add session concurrency control

527515025 · 527515025 · commit 24f15adcd8cf · 2017-08-17T14:34:00.000+08:00
diff --git a/springboot-springSecurity2/src/main/java/com/us/example/config/WebSecurityConfig.java b/springboot-springSecurity2/src/main/java/com/us/example/config/WebSecurityConfig.java
@@ -2,14 +2,19 @@
 
 import com.us.example.security.CustomUserService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.context.embedded.ServletListenerRegistrationBean;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
 
 /**
  * Created by yangyibo on 17/1/18.
@@ -22,7 +27,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     @Autowired
      private  CustomUserService customUserService;
 
-
     @Autowired
     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
         auth.userDetailsService(customUserService).passwordEncoder(new BCryptPasswordEncoder());
@@ -44,12 +48,13 @@ protected void configure(HttpSecurity http) throws Exception {
                 .antMatchers("/**")
                 .permitAll()
                 .and()
-                .sessionManagement()
-                .and()
-                .httpBasic();
+                .sessionManagement().maximumSessions(1).maxSessionsPreventsLogin(true);
+        http.httpBasic();
     }
 
-
-
+    @Bean
+    public ServletListenerRegistrationBean httpSessionEventPublisher() {
+        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
+    }
 }
 
diff --git a/springboot-springSecurity2/src/main/java/com/us/example/controller/LoginController.java b/springboot-springSecurity2/src/main/java/com/us/example/controller/LoginController.java
@@ -1,29 +1,54 @@
 package com.us.example.controller;
 
 import com.us.example.domain.SysUser;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 
 /**
  * Created by yangyibo on 17/3/1.
  */
-@RestController
+@Controller
 public class LoginController {
 
+    /**
+     * http://localhost:8080/login
+     * http://localhost:8080/logout
+     * @param loginedUser
+     * @param logout
+     * @return
+     */
     @RequestMapping(value = "/login")
     @ResponseBody
     //用户名密码是用base64 加密 原文为 admin:admin 即 用户名:密码  内容是放在request.getHeader 的 "authorization" 中
     public Object login(@AuthenticationPrincipal SysUser loginedUser, @RequestParam(name = "logout", required = false) String logout) {
         if (logout != null) {
-            return null;
+            return "logout";
         }
         if (loginedUser != null) {
             return loginedUser;
         }
         return null;
     }
+
+//    此方法未用到
+//    @RequestMapping(value="/logout", method = RequestMethod.GET)
+//    @ResponseBody
+//    public String logout (HttpServletRequest request, HttpServletResponse response) {
+//        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+//        if (auth != null){
+//            new SecurityContextLogoutHandler().logout(request, response, auth);
+//        }
+//        return "logout ok";
+//    }
 }
diff --git a/springboot-springSecurity2/src/main/java/com/us/example/domain/SysUser.java b/springboot-springSecurity2/src/main/java/com/us/example/domain/SysUser.java
@@ -98,4 +98,18 @@ public void setGrantedAuthorities(List<? extends GrantedAuthority> authorities)
         this.authorities = authorities;
     }
 
+    @Override
+    public String toString() {
+        return this.username;
+    }
+
+    @Override
+    public int hashCode() {
+        return username.hashCode();
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        return this.toString().equals(obj.toString());
+    }
 }
