spring session 实现用户并发登录-过滤器

2019独角兽企业重金招聘Python工程师标准>>>

最近项目中使用了shiro做权限管理。然后加了spring sessioin做集群session控制（简单），并没有使用shiro redis管理session。

由于之前并发登录是用的spring security 。本项目中没有。

查看了 security和spring session的源码发现使用过滤器和session过期字段实现的。相当于解析spring security session管理源码了。

故将源码重写了勉强实现了。记录一下。

步骤：1.登录通过用户名这个唯一标识 上redis里通过index检索当前所有的符合相同用户名的session

          2.校验获取的session是否过期，根据条件判断是否满足并发条件。将符合条件的session的expire字段设置为过期 -即true。

          3.使用过滤器拦截当前session判断是否并发过期。--应该将过滤器放入shiro过滤链中。

推荐自己用缓存等第三方库保存唯一标识校验。

第一步 系列代码

package com.xxx.xxx.framework.common.session.registry;

import java.io.Serializable;
import java.util.Date;

import lombok.Data;

import org.springframework.util.Assert;

/**
 * 
 * ClassName : FastSessionInformation <br>
 * Description : session记录--- <br>
 * Create Time : 2019年2月23日 <br>
 * 参考 spring security SessionInformation
 *
 */
@Data
public class FastSessionInformation implements Serializable {

	/** TODO */
    private static final long serialVersionUID = -2078977003038133602L;

    
    private Date lastRequest;
	private final Object principal;
	private final String sessionId;
	private boolean expired = false;

	// ~ Constructors
	// ===================================================================================================

	public FastSessionInformation(Object principal, String sessionId, Date lastRequest) {
		Assert.notNull(principal, "Principal required");
		Assert.hasText(sessionId, "SessionId required");
		Assert.notNull(lastRequest, "LastRequest required");
		this.principal = principal;
		this.sessionId = sessionId;
		this.lastRequest = lastRequest;
	}

	// ~ Methods
	// ========================================================================================================

	public void expireNow() {
		this.expired = true;
	}

	public void refreshLastRequest() {
		this.lastRequest = new Date();
	}
}

package com.xxx.xxx.framework.common.session.registry;

import java.util.List;

public interface FastSessionRegistry {
	public abstract List<FastSessionInformation> getAllPrincipals();

	  public abstract List<FastSessionInformation> getAllSessions(String  paramObject, boolean paramBoolean);

	  public abstract FastSessionInformation getSessionInformation(String paramString);

	  public abstract void refreshLastRequest(String paramString);

	  public abstract void registerNewSession(String paramString, Object paramObject);

	  public abstract void removeSessionInformation(String paramString);
}

 

package com.xxx.xxx.framework.common.session.registry;

import java.util.Date;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.SessionRepository;

public class FastSpringSessionBackedSessionInformation<S extends Session> extends FastSessionInformation{
	/** TODO */
    private static final long serialVersionUID = 7021616588097878426L;

	static final String EXPIRED_ATTR = FastSpringSessionBackedSessionInformation.class
			.getName() + ".EXPIRED";

	private static final Log logger = LogFactory
			.getLog(FastSpringSessionBackedSessionInformation.class);


	private final SessionRepository<S> sessionRepository;

	FastSpringSessionBackedSessionInformation(S session,SessionRepository<S> sessionRepository) {
		super(resolvePrincipal(session), session.getId(),Date.from(session.getLastAccessedTime()));
		this.sessionRepository = sessionRepository;
		Boolean expired = session.getAttribute(EXPIRED_ATTR);
		if (Boolean.TRUE.equals(expired)) {
			super.expireNow();
		}
	}
	/**
	 * Tries to determine the principal's name from the given Session.
	 *
	 * @param session the session
	 * @return the principal's name, or empty String if it couldn't be determined
	 */
	private static String resolvePrincipal(Session session) {
		String principalName = session
				.getAttribute(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME);
		if (principalName != null) {
			return principalName;
		}
		return "";
	}

