1、功能实现
设置同一账号最大登录数,当达到最大登录数时,顶掉前面登录的账号
2、shiro07 子工程
本篇以 登录限制篇 为基础
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.yzm</groupId>
<artifactId>shiro</artifactId>
<version>0.0.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath> <!-- lookup parent from repository -->
</parent>
<artifactId>shiro07</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>shiro07</name>
<description>Demo project for Spring Boot</description>
<dependencies>
<dependency>
<groupId>com.yzm</groupId>
<artifactId>common</artifactId>
<version>0.0.1-SNAPSHOT</version>
</dependency>
<!-- redis -->
<dependency>
<groupId>org.crazycake</groupId>
<artifactId>shiro-redis</artifactId>
<version>3.2.3</version>
<exclusions>
<exclusion>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- 可以解决会话调度验证会话失效无法循环执行的问题 -->
<dependency>
<groupId>redis.clients</groupId>
<artifactId>jedis</artifactId>
<version>2.9.0</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
application.yml
spring:
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://192.168.192.128:3306/testdb2?useUnicode=true&characterEncoding=utf8&useSSL=false&allowMultiQueries=true&zeroDateTimeBehavior=convertToNull&serverTimezone=Asia/Shanghai
username: root
password: 1234
mybatis-plus:
mapper-locations: classpath:/mapper/*Mapper.xml
type-aliases-package: com.yzm.shiro07.entity
configuration:
map-underscore-to-camel-case: true
log-impl: org.apache.ibatis.logging.stdout.StdOutImpl
3、认证和授权
package com.yzm.shiro02.config;
import com.yzm.shiro02.entity.Permissions;
import com.yzm.shiro02.entity.Role;
import com.yzm.shiro02.entity.User;
import com.yzm.shiro02.service.PermissionsService;
import com.yzm.shiro02.service.RoleService;
import com.yzm.shiro02.service.UserService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
/**
* 自定义Realm,实现认证和授权
* AuthorizingRealm 继承 AuthorizingRealm
* AuthorizingRealm 提供 授权方法 doGetAuthorizationInfo
* AuthorizingRealm 提供 认证方法 doGetAuthenticationInfo
*/
public class MyShiroRealm extends AuthorizingRealm {
private final UserService userService;
private final RoleService roleService;
private final PermissionsService permissionsService;
public MyShiroRealm(UserService userService, RoleService roleService, PermissionsService permissionsService) {
this.userService = userService;
this.roleService = roleService;
this.permissionsService = permissionsService;
}
@Override
public boolean supports(AuthenticationToken token) {
return token instanceof UsernamePasswordToken;
}
/**
* 授权
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String username = (String) principalCollection.getPrimaryPrincipal();
// 查询用户,获取角色ids
User user = userService.lambdaQuery().eq(User::getUsername, username).one();
List<Integer> roleIds = Arrays.stream(user.getRIds().split(","))
.map(Integer::parseInt)
.collect(Collectors.toList());
// 查询角色,获取角色名、权限ids
List<Role> roles = roleService.listByIds(roleIds);
Set<String> roleNames = new HashSet<>(roles.size());
Set<Integer> permIds = new HashSet<>();
roles.forEach(role -> {
roleNames.add(role.getRName());
Set<Integer> collect = Arrays.stream(
role.getPIds().split(",")).map(Integer::parseInt).collect(Collectors.toSet());
permIds.addAll(collect);
});
// 获取权限名称
List<Permissions> permissions = permissionsService.listByIds(permIds);
List<String> permNames = permissions.stream().map(Permissions::getPName).collect(Collectors.toList());
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.addRoles(roleNames);
authorizationInfo.addStringPermissions(permNames);
return authorizationInfo;
}
/**
* 认证
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
// 获取用户名跟密码
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
String username = usernamePasswordToken.getUsername();
// 查询用户是否存在
User user = userService.lambdaQuery().eq(User::getUsername, username).one();
if (user == null) {
throw new UnknownAccountException();
}
return new SimpleAuthenticationInfo(
user.getUsername(),
user.getPassword(),
