我必须解决以下场景,在 Spring Security3.2.5-RELEASE中,Spring Core 4.1.2-RELEASE应用程序在 Wildfly 8.1 上运行 Java 1.7。
我想把“鲍勃”踢出去
//this doesn't work
for (final SessionInformation session : sessionRegistry.getAllSessions(user, true)) {
session.expireNow();
}
HttpSessionCreatedEvent并将HttpSessionDestroyedEvent其注册为ApplicationListener并维护 SessionId 到 HttoSession 的缓存。AskToExpireSessionEvent-SessionRegistry,ApplicationEventPublisher以便您可以列出当前活动的用户会话并找到对您正在寻找的用户有效的会话(因为可能有很多),即“bob”AskToExpireSessionEvent为他的每个会话发送一个。用户服务:
@Service
public class UserServiceImpl implements UserService {
/** {@link SessionRegistry} does not exists in unit tests */
@Autowired(required = false)
private Set<SessionRegistry> sessionRegistries;
@Autowired
private ApplicationEventPublisher publisher;
/**
* destroys all active sessions.
* @return <code>true</code> if any session was invalidated^
* @throws IllegalArgumentException
*/
@Override
public boolean invalidateUserByUserName(final String userName) {
if(null == StringUtils.trimToNull(userName)) {
throw new IllegalArgumentException("userName must not be null or empty");
}
boolean expieredAtLeastOneSession = false;
for (final SessionRegistry sessionRegistry : safe(sessionRegistries)) {
findPrincipal: for (final Object principal : sessionRegistry.getAllPrincipals()) {
if(principal instanceof IAuthenticatedUser) {
final IAuthenticatedUser user = (IAuthenticatedUser) principal;
if(userName.equals(user.getUsername())) {
for (final SessionInformation session : sessionRegistry.getAllSessions(user, true)) {
session.expireNow();
sessionRegistry.removeSessionInformation(session.getSessionId());
publisher.publishEvent(AskToExpireSessionEvent.of(session.getSessionId()));
expieredAtLeastOneSession = true;
}
break findPrincipal;
}
} else {
logger.warn("encountered a session for a none user object {} while invalidating '{}' " , principal, userName);
}
}
}
return expieredAtLeastOneSession;
}
}
申请事件:
import org.springframework.context.ApplicationEvent;
public class AskToExpireSessionEvent extends ApplicationEvent {
private static final long serialVersionUID = -1915691753338712193L;
public AskToExpireSessionEvent(final Object source) {
super(source);
}
@Override
public String getSource() {
return (String)super.getSource();
}
public static AskToExpireSessionEvent of(final String sessionId) {
return new AskToExpireSessionEvent(sessionId);
}
}
http会话缓存监听器:
import java.util.Map;
import java.util.WeakHashMap;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.web.session.HttpSessionCreatedEvent;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;
import org.springframework.stereotype.Component;
import com.cb4.base.service.event.AskToExpireSessionEvent;
@Component
public class HttpSessionCachingListener {
private static final Logger logger = LoggerFactory.getLogger(HttpSessionCachingListener.class);
private final Map<String, HttpSession> sessionCache = new WeakHashMap<>();
void onHttpSessionCreatedEvent(final HttpSessionCreatedEvent event){
if (event != null && event.getSession() != null && event.getSession().getId() != null) {
sessionCache.put(event.getSession().getId(), event.getSession());
}
}
void onHttpSessionDestroyedEvent(final HttpSessionDestroyedEvent event){
if (event != null && event.getSession() != null && event.getSession().getId() != null){
sessionCache.remove(event.getSession().getId());
}
}
public void timeOutSession(final String sessionId){
if(sessionId != null){
final HttpSession httpSession = sessionCache.get(sessionId);
if(null != httpSession){
logger.debug("invalidating session {} in 1 second", sessionId);
httpSession.setMaxInactiveInterval(1);
}
}
}
@Component
static class HttpSessionCreatedLisener implements ApplicationListener<HttpSessionCreatedEvent> {
@Autowired
HttpSessionCachingListener parent;
@Override
public void onApplicationEvent(final HttpSessionCreatedEvent event) {
parent.onHttpSessionCreatedEvent(event);
}
}
@Component
static class HttpSessionDestroyedLisener implements ApplicationListener<HttpSessionDestroyedEvent> {
@Autowired
HttpSessionCachingListener parent;
@Override
public void onApplicationEvent(final HttpSessionDestroyedEvent event) {
parent.onHttpSessionDestroyedEvent(event);
}
}
@Component
static class AskToTimeOutSessionLisener implements ApplicationListener<AskToExpireSessionEvent> {
@Autowired
HttpSessionCachingListener parent;
@Override
public void onApplicationEvent(final AskToExpireSessionEvent event) {
if(event != null){
parent.timeOutSession(event.getSource());
}
}
}
}
使用 java config 在扩展WebSecurityConfigurerAdapter的类中添加以下代码 :
@Bean
public SessionRegistry sessionRegistry( ) {