	@Override
	public void expireNow() {
		if (logger.isDebugEnabled()) {
			logger.debug("Expiring session " + getSessionId() + " for user '"
					+ getPrincipal() + "', presumably because maximum allowed concurrent "
					+ "sessions was exceeded");
		}
		super.expireNow();
		S session = this.sessionRepository.findById(getSessionId());
		if (session != null) {
			session.setAttribute(EXPIRED_ATTR, Boolean.TRUE);
			this.sessionRepository.save(session);
		}
		else {
			logger.info("Could not find Session with id " + getSessionId()
					+ " to mark as expired");
		}
	}
}

package com.xxx.xxx.framework.common.session.registry;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.util.Assert;


public class FastSpringSessionBackedSessionRegistry<S extends Session> implements FastSessionRegistry {

	private final FindByIndexNameSessionRepository<S> sessionRepository;

	public FastSpringSessionBackedSessionRegistry(
			FindByIndexNameSessionRepository<S> sessionRepository) {
		Assert.notNull(sessionRepository, "sessionRepository cannot be null");
		this.sessionRepository = sessionRepository;
	}

	@Override
	public List<FastSessionInformation> getAllPrincipals() {
		throw new UnsupportedOperationException("SpringSessionBackedSessionRegistry does "
				+ "not support retrieving all principals, since Spring Session provides "
				+ "no way to obtain that information");
	}

	@Override
	public List<FastSessionInformation> getAllSessions(String principal,
			boolean includeExpiredSessions) {
		Collection<S> sessions = this.sessionRepository.findByIndexNameAndIndexValue(
				FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME,
				principal).values();
		List<FastSessionInformation> infos = new ArrayList<>();
		for (S session : sessions) {
			if (includeExpiredSessions || !Boolean.TRUE.equals(session
					.getAttribute(FastSpringSessionBackedSessionInformation.EXPIRED_ATTR))) {
				infos.add(new FastSpringSessionBackedSessionInformation<>(session,
						this.sessionRepository));
			}
		}
		return infos;
	}

	@Override
	public FastSessionInformation getSessionInformation(String sessionId) {
		S session = this.sessionRepository.findById(sessionId);
		if (session != null) {
			return new FastSpringSessionBackedSessionInformation<>(session,
					this.sessionRepository);
		}
		return null;
	}

	/*
	 * This is a no-op, as we don't administer sessions ourselves.
	 */
	@Override
	public void refreshLastRequest(String sessionId) {
	}

	/*
	 * This is a no-op, as we don't administer sessions ourselves.
	 */
	@Override
	public void registerNewSession(String sessionId, Object principal) {
	}

	/*
	 * This is a no-op, as we don't administer sessions ourselves.
	 */
	@Override
	public void removeSessionInformation(String sessionId) {
	}

}

以上代码 参考 重写  spring security+spring session 并发登录部分。可以上 spring session官网查看。这部分是使session过期部分。

@Autowired
    private FastSessionAuthenticationStrategy fastConcurrentSessionStrategy;

fastConcurrentSessionStrategy.onAuthentication(user.getAccount(), req, res);

在登录方法中调用如上代码即可将同用户名的已登录session标记为过期了。我用的唯一标识是用户名 ，页可以用别的 对象都行 看重写代码传啥都行。

 

第二步  过滤器拦截 实现并发操作。提示 当前用户已在其他地方登录

@Bean
    public FilterRegistrationBean concurrentSessionFilterRegistration(FastSessionRegistry sessionRegistry) {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new ConcurrentSessionFilter(sessionRegistry));
        registration.addUrlPatterns("/*");
        registration.setName("concurrentSessionFilter");
        registration.setOrder(Integer.MAX_VALUE-2);
        return registration;
    }


spring boot自己配置过滤器 记得启动顺序不能比shrio低

过滤器代码 纯copy spring security

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;
import com.asdc.fast.framework.common.session.registry.FastSessionInformation;
import com.asdc.fast.framework.common.session.registry.FastSessionRegistry;
import com.asdc.fast.framework.common.utils.HttpContextUtils;
import com.asdc.fast.framework.common.utils.R;
import com.google.gson.Gson;

public class ConcurrentSessionFilter extends GenericFilterBean {

	
	private final FastSessionRegistry fastSessionRegistry;
    

	public ConcurrentSessionFilter(FastSessionRegistry fastSessionRegistry) {
	    this.fastSessionRegistry=fastSessionRegistry;
    }

