add session concurrency control

24f15adc · 杨伊博 · a21e66db · 24f15adc · 24f15adc · 24f15adc
Commit 24f15adc authored Aug 17, 2017 by 杨伊博
3 changed files
--- a/springboot-springSecurity2/src/main/java/com/us/example/config/WebSecurityConfig.java
+++ b/springboot-springSecurity2/src/main/java/com/us/example/config/WebSecurityConfig.java
@@ -2,6 +2,8 @@ package com.us.example.config;

 import com.us.example.security.CustomUserService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.context.embedded.ServletListenerRegistrationBean;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@@ -9,7 +11,10 @@ import org.springframework.security.config.annotation.method.configuration.Enabl
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.web.session.HttpSessionEventPublisher;

 /**
 * Created by yangyibo on 17/1/18.
@@ -22,7 +27,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
     private  CustomUserService customUserService;

-
    @Autowired
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customUserService).passwordEncoder(new BCryptPasswordEncoder());
@@ -44,12 +48,13 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                .antMatchers("/**")
                .permitAll()
                .and()
-                .sessionManagement()
-                .and()
-                .httpBasic();
+                .sessionManagement().maximumSessions(1).maxSessionsPreventsLogin(true);
+        http.httpBasic();
    }

-
-
+    @Bean
+    public ServletListenerRegistrationBean httpSessionEventPublisher() {
+        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
+    }
 }

--- a/springboot-springSecurity2/src/main/java/com/us/example/controller/LoginController.java
+++ b/springboot-springSecurity2/src/main/java/com/us/example/controller/LoginController.java
 package com.us.example.controller;

 import com.us.example.domain.SysUser;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;


 /**
 * Created by yangyibo on 17/3/1.
 */
-@RestController
+@Controller
 public class LoginController {

+    /**
+     * http://localhost:8080/login
+     * http://localhost:8080/logout
+     * @param loginedUser
+     * @param logout
+     * @return
+     */
    @RequestMapping(value = "/login")
    @ResponseBody
    //用户名密码是用base64 加密 原文为 admin:admin 即 用户名:密码  内容是放在request.getHeader 的 "authorization" 中
    public Object login(@AuthenticationPrincipal SysUser loginedUser, @RequestParam(name = "logout", required = false) String logout) {
        if (logout != null) {
-            return null;
+            return "logout";
        }
        if (loginedUser != null) {
            return loginedUser;
        }
        return null;
    }
+
+//    此方法未用到
+//    @RequestMapping(value="/logout", method = RequestMethod.GET)
+//    @ResponseBody
+//    public String logout (HttpServletRequest request, HttpServletResponse response) {
+//        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+//        if (auth != null){
+//            new SecurityContextLogoutHandler().logout(request, response, auth);
+//        }
+//        return "logout ok";
+//    }
 }
--- a/springboot-springSecurity2/src/main/java/com/us/example/domain/SysUser.java
+++ b/springboot-springSecurity2/src/main/java/com/us/example/domain/SysUser.java
@@ -98,4 +98,18 @@ public class SysUser implements UserDetails {  // implements UserDetails 用于
        this.authorities = authorities;
    }

+    @Override
+    public String toString() {
+        return this.username;
+    }
+
+    @Override
+    public int hashCode() {
+        return username.hashCode();
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        return this.toString().equals(obj.toString());
+    }
 }