add session Concurrent

springboot-springSecurity2/src/main/java/com/us/example/config/WebSecurityConfig.java

@@ -50,7 +50,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                 .antMatchers("/**")
                 .permitAll()
                 .and()
-                .sessionManagement().maximumSessions(1).maxSessionsPreventsLogin(true).sessionRegistry(sessionRegistry);
+                .sessionManagement().maximumSessions(1).sessionRegistry(sessionRegistry);
         http.httpBasic();
     }
 
@@ -60,9 +60,5 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         return sessionRegistry;
     }
 
-    @Bean
-    public ServletListenerRegistrationBean httpSessionEventPublisher() {
-        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
-    }
 }
 

springboot-springSecurity2/src/main/java/com/us/example/controller/LoginController.java

 package com.us.example.controller;
 
 import com.us.example.domain.SysUser;
+import com.us.example.util.SessionUtil;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -20,7 +23,8 @@ import javax.servlet.http.HttpServletResponse;
  */
 @Controller
 public class LoginController {
-
+    @Autowired
+    private SessionRegistry sessionRegistry;
     /**
      * http://localhost:8080/login
      * http://localhost:8080/logout
@@ -31,11 +35,12 @@ public class LoginController {
     @RequestMapping(value = "/login")
     @ResponseBody
     //用户名密码是用base64 加密 原文为 admin:admin 即 用户名:密码  内容是放在request.getHeader 的 "authorization" 中
-    public Object login(@AuthenticationPrincipal SysUser loginedUser, @RequestParam(name = "logout", required = false) String logout) {
+    public Object login(@AuthenticationPrincipal SysUser loginedUser, @RequestParam(name = "logout", required = false) String logout,HttpServletRequest request) {
         if (logout != null) {
             return "logout";
         }
         if (loginedUser != null) {
+            SessionUtil.dropPreviousUser(request,sessionRegistry,loginedUser);
             return loginedUser;
         }
         return null;

springboot-springSecurity2/src/main/java/com/us/example/domain/SysUser.java

@@ -97,19 +97,4 @@ public class SysUser implements UserDetails {  // implements UserDetails 用于
     public void setGrantedAuthorities(List<? extends GrantedAuthority> authorities) {
         this.authorities = authorities;
     }
-
-    @Override
-    public String toString() {
-        return this.username;
-    }
-
-    @Override
-    public int hashCode() {
-        return username.hashCode();
-    }
-
-    @Override
-    public boolean equals(Object obj) {
-        return this.toString().equals(obj.toString());
-    }
 }

springboot-springSecurity2/src/main/java/com/us/example/util/SessionUtil.java

+package com.us.example.util;
+
+import com.us.example.domain.SysUser;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.session.SessionInformation;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.web.authentication.session.SessionAuthenticationException;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.List;
+
+/**
+ * Created by yangyibo on 8/23/17.
+ */
+public class SessionUtil {
+    /**
+     * 辨别用户是否已经登录
+     *
+     * @param request
+     * @param sessionRegistry
+     * @param loginedUser
+     */
+    public static void deleteSameUser(HttpServletRequest request, SessionRegistry sessionRegistry, SysUser loginedUser) {
+        SecurityContext sc = (SecurityContext) request.getSession().getAttribute("SPRING_SECURITY_CONTEXT");
+        List<SessionInformation> sessionsInfo;
+        sessionsInfo = sessionRegistry.getAllSessions(sc.getAuthentication().getPrincipal(), true);
+        String currentSessionId;
+        if (null != sessionsInfo && sessionsInfo.size() == 0) {
+            sessionRegistry.registerNewSession(request.getSession().getId(), sc.getAuthentication().getPrincipal());
+            sessionsInfo = sessionRegistry.getAllSessions(sc.getAuthentication().getPrincipal(), false);
+        }
+        currentSessionId = sessionsInfo.get(0).getSessionId();
+        List<Object> o = sessionRegistry.getAllPrincipals();
+        for (Object principal : o) {
+            if (principal instanceof SysUser && (loginedUser.getUsername().equals(((SysUser) principal).getUsername()))) {
+                List<SessionInformation> oldSessionsInfo = sessionRegistry.getAllSessions(principal, false);
+                if (null != oldSessionsInfo && oldSessionsInfo.size() > 0 && !oldSessionsInfo.get(0).getSessionId().equals(currentSessionId)) {
+                    for (SessionInformation sessionInformation : sessionsInfo) {
+                        //当前session失效
+                        sessionInformation.expireNow();
+                        sc.setAuthentication(null);
+                        sessionRegistry.removeSessionInformation(currentSessionId);
+                        throw new SessionAuthenticationException("当前用户已经在线，登录失败！！！");
+                    }
+                }
+            }
+        }
+    }
+
+    /**
+     * 剔除前一个用户
+     *
+     * @param request
+     * @param sessionRegistry
+     * @param loginedUser
+     */
+    public static void dropPreviousUser(HttpServletRequest request, SessionRegistry sessionRegistry, SysUser loginedUser) {
+        SecurityContext sc = (SecurityContext) request.getSession().getAttribute("SPRING_SECURITY_CONTEXT");
+        List<SessionInformation> sessionsInfo;
+        sessionsInfo = sessionRegistry.getAllSessions(sc.getAuthentication().getPrincipal(), true);
+        String currentSessionId;
+        currentSessionId = sessionsInfo.get(0).getSessionId();
+        List<Object> o = sessionRegistry.getAllPrincipals();
+        for (Object principal : o) {
+            if (principal instanceof SysUser && (loginedUser.getUsername().equals(((SysUser) principal).getUsername()))) {
+                List<SessionInformation> oldSessionsInfo = sessionRegistry.getAllSessions(principal, false);
+                if (null != oldSessionsInfo && oldSessionsInfo.size() > 0 && !oldSessionsInfo.get(0).getSessionId().equals(currentSessionId)) {
+                    for (SessionInformation sessionInformation : oldSessionsInfo) {
+                        //发送消息通知
+                        //当前session失效
+                        sessionInformation.expireNow();
+                    }
+                }
+            }
+        }
+    }
+
+
+    /**
+     * session 失效
+     *
+     * @param request
+     * @param sessionRegistry
+     */
+    public static void expireSession(HttpServletRequest request, SysUser user, SessionRegistry sessionRegistry) {
+        List<SessionInformation> sessionsInfo = null;
+        if (null != user) {
+            List<Object> o = sessionRegistry.getAllPrincipals();
+            for (Object principal : o) {
+                if (principal instanceof SysUser && (user.getUsername().equals(((SysUser) principal).getUsername()))) {
+                    sessionsInfo = sessionRegistry.getAllSessions(principal, false);
+                }
+            }
+        } else if (null != request) {
+            SecurityContext sc = (SecurityContext) request.getSession().getAttribute("SPRING_SECURITY_CONTEXT");
+            if (null != sc.getAuthentication().getPrincipal()) {
+                sessionsInfo = sessionRegistry.getAllSessions(sc.getAuthentication().getPrincipal(), false);
+                sc.setAuthentication(null);
+            }
+        }
+        if (null != sessionsInfo && sessionsInfo.size() > 0) {
+            for (SessionInformation sessionInformation : sessionsInfo) {
+                //当前session失效
+                sessionInformation.expireNow();
+                sessionRegistry.removeSessionInformation(sessionInformation.getSessionId());
+            }
+        }
+    }
+}

springboot-springSecurity2/src/main/resources/application.properties

@@ -3,7 +3,7 @@ ms.db.url=jdbc:mysql://localhost:3306/cache?characterEncoding=utf-8&useSSL=false
 ms.db.username=root
 ms.db.password=admin
 ms.db.maxActive=500
-server.port=8099
+server.port=8080
 
 logging.level.org.springframework.security= INFO
 spring.thymeleaf.cache=false