRegistry;

    private boolean exceptionIfMaximumExceeded = false;

    private int maximumSessions = 1;

    public MyConcurrentSessionControlAuthenticationStrategy(SessionRegistry sessionRegistry) {

        super(sessionRegistry);

        Assert.notNull(sessionRegistry, "The sessionRegistry cannot be null");

        this.sessionRegistry = sessionRegistry;

    }

    public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {

        List<SessionInformation> sessions = this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false);

        int sessionCount = sessions.size();

        int allowedSessions = this.getMaximumSessionsForThisUser(authentication);

        if(sessionCount >= allowedSessions) {

            if(allowedSessions != -1) {

                if(sessionCount == allowedSessions) {

                    HttpSession session = request.getSession(false);

                    if(session != null) {

                        Iterator var8 = sessions.iterator();

                        while(var8.hasNext()) {

                            SessionInformation si = (SessionInformation)var8.next();

                            if(si.getSessionId().equals(session.getId())) {

                                return;

                            }

                        }

                    }

                }

                this.allowableSessionsExceeded(sessions, allowedSessions, this.sessionRegistry);

            }

        }

    }

    protected int getMaximumSessionsForThisUser(Authentication authentication) {

        return this.maximumSessions;

    }

    protected void allowableSessionsExceeded(List<SessionInformation> sessions, int allowableSessions, SessionRegistry registry) throws SessionAuthenticationException {

        if(!this.exceptionIfMaximumExceeded && sessions != null) {

            SessionInformation leastRecentlyUsed = null;

            Iterator var5 = sessions.iterator();

            while(true) {

                SessionInformation session;

                do {

                    if(!var5.hasNext()) {

                        leastRecentlyUsed.expireNow();

                        ((MySessionRegistryImpl)sessionRegistry).addSessionInfo(leastRecentlyUsed.getSessionId(),leastRecentlyUsed);

                        return;

                    }

                    session = (SessionInformation)var5.next();

                } while(leastRecentlyUsed != null && !session.getLastRequest().before(leastRecentlyUsed.getLastRequest()));

                leastRecentlyUsed = session;

            }

        } else {

            throw new SessionAuthenticationException(this.messages.getMessage("ConcurrentSessionControlAuthenticationStrategy.exceededAllowed", new Object[]{Integer.valueOf(allowableSessions)}, "Maximum sessions of {0} for this principal exceeded"));

        }

    }

    public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) {

        this.exceptionIfMaximumExceeded = exceptionIfMaximumExceeded;

    }

    public void setMaximumSessions(int maximumSessions) {

        Assert.isTrue(maximumSessions != 0, "MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");

        this.maximumSessions = maximumSessions;

    }

    public void setMessageSource(MessageSource messageSource) {

        Assert.notNull(messageSource, "messageSource cannot be null");

        this.messages = new MessageSourceAccessor(messageSource);

    }

}
WebSecurityConfigurerAdapter

   @Bean

    public MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter() throws Exception {

        MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter = new MyUsernamePasswordAuthenticationFilter();

        myUsernamePasswordAuthenticationFilter.setPostOnly(true);

        myUsernamePasswordAuthenticationFilter.setAuthenticationManager(this.authenticationManager());

        myUsernamePasswordAuthenticationFilter.setUsernameParameter("name_key");

        myUsernamePasswordAuthenticationFilter.setPasswordParameter("pwd_key");

        myUsernamePasswordAuthenticationFilter.setVerificationCodeParameter("verification_code");

        myUsernamePasswordAuthenticationFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/checkLogin", "POST"));

        myUsernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(simpleUrlAuthenticationFailureHandler());

        myUsernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());

        myUsernamePasswordAuthenticationFilter.setSessionAuthenticationStrategy(new MyConcurrentSessionControlAuthenticationStrategy(sessionRegistry));

        return myUsernamePasswordAuthenticationFilter;

    }

开启两个服务,同一个账户登录不同的端口测试,能否被T下线

SpringBoot,Security4, redis共享session,分布式SESSION并发控制,同账号只能登录一次的更多相关文章

  1. SpringBoot系列: Redis 共享Session

    Web项目Session管理是一个很重要的话题, 涉及到系统横向扩展, SpringBoot已经为共享Session很好的解决方案, 这篇文章关注使用Redis共享会话, 同时这也是最常用的方法. = ...

  2. spring+redis+nginx 实现分布式session共享

    1,spring 必须是4.3以上版本的 2,maven配置 添加两个重要的依赖 <dependency> <groupId>org.springframework.sessi ...

  3. SpringBoot使用Redis共享用户session信息

    SpringBoot引入Redis依赖: <dependency> <groupId>org.springframework.boot</groupId> < ...

  4. SpringBoot SpringSession redis 共享 SESSION

    号称无缝整合httpsession 共享, 但注意如果存在第三方框架,例如SESSION并发控制,这个是需要自己重写session名单的. 关于redis session 共享 的session并发控 ...

  5. SpringBoot+Shiro+Redis共享Session入门小栗子

    在单机版的Springboot+Shiro的基础上,这次实现共享Session. 这里没有自己写RedisManager.SessionDAO.用的 crazycake 写的开源插件 pom.xml ...

  6. springboot 整合 redis 共享Session-spring-session-data-redis

    参考:https://www.cnblogs.com/ityouknow/p/5748830.html 如何使用 1.引入 spring-boot-starter-redis <dependen ...

  7. springboot集成redis(mybatis、分布式session)

    安装Redis请参考:<CentOS快速安装Redis> 一.springboot集成redis并实现DB与缓存同步 1.添加redis及数据库相关依赖(pom.xml) <depe ...

  8. 基于redis解决session分布式一致性问题

    1.session是什么 当用户在前端发起请求时,服务器会为当前用户建立一个session,服务器将sessionId回写给客户端,只要用户浏览器不关闭,再次请求服务器时,将sessionId传给服务 ...

  9. ASP.NET Core中间件实现分布式 Session

    1. ASP.NET Core中间件详解 1.1. 中间件原理 1.1.1. 什么是中间件 1.1.2. 中间件执行过程 1.1.3. 中间件的配置 1.2. 依赖注入中间件 1.3. Cookies ...

随机推荐

  1. mybatis自动生成java代码

    SSM框架没有DB+Record模式,写起来特别费劲,只能用下面的方法勉强凑合. 上图中,*.jar为下载的,src为新建的空白目录,.xml配置如下. <?xml version=" ...

  2. Oracle 视图 (待更新, 缓存)

    参考: 视图.索引.存储过程优缺点: http://www.cnblogs.com/SanMaoSpace/p/3147059.html oracle视图总结(转):http://tianwei013 ...

  3. records.config文件参数解释

    # Process Records Config File # # <RECORD-TYPE> <NAME> <TYPE> <VALUE (till end ...

  4. hdu3507 Print Article

    Print Article Time Limit: 9000/3000 MS (Java/Others)    Memory Limit: 131072/65536 K (Java/Others) P ...

  5. 前端之基础css

    一.anchor伪类,用于阅读文章. a:link(没有接触过的链接),用于链接常规状态 (末访问的链接)a:hover(鼠标放在链接上的状态) 用于产生视觉效果(已访问的链接)a:visited(访 ...

  6. Hexo中添加本地图片

    First 1 把主页配置文件_config.yml 里的post_asset_folder:这个选项设置为true 2 在你的hexo目录下执行这样一句话npm install hexo-asset ...

  7. handlebars.js模版引擎随记

    前台的模版引擎有许多种,相比较而言 我个人更觉得handlebars更为轻便 首先github上下载自新版本的handelbars.js http://handlebarsjs.com 下载下来之后呢 ...

  8. 不使用Math.random实现随机数

    不使用Math.random实现随机数 var rand = (function(){ var today = new Date(); var seed = today.getTime(); func ...

  9. iOS-Runtime之关于页面跳转的捷径【Runtime获取当前ViewController】

    写在前面 在我们操作页面跳转时,如果当前的类不是UIViewcontroller(下面用VC表示),你会不会写一个代理,或者block给VC传递信息,然后在VC里面进行 ///假如targetVc是将 ...

  10. iOS-获取通讯录联系人信息

    头文件 #import <AddressBook/AddressBook.h> #import <AddressBookUI/AddressBookUI.h> 授权 关于通讯录 ...