Spring Security Source Code: Filters - ConcurrentSessionFilter (Part 15)

This filter checks whether the session has expired and, if it has, removes it.

Where it is initialized: org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer#configure

  public void configure(H http) {
        SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
        SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(securityContextRepository,
                getSessionAuthenticationStrategy(http));
        if (this.sessionAuthenticationErrorUrl != null) {
            sessionManagementFilter.setAuthenticationFailureHandler(
                    new SimpleUrlAuthenticationFailureHandler(this.sessionAuthenticationErrorUrl));
        }
        InvalidSessionStrategy strategy = getInvalidSessionStrategy();
        if (strategy != null) {
            sessionManagementFilter.setInvalidSessionStrategy(strategy);
        }
        AuthenticationFailureHandler failureHandler = getSessionAuthenticationFailureHandler();
        if (failureHandler != null) {
            sessionManagementFilter.setAuthenticationFailureHandler(failureHandler);
        }
        AuthenticationTrustResolver trustResolver = http.getSharedObject(AuthenticationTrustResolver.class);
        if (trustResolver != null) {
            sessionManagementFilter.setTrustResolver(trustResolver);
        }
        sessionManagementFilter = postProcess(sessionManagementFilter);
        http.addFilter(sessionManagementFilter);
        // true if maximumSessions is set, i.e. return this.maximumSessions != null;
        if (isConcurrentSessionControlEnabled()) {
            ConcurrentSessionFilter concurrentSessionFilter = createConcurrencyFilter(http);

            concurrentSessionFilter = postProcess(concurrentSessionFilter);
            http.addFilter(concurrentSessionFilter);
        }
    }

 

Extend WebSecurityConfigurerAdapter and override configure:

com.liqiang.demo.config.SecurityConfig#configure

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest()
                .authenticated()
                .and().rememberMe() // remember-me login
                .tokenRepository(new InMemoryTokenRepositoryImpl())
                .and()
                .formLogin() // form-based login
                .loginPage("/login") // login page path
                .loginProcessingUrl("/doLogin") // custom login request URL
                .defaultSuccessUrl("/hello")
                .usernameParameter("loginName")
                .passwordParameter("loginPassword")
                .permitAll(true) // do not intercept
                .and()
                .csrf() // remember to disable
                .disable()
                .sessionManagement()
                .maximumSessions(1) // this field needs to be set to 1
                .maxSessionsPreventsLogin(true);
    }

org.springframework.security.web.session.ConcurrentSessionFilter#doFilter

  private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Get the current session
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Look up the SessionInformation in the sessionRegistry by session id
            SessionInformation info = this.sessionRegistry.getSessionInformation(session.getId());
            if (info != null) {
                // Check whether it has expired; if so, trigger the doLogout logic
                if (info.isExpired()) {
                    // Expired - abort processing
                    this.logger.debug(LogMessage
                            .of(() -> "Requested session ID " + request.getRequestedSessionId() + " has expired."));
                    doLogout(request, response);
                    this.sessionInformationExpiredStrategy
                            .onExpiredSessionDetected(new SessionInformationExpiredEvent(info, request, response));
                    return;
                }
                // Refresh the last request time
                this.sessionRegistry.refreshLastRequest(info.getSessionId());
            }
        }
        chain.doFilter(request, response);
    }
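
The `info.isExpired()` branch above only fires after something has called `SessionInformation.expireNow()` on the registry entry. The following is an added example, not code from the original post or from Spring Security itself: it replays the filter's decision against a real `SessionRegistryImpl`. The class `ExpiredSessionDemo`, the helpers `check` and `expireAll`, and the session ids and user names are assumptions made for illustration.

```java
import java.util.List;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;

public class ExpiredSessionDemo {

    // Same decision ConcurrentSessionFilter#doFilter makes, minus the servlet objects.
    static String check(SessionRegistry registry, String sessionId) {
        SessionInformation info = registry.getSessionInformation(sessionId);
        if (info == null) {
            return "UNTRACKED"; // not in the registry: the filter continues the chain
        }
        if (info.isExpired()) {
            return "EXPIRED";   // the filter calls doLogout and the expired-session strategy
        }
        registry.refreshLastRequest(info.getSessionId());
        return "ACTIVE";        // the filter continues the chain
    }

    // Flags every live session of one principal as expired (for example a forced sign-out).
    static int expireAll(SessionRegistry registry, Object principal) {
        List<SessionInformation> sessions = registry.getAllSessions(principal, false);
        for (SessionInformation s : sessions) {
            s.expireNow();
        }
        return sessions.size();
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistryImpl();
        // Constructed session ids and user names.
        registry.registerNewSession("S-1", "alice");
        registry.registerNewSession("S-2", "alice");
        registry.registerNewSession("S-3", "bob");

        System.out.println("before: S-1=" + check(registry, "S-1") + " S-3=" + check(registry, "S-3"));
        System.out.println("expired " + expireAll(registry, "alice") + " sessions of alice");
        System.out.println("after:  S-1=" + check(registry, "S-1") + " S-2=" + check(registry, "S-2")
                + " S-3=" + check(registry, "S-3") + " S-9=" + check(registry, "S-9"));
    }
}
```

It needs spring-security-core on the classpath. Note that `expireNow()` only sets a flag: the entry stays in the registry until `removeSessionInformation` is called for that session id.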

 

Posted by 意犹未尽