[SpringSecurity6] 自己扩展的 UsernamePasswordAuthenticationFilter 该怎样配置并发会话控制？

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

已注册用户请登录

这是一个创建于 414 天前的主题，其中的信息可能已经有所发展或是发生改变。

自己扩展的 UsernamePasswordAuthenticationFilter 该怎样配置并发会话控制？

自己谷歌了半天，应该是需要为自定义的 Filter 配置 SessionAuthenticationStrategy ，请老哥们帮我看看，是我哪里配的不对吗？

public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        return super.attemptAuthentication(request, response);
    }
}

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    @Bean
    public SecurityContextRepository securityContextRepository() {
        return new DelegatingSecurityContextRepository(
                new HttpSessionSecurityContextRepository(),
                new RequestAttributeSecurityContextRepository()
        );
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public SessionAuthenticationStrategy authStrategy(SessionRegistry sessionRegistry) {
        List<SessionAuthenticationStrategy> delegateStrategies = new ArrayList<>();

        ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlAuthenticationStrategy =
                new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
        concurrentSessionControlAuthenticationStrategy.setMaximumSessions(1); // maximumSessions

        delegateStrategies.add(concurrentSessionControlAuthenticationStrategy);
        return new CompositeSessionAuthenticationStrategy(delegateStrategies);
    }

    @Bean
    MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter(
            AuthenticationManager authenticationManager,
            SecurityContextRepository securityContextRepository) {
        MyUsernamePasswordAuthenticationFilter filter = new MyUsernamePasswordAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager);
        filter.setSecurityContextRepository(securityContextRepository);
        return filter;
    }

    @Bean
    public SecurityFilterChain filterChain(
            HttpSecurity http,
            MyUsernamePasswordAuthenticationFilter myUsernamePasswordAuthenticationFilter,
            SecurityContextRepository securityContextRepository
    ) throws Exception {
        http.authorizeHttpRequests()
                .anyRequest().authenticated();
        http.sessionManagement().maximumSessions(1); // maximumSessions
        http.formLogin();
        http.addFilterAt(myUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }

}

2 条回复 • 2023-03-08 12:30:59 +08:00

yodhcn

2023-03-08 01:15:36 +08:00

找到配置方法了需要在 Configurer 里配置，才能拿到 SessionAuthenticationStrategy sessionAuthenticationStrategy = http
.getSharedObject(SessionAuthenticationStrategy.class);

https://stackoverflow.com/questions/65182973/not-able-to-implement-session-limiting-in-spring-security-with-custom-filter

mmdsun

2023-03-08 12:30:59 +08:00 via iPhone

filter 有个 setSessionAuthenticationStrategy ，我是直接用这个 set 进去的登录并发控制策略。