[SpringSecurity6] 自己扩展的 UsernamePasswordAuthenticationFilter 该怎样配置并发会话控制？

This topic created in 1163 days ago, the information mentioned may be changed or developed.

自己扩展的 UsernamePasswordAuthenticationFilter 该怎样配置并发会话控制？

自己谷歌了半天，应该是需要为自定义的 Filter 配置 SessionAuthenticationStrategy ，请老哥们帮我看看，是我哪里配的不对吗？

public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter { @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { return super.attemptAuthentication(request, response); } }

@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public HttpSessionEventPublisher httpSessionEventPublisher() { return new HttpSessionEventPublisher(); } @Bean public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception { return authenticationConfiguration.getAuthenticationManager(); } @Bean public SecurityContextRepository securityContextRepository() { return new DelegatingSecurityContextRepository( new HttpSessionSecurityContextRepository(), new RequestAttributeSecurityContextRepository() ); } @Bean public SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); } @Bean public SessionAuthenticationStrategy authStrategy(SessionRegistry sessionRegistry) { List<SessionAuthenticationStrategy> delegateStrategies = new ArrayList<>(); ConcurrentSessionControlAuthenticationStrategy cOncurrentSessionControlAuthenticationStrategy= new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry); concurrentSessionControlAuthenticationStrategy.setMaximumSessions(1); // maximumSessions delegateStrategies.add(concurrentSessionControlAuthenticationStrategy); return new CompositeSessionAuthenticationStrategy(delegateStrategies); } @Bean MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter( AuthenticationManager authenticationManager, SecurityContextRepository securityContextRepository) { MyUsernamePasswordAuthenticationFilter filter = new MyUsernamePasswordAuthenticationFilter(); filter.setAuthenticationManager(authenticationManager); filter.setSecurityContextRepository(securityContextRepository); return filter; } @Bean public SecurityFilterChain filterChain( HttpSecurity http, MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter, SecurityContextRepository securityContextRepository ) throws Exception { http.authorizeHttpRequests() .anyRequest().authenticated(); http.sessionManagement().maximumSessions(1); // maximumSessions http.formLogin(); http.addFilterAt(myUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); return http.build(); } @Bean public UserDetailsService userDetailsService() { UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER") .build(); return new InMemoryUserDetailsManager(user); } }

2 replies 2023-03-08 12:30:59 +08:00

yodhcn

Mar 8, 2023

找到配置方法了需要在 Configurer 里配置，才能拿到 SessionAuthenticationStrategy sessiOnAuthenticationStrategy= http
.getSharedObject(SessionAuthenticationStrategy.class);

https://stackoverflow.com/questions/65182973/not-able-to-implement-session-limiting-in-spring-security-with-custom-filter

mmdsun

Mar 8, 2023 via iPhone

filter 有个 setSessionAuthenticationStrategy ，我是直接用这个 set 进去的登录并发控制策略。