Spring Security OAuth2 实现登录互踢
工作中遇到的问题,通过网上查找资料,解决问题,记录一下,防止丢失。
1、重写DefaultTokenServices中的方法
自定义一个TokenService类继承DefaultTokenServices,重写里面的createAccessToken、setTokenStore和setTokenEnhancer方法,代码如下:
public class TokenService extends DefaultTokenServices {
private TokenEnhancer accessTokenEnhancer;
private TokenStore tokenStore;
@Transactional
@Override
public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
OAuth2RefreshToken refreshToken = null;
if (existingAccessToken != null) {
if (existingAccessToken.getRefreshToken() != null) {
refreshToken = existingAccessToken.getRefreshToken();
tokenStore.removeRefreshToken(refreshToken);
}
tokenStore.removeAccessToken(existingAccessToken);
}
if (refreshToken == null) {
refreshToken = createRefreshToken(authentication);
}
else if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
ExpiringOAuth2RefreshToken expiring = (ExpiringOAuth2RefreshToken) refreshToken;
if (System.currentTimeMillis() > expiring.getExpiration().getTime()) {
refreshToken = createRefreshToken(authentication);
}
}
OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
tokenStore.storeAccessToken(accessToken, authentication);
// In case it was modified
refreshToken = accessToken.getRefreshToken();
if (refreshToken != null) {
tokenStore.storeRefreshToken(refreshToken, authentication);
}
return accessToken;
}
private OAuth2RefreshToken createRefreshToken(OAuth2Authentication authentication) {
if (!isSupportRefreshToken(authentication.getOAuth2Request())) {
return null;
}
int validitySeconds = getRefreshTokenValiditySeconds(authentication.getOAuth2Request());
String value = UUID.randomUUID().toString();
if (validitySeconds > 0) {
return new DefaultExpiringOAuth2RefreshToken(value, new Date(System.currentTimeMillis()
+ (validitySeconds * 1000L)));
}
return new DefaultOAuth2RefreshToken(value);
}
private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken) {
DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
int validitySeconds = getAccessTokenValiditySeconds(authentication.getOAuth2Request());
if (validitySeconds > 0) {
token.setExpiration(new Date(System.currentTimeMillis() + (validitySeconds * 1000L)));
}
token.setRefreshToken(refreshToken);
token.setScope(authentication.getOAuth2Request().getScope());
return accessTokenEnhancer != null ? accessTokenEnhancer.enhance(token, authentication) : token;
}
@Override
public void setTokenStore(TokenStore tokenStore) {
super.setTokenStore(tokenStore);
this.tokenStore = tokenStore;
}
@Override
public void setTokenEnhancer(TokenEnhancer accessTokenEnhancer) {
super.setTokenEnhancer(accessTokenEnhancer);
this.accessTokenEnhancer = accessTokenEnhancer;
}
2、修改AuthServerConfig中的defaultTokenServices方法
public DefaultTokenServices defaultTokenServices(){
// DefaultTokenServices services = new DefaultTokenServices();
//新建一个TokenService继承并重写DefaultTokenServices中的方法,保证每次登录都会删除原来的token,达到一个账户不允许多端登录的效果
TokenService services = new TokenService();
//设置令牌2个小时过期,单位:秒
System.out.println("设置令牌过期时间:"+accessTokenValidity+"秒");
services.setAccessTokenValiditySeconds(accessTokenValidity == null ? 60*60*2:accessTokenValidity);
//设置刷新token的过期时间,单位:秒
System.out.println("设置刷新token过期时间:"+refreshTokenValidity+"秒");
services.setRefreshTokenValiditySeconds(refreshTokenValidity == null ? 60*60*24*30:refreshTokenValidity);
services.setSupportRefreshToken(true);
services.setReuseRefreshToken(false);
services.setTokenStore(tokenStore());
services.setTokenEnhancer(tokenEnhancer);
return services;
}
参考博客:https://my.oschina.net/giegie/blog/4258857