// 用户名 + 盐
ByteSource.Util.bytes(user.getUsername() + user.getSalt()),
getName()
);
}
}
4、ShiroConfig 配置类
package com.yzm.shiro07.config;
import com.yzm.shiro07.service.PermissionsService;
import com.yzm.shiro07.service.RoleService;
import com.yzm.shiro07.service.UserService;
import com.yzm.shiro07.utils.EncryptUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.crazycake.shiro.RedisCacheManager;
import org.crazycake.shiro.RedisManager;
import org.crazycake.shiro.RedisSessionDAO;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;
import javax.servlet.Filter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
@Configuration
public class ShiroConfig {
private final UserService userService;
private final RoleService roleService;
private final PermissionsService permissionsService;
public ShiroConfig(UserService userService, RoleService roleService, PermissionsService permissionsService) {
this.userService = userService;
this.roleService = roleService;
this.permissionsService = permissionsService;
}
/**
* 凭证匹配器
*/
@Bean
public HashedCredentialsMatcher hashedCredentialsMatcher() {
HashedCredentialsMatcher hashedCredentialsMatcher = new RetryLimitHashedCredentialsMatcher(redisCacheManager(), sessionManager());
hashedCredentialsMatcher.setHashAlgorithmName(EncryptUtils.ALGORITHM_NAME);
hashedCredentialsMatcher.setHashIterations(EncryptUtils.HASH_ITERATIONS);
return hashedCredentialsMatcher;
}
/**
* 自定义Realm
*/
@Bean
public MyShiroRealm simpleShiroRealm() {
MyShiroRealm myShiroRealm = new MyShiroRealm(userService, roleService, permissionsService);
myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher());
// 开启缓存
myShiroRealm.setCachingEnabled(true);
//启用身份验证缓存,即缓存AuthenticationInfo信息,默认false
myShiroRealm.setAuthenticationCachingEnabled(true);
//缓存AuthenticationInfo信息的缓存名称 在ehcache-shiro.xml中有对应缓存的配置
myShiroRealm.setAuthenticationCacheName("authenticationCache");
//启用授权缓存,即缓存AuthorizationInfo信息,默认false
myShiroRealm.setAuthorizationCachingEnabled(true);
//缓存AuthorizationInfo信息的缓存名称 在ehcache-shiro.xml中有对应缓存的配置
myShiroRealm.setAuthorizationCacheName("authorizationCache");
return myShiroRealm;
}
/**
* redis缓存
*/
@Bean
public RedisManager redisManager() {
RedisManager redisManager = new RedisManager();
redisManager.setHost("127.0.0.1:6379");
redisManager.setPassword("1234");
redisManager.setDatabase(0);
return redisManager;
}
@Bean
public RedisCacheManager redisCacheManager() {
RedisCacheManager redisCacheManager = new RedisCacheManager();
redisCacheManager.setRedisManager(redisManager());
// redis中针对不同用户缓存
redisCacheManager.setPrincipalIdFieldName("username");
// 用户认证权限信息缓存时间
redisCacheManager.setExpire(200);
return redisCacheManager;
}
/**
* SessionDAO的作用是为Session提供CRUD并进行持久化的一个shiro组件
* MemorySessionDAO 直接在内存中进行会话维护
* EnterpriseCacheSessionDAO 提供了缓存功能的会话维护,默认情况下使用MapCache实现,内部使用ConcurrentHashMap保存缓存的会话。
*/
@Bean
public SessionDAO sessionDAO() {
RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
redisSessionDAO.setRedisManager(redisManager());
redisSessionDAO.setSessionIdGenerator(new JavaUuidSessionIdGenerator());
//session在redis中的保存时间,最好大于session会话超时时间
redisSessionDAO.setExpire(300);
return redisSessionDAO;
}
/**
* 配置保存sessionId的cookie
* 注意:这里的cookie 不是上面的记住我 cookie 记住我需要一个cookie session管理 也需要自己的cookie
*/
@Bean
public SimpleCookie sessionIdCookie() {
SimpleCookie simpleCookie = new SimpleCookie("sid");
simpleCookie.setHttpOnly(true);
simpleCookie.setPath("/");
//maxAge=-1表示浏览器关闭时失效此Cookie
simpleCookie.setMaxAge(-1);
return simpleCookie;
}
/**
* 配置会话管理器,设定会话超时及保存
*/
@Bean
public SessionManager sessionManager() {
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
//监听
sessionManager.setSessionListeners(Collections.singletonList(new MySessionListener()));
sessionManager.setSessionIdCookieEnabled(true);
sessionManager.setSessionIdCookie(sessionIdCookie());
sessionManager.setCacheManager(redisCacheManager());
sessionManager.setSessionDAO(sessionDAO());
//如果用户如果不点注销,直接关闭浏览器,不能够进行session的清空处理,所以为了防止这样的问题,还需要增加有一个会话的验证调度。
//全局会话超时时间(单位毫秒),默认30分钟
sessionManager.setGlobalSessionTimeout(120 * 1000L);
//定时调度器进行检测过期session 默认为true
sessionManager.setSessionValidationSchedulerEnabled(true);
//设置session失效的扫描时间, 清理用户直接关闭浏览器造成的孤立会话 默认为 1个小时
sessionManager.setSessionValidationInterval(60 * 1000L);
//删除无效的session对象 默认为true
sessionManager.setDeleteInvalidSessions(true);
// 取消 JSESSIONID cookie
sessionManager.setSessionIdUrlRewritingEnabled(false);
return sessionManager;
}
/**
* 安全管理
*/
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
// 配置单个realm
securityManager.setRealm(simpleShiroRealm());
// 缓存
securityManager.setCacheManager(redisCacheManager());
// session
securityManager.setSessionManager(sessionManager());
SecurityUtils.setSecurityManager(securityManager);
return securityManager;
}
/**
* 开启注解
*/
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAAP = new DefaultAdvisorAutoProxyCreator();
defaultAAP.setProxyTargetClass(true);
return defaultAAP;
}
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor() {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager());
return authorizationAttributeSourceAdvisor;
}
@Bean
public ShiroFilterFactoryBean shiroFilter() {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager());
// 自定义拦截器
Map<String, Filter> filters = new LinkedHashMap<>();
filters.put("kickOut", new KickOutSessionControlFilter());
shiroFilterFactoryBean.setFilters(filters);
// 拦截url
Map<String, String> definitionMap = new LinkedHashMap<>();
definitionMap.put("/**", "kickOut");
shiroFilterFactoryBean.setFilterChainDefinitionMap(definitionMap);
return shiroFilterFactoryBean;
}
/**
* 问题:未登录不会自动跳转到登录页、无权访问页面不跳转
* 原因:Shiro注解模式下,登录失败与没有权限都是通过抛出异常,并且默认并没有去处理或者捕获这些异常。
* 解决:通过在SpringMVC下配置捕获相应异常来通知用户信息
*/
@Bean
public SimpleMappingExceptionResolver simpleMappingExceptionResolver() {
SimpleMappingExceptionResolver simpleMappingExceptionResolver = new SimpleMappingExceptionResolver();
Properties properties = new Properties();
// 未登录访问接口跳转到/login、登录后没有权限跳转到/401
properties.setProperty("org.apache.shiro.authz.UnauthenticatedException", "redirect:/login");
properties.setProperty("org.apache.shiro.authz.UnauthorizedException", "redirect:/401");
simpleMappingExceptionResolver.setExceptionMappings(properties);
return simpleMappingExceptionResolver;
}
}
5、限制并发在线人数
修改 RetryLimitHashedCredentialsMatcher
package com.yzm.shiro07.config;
import com.yzm.common.utils.HttpUtils;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionKey;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.web.util.WebUtils;
import java.io.Serializable;
import java.util.Date;
import java.util.Deque;
import java.util.LinkedList;
import java.util.concurrent.atomic.AtomicInteger;
/**
* 自定义登陆次数限制
*/
@Slf4j
public class RetryLimitHashedCredentialsMatcher extends HashedCredentialsMatcher {
private final Cache<String, AtomicInteger> limitCache;
private final Cache<String, Date> timeCache;
// 踢出最先/最后登录的用户 默认踢出第最先登录的用户
private boolean kickOutFirst = true;
// 同一个帐号最大会话数 默认1
private int maxSession = 1;
private final SessionManager sessionManager;
private final Cache<String, Deque<Serializable>> activeSession;
public RetryLimitHashedCredentialsMatcher(CacheManager cacheManager, SessionManager sessionManager) {
this.limitCache = cacheManager.getCache("limitCache");
this.timeCache = cacheManager.getCache("timeCache");
this.activeSession = cacheManager.getCache("activeSession");
this.sessionManager = sessionManager;
}
public void setKickOutFirst(boolean kickOutFirst) {
this.kickOutFirst = kickOutFirst;
}
public void setMaxSession(int maxSession) {
this.maxSession = maxSession;
}
/**
* 重写密码校验
*/
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
String username = (String) token.getPrincipal();
String usernameTime = username + "_time";
// 获取用户登录次数
AtomicInteger retryCount = limitCache.get(username);
if (retryCount == null) {
//如果用户没有登陆过,登陆次数加1 并放入缓存
retryCount = new AtomicInteger(0);
limitCache.put(username, retryCount);
}
// 如果用户登陆失败次数大于3次 锁住3分钟
if (retryCount.incrementAndGet() > 3) {
Date date = timeCache.get(usernameTime);
if (date == null) {
date = new Date();
timeCache.put(usernameTime, date);
}
long time = (System.currentTimeMillis() - date.getTime()) / 1000;
if (time <= 180) {
log.info("锁定用户" + username);
try {
WebUtils.issueRedirect(HttpUtils.getHttpServletRequest(), HttpUtils.getHttpServletResponse(), "login?time=" + (180 - time));
} catch (Exception e) {
//
}
return false;
} else {
log.info("解锁用户" + username);
limitCache.remove(username);
timeCache.remove(usernameTime);
}
}
// 判断用户账号和密码是否正确
boolean matches = super.doCredentialsMatch(token, info);
if (matches) {
// 如果正确,从缓存中将用户登录计数 清除
limitCache.remove(username);
// 密码校验成功之后,踢出之前登录过的同一账号
kickOut(username);
return true;
} else {
try {
log.info("密码错误:" + token.getCredentials());
// 更新
limitCache.put(username, retryCount);
WebUtils.issueRedirect(HttpUtils.getHttpServletRequest(), HttpUtils.getHttpServletResponse(), "login?failure");
} catch (Exception e) {
//
}
return false;
}
}
private void kickOut(String username) {
Session session = SecurityUtils.getSubject().getSession();
Serializable sessionId = session.getId();
Deque<Serializable> deque = activeSession.get(username);
deque = deque != null ? deque : new LinkedList<>();
if (!deque.contains(sessionId)) {
deque.add(sessionId);
// 存入数据是放在最右的
activeSession.put(username, deque);
}
// 如果队列里的sessionId数超出最大会话数,开始踢人
while (deque.size() > maxSession) {
Serializable kickOutSessionId;
if (kickOutFirst) {
// 要踢出第一个登录的账号,应该拿最左边的
kickOutSessionId = deque.removeFirst();
} else {
// 要踢出最后一个登录的账号,应该拿最右边的
kickOutSessionId = deque.removeLast();
}
// 更新deque
activeSession.put(username, deque);
try {
Session kickOutSession = sessionManager.getSession(new DefaultSessionKey(kickOutSessionId));
if (kickOutSession != null) {
//设置会话的 kickOut 属性表示踢出了
kickOutSession.setAttribute("kickOut", true);
}
} catch (Exception e) {
e.printStackTrace();
}
}
}
}
6、踢出拦截器
拦截请求,判断当前登录用户是否需要退出
package com.yzm.shiro07.config;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
/**
* 并发人数控制
*/
public class KickOutSessionControlFilter extends AccessControlFilter {
/**
* 踢出后跳转url
*/
private static final String kickOutUrl = "/home?kickOut";
public KickOutSessionControlFilter() {
}
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
return false;
}
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
Subject subject = SecurityUtils.getSubject();
if (!subject.isAuthenticated() && !subject.isRemembered()) {
//如果没有登录,直接进行之后的流程
return true;
}
// 如果被踢出了,直接退出,重定向到踢出后的地址
Session session = subject.getSession();
if (session.getAttribute("kickOut") != null) {
try {
subject.logout();
} catch (Exception e) {
//
}
WebUtils.issueRedirect(request, response, kickOutUrl);
return false;
}
return true;
}
}
在ShiroConfig#shiroFilter中
@Bean
public ShiroFilterFactoryBean shiroFilter() {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager());
// 自定义拦截器
Map<String, Filter> filters = new LinkedHashMap<>();
filters.put("kickOut", new KickOutSessionControlFilter());
shiroFilterFactoryBean.setFilters(filters);
// 拦截url
Map<String, String> definitionMap = new LinkedHashMap<>();
definitionMap.put("/**", "kickOut");
shiroFilterFactoryBean.setFilterChainDefinitionMap(definitionMap);
return shiroFilterFactoryBean;
}
home.html 提示异地登录
<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>首页</title>
</head>
<body>
<h1>当前登录状态:<span th:text="${subject ?: '未登录 '}"></span></h1>
<h2>当前在线人数:<span th:text="${count ?: '0'}"></span></h2>
...
<script type="text/javascript">
function kickOut() {
const href = location.href;
if (href.indexOf("kickOut") > 0) {
alert("您的账号在另一台设备上登录,如非本人操作,请立即修改密码!");
}
}
window.onload = kickOut();
</script>
</body>
</html>
7、测试
启动项目,火狐登录yzm
谷歌再次登录yzm
这时刷新火狐yzm,提示被踢出了并且缓存数据也更新了
只剩下谷歌yzm的缓存
扫一扫
279
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
