[SpringSecurity6] How should concurrent session control be configured for a custom extension of UsernamePasswordAuthenticationFilter?

    yodhcn · 2023-03-08 00:23:19 +08:00 · 1043 views

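    How should concurrent session control be configured for a custom filter that extends UsernamePasswordAuthenticationFilter?

    I googled for quite a while, and it seems I need to configure a SessionAuthenticationStrategy for the custom Filter. Could you folks take a look and tell me whether I have configured something wrong?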

    https://github.com/yodhcn/security-demo

    public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    
        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
            return super.attemptAuthentication(request, response);
        }
    }
    
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        @Bean
        public HttpSessionEventPublisher httpSessionEventPublisher() {
            return new HttpSessionEventPublisher();
        }
    
        @Bean
        public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
            return authenticationConfiguration.getAuthenticationManager();
        }
    
        @Bean
        public SecurityContextRepository securityContextRepository() {
            return new DelegatingSecurityContextRepository(
                    new HttpSessionSecurityContextRepository(),
                    new RequestAttributeSecurityContextRepository()
            );
        }
    
        @Bean
        public SessionRegistry sessionRegistry() {
            return new SessionRegistryImpl();
        }
    
        @Bean
        public SessionAuthenticationStrategy authStrategy(SessionRegistry sessionRegistry) {
            List<SessionAuthenticationStrategy> delegateStrategies = new ArrayList<>();
    
            ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlAuthenticationStrategy =
                    new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
            concurrentSessionControlAuthenticationStrategy.setMaximumSessions(1); // maximumSessions
    
            delegateStrategies.add(concurrentSessionControlAuthenticationStrategy);
            return new CompositeSessionAuthenticationStrategy(delegateStrategies);
        }
    
        @Bean
        MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter(
                AuthenticationManager authenticationManager,
                SecurityContextRepository securityContextRepository) {
            MyUsernamePasswordAuthenticationFilter filter = new MyUsernamePasswordAuthenticationFilter();
            filter.setAuthenticationManager(authenticationManager);
            filter.setSecurityContextRepository(securityContextRepository);
            return filter;
        }
    
        @Bean
        public SecurityFilterChain filterChain(
                HttpSecurity http,
                MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter,
                SecurityContextRepository securityContextRepository
        ) throws Exception {
            http.authorizeHttpRequests()
                    .anyRequest().authenticated();
            http.sessionManagement().maximumSessions(1); // maximumSessions
            http.formLogin();
            http.addFilterAt(myUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    
            return http.build();
        }
    
        @Bean
        public UserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER")
                    .build();
            return new InMemoryUserDetailsManager(user);
        }
    
    }
    
    2 replies · 2023-03-08 12:30:59 +08:00

    #1 · yodhcn (OP) · 2023-03-08 01:15:36 +08:00
    Found the way to configure it. It has to be configured in a Configurer in order to get SessionAuthenticationStrategy sessionAuthenticationStrategy = http.getSharedObject(SessionAuthenticationStrategy.class);

    https://stackoverflow.com/questions/65182973/not-able-to-implement-session-limiting-in-spring-security-with-custom-filter

    #2 · mmdsun · 2023-03-08 12:30:59 +08:00 via iPhone
    The filter has a setSessionAuthenticationStrategy; I just use that to set the login concurrency control strategy directly.
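
The Configurer approach from reply #1, ending in the setter that reply #2 mentions, as an added example that is not part of the original thread or the linked repository. `MyLoginConfigurer` is a hypothetical name, and `MyUsernamePasswordAuthenticationFilter` (the class from the question) is assumed to be in the same package.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.SecurityContextRepository;

// Hypothetical configurer (added example). It builds the custom login filter
// inside configure(), where HttpSecurity's shared objects are available.
public class MyLoginConfigurer extends AbstractHttpConfigurer<MyLoginConfigurer, HttpSecurity> {

    @Override
    public void configure(HttpSecurity http) {
        MyUsernamePasswordAuthenticationFilter filter = new MyUsernamePasswordAuthenticationFilter();
        filter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));

        // sessionManagement() publishes its strategy as a shared object. With
        // maximumSessions(...) configured, that composite enforces the limit
        // and also registers each new session in the SessionRegistry.
        SessionAuthenticationStrategy strategy =
                http.getSharedObject(SessionAuthenticationStrategy.class);
        if (strategy == null) {
            // Fail at startup rather than run a login filter with no session limit.
            throw new IllegalStateException(
                    "No SessionAuthenticationStrategy shared object; is sessionManagement() configured?");
        }
        filter.setSessionAuthenticationStrategy(strategy);

        // Reuse the repository the rest of the chain uses, so the context saved
        // at login is the one later requests load.
        SecurityContextRepository repository =
                http.getSharedObject(SecurityContextRepository.class);
        if (repository != null) {
            filter.setSecurityContextRepository(repository);
        }

        http.addFilterAt(filter, UsernamePasswordAuthenticationFilter.class);
    }
}

// Usage inside the question's filterChain(), replacing the injected filter bean
// and the direct http.addFilterAt(...) call:
//     http.sessionManagement().maximumSessions(1);
//     http.apply(new MyLoginConfigurer());
```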