	@Override
	public void afterPropertiesSet() {
		Assert.notNull(fastSessionRegistry, "FastSessionRegistry required");
	}

	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;

		HttpSession session = request.getSession(false);
		if (session != null) {
			FastSessionInformation info = fastSessionRegistry.getSessionInformation(session
					.getId());

			if (info != null) {
				if (info.isExpired()) {
					// Expired - abort processing
					if (logger.isDebugEnabled()) {
						logger.debug("Requested session ID "
								+ request.getRequestedSessionId() + " has expired.");
					}
					//doLogout(request, response);
					response.setContentType("application/json;charset=utf-8");
					response.setHeader("Access-Control-Allow-Credentials", "true");
					response.setHeader("Access-Control-Allow-Origin", HttpContextUtils.getOrigin());
		            String json = new Gson().toJson(R.error(455, "当前用户已其他地方登录"));//给前端一个特定返回错误码规定并发操作--455。

		            response.getWriter().print(json);
					//this.sessionInformationExpiredStrategy.onExpiredSessionDetected(new SessionInformationExpiredEvent(info, request, response));
					return;
				}
				else {
					// Non-expired - update last request date/time
					fastSessionRegistry.refreshLastRequest(info.getSessionId());
				}
			}
		}

		chain.doFilter(request, response);
	}



/*	private void doLogout(HttpServletRequest request, HttpServletResponse response) {
		Authentication auth = SecurityContextHolder.getContext().getAuthentication();

		this.handlers.logout(request, response, auth);
	}

	public void setLogoutHandlers(LogoutHandler[] handlers) {
		this.handlers = new CompositeLogoutHandler(handlers);
	}*/



	/**
	 * A {@link SessionInformationExpiredStrategy} that writes an error message to the response body.
	 * @since 4.2
	 */
	/*private static final class ResponseBodySessionInformationExpiredStrategy
			implements SessionInformationExpiredStrategy {
		@Override
		public void onExpiredSessionDetected(SessionInformationExpiredEvent event)
				throws IOException, ServletException {
			HttpServletResponse response = event.getResponse();
			response.getWriter().print(
					"This session has been expired (possibly due to multiple concurrent "
							+ "logins being attempted as the same user).");
			response.flushBuffer();
		}
	}*/
}

忘了第一步的关键操作 spring 注册 策略

@Configuration/*
@EnableRedisHttpSession*/
public class SpringSessionRedisConfig {
/*	@Bean
	public LettuceConnectionFactory connectionFactory() {
		return new LettuceConnectionFactory(); 
	}
*/
	//redisfactory 使用 RedisConnectionFactory yaml默认提供的
	@Bean
	public HttpSessionIdResolver httpSessionIdResolver() {
		HeaderHttpSessionIdResolver headerHttpSessionIdResolver = new HeaderHttpSessionIdResolver("token");
		return headerHttpSessionIdResolver; 
	}
	
	
	@Bean
	public FastSessionRegistry sessionRegistry(FindByIndexNameSessionRepository sessionRepository){
		return new FastSpringSessionBackedSessionRegistry<Session>(sessionRepository);
	}
	
	@Bean
	public FastConcurrentSessionStrategy fastConcurrentSessionStrategy(FastSessionRegistry sessionRegistry){
		return new FastConcurrentSessionStrategy(sessionRegistry);
	}
}

基本上 就完成了一个简单的并发登录操作。

转载于:https://my.oschina.net/u/3065626/blog/3021013