[SpringSecurity6] How do I configure concurrent session control for my own extended UsernamePasswordAuthenticationFilter?

2023-03-08 00:23:19 +08:00
 yodhcn

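How do I configure concurrent session control for my own extended UsernamePasswordAuthenticationFilter?

I googled for a long time; it looks like I need to configure a SessionAuthenticationStrategy for the custom Filter. Could you folks take a look and tell me whether I have configured something wrong?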

https://github.com/yodhcn/security-demo

public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        return super.attemptAuthentication(request, response);
    }
}

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    @Bean
    public SecurityContextRepository securityContextRepository() {
        return new DelegatingSecurityContextRepository(
                new HttpSessionSecurityContextRepository(),
                new RequestAttributeSecurityContextRepository()
        );
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public SessionAuthenticationStrategy authStrategy(SessionRegistry sessionRegistry) {
        List<SessionAuthenticationStrategy> delegateStrategies = new ArrayList<>();

        ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlAuthenticationStrategy =
                new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
        concurrentSessionControlAuthenticationStrategy.setMaximumSessions(1); // maximumSessions

        delegateStrategies.add(concurrentSessionControlAuthenticationStrategy);
        return new CompositeSessionAuthenticationStrategy(delegateStrategies);
    }

    @Bean
    MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter(
            AuthenticationManager authenticationManager,
            SecurityContextRepository securityContextRepository) {
        MyUsernamePasswordAuthenticationFilter filter = new MyUsernamePasswordAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager);
        filter.setSecurityContextRepository(securityContextRepository);
        return filter;
    }

    @Bean
    public SecurityFilterChain filterChain(
            HttpSecurity http,
            MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter,
            SecurityContextRepository securityContextRepository
    ) throws Exception {
        http.authorizeHttpRequests()
                .anyRequest().authenticated();
        http.sessionManagement().maximumSessions(1); // maximumSessions
        http.formLogin();
        http.addFilterAt(myUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }

}
1044 views
Node: Java
2 replies
yodhcn
2023-03-08 01:15:36 +08:00
Found out how to configure it. It has to be configured inside a Configurer, so that you can get hold of SessionAuthenticationStrategy sessionAuthenticationStrategy = http.getSharedObject(SessionAuthenticationStrategy.class);

https://stackoverflow.com/questions/65182973/not-able-to-implement-session-limiting-in-spring-security-with-custom-filter
mmdsun
2023-03-08 12:30:59 +08:00
The filter has a setSessionAuthenticationStrategy; I just use that setter to pass in the concurrent-login control strategy directly.
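
The setter approach from the second reply, as an added example (not code from the thread or the linked repository): a composite strategy that enforces the limit, rotates the session ID and records the session in the registry, set on the custom filter. The class name `ConcurrentLoginConfig` is hypothetical; it assumes Spring Security 6, that `MyUsernamePasswordAuthenticationFilter` is in the same package, and that these two beans replace the same-named beans in the question's `SecurityConfig`.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.SecurityContextRepository;

// Hypothetical class; the injected beans are the ones defined in the question.
@Configuration
public class ConcurrentLoginConfig {

    @Bean
    public SessionAuthenticationStrategy authStrategy(SessionRegistry sessionRegistry) {
        // Counts the user's sessions in the registry and applies the limit.
        ConcurrentSessionControlAuthenticationStrategy limit =
                new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
        limit.setMaximumSessions(1);
        // false: expire the oldest session; true: reject the new login instead.
        limit.setExceptionIfMaximumExceeded(false);
        // Order matters: check the limit, change the session ID, then register.
        // Without the last delegate the registry stays empty and no limit applies.
        return new CompositeSessionAuthenticationStrategy(List.of(
                limit,
                new ChangeSessionIdAuthenticationStrategy(),
                new RegisterSessionAuthenticationStrategy(sessionRegistry)));
    }

    @Bean
    public MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter(
            AuthenticationManager authenticationManager,
            SecurityContextRepository securityContextRepository,
            SessionAuthenticationStrategy authStrategy) {
        MyUsernamePasswordAuthenticationFilter filter = new MyUsernamePasswordAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager);
        filter.setSecurityContextRepository(securityContextRepository);
        // A filter added with addFilterAt() is not wired by formLogin() or
        // sessionManagement(), so the strategy has to be set on it explicitly.
        filter.setSessionAuthenticationStrategy(authStrategy);
        return filter;
    }
}
```

The session that the strategy marks as expired is only rejected by the `ConcurrentSessionFilter` that `http.sessionManagement().maximumSessions(1)` installs, so pass the same registry there with `.sessionRegistry(sessionRegistry)`.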

https://www.v2ex.com/t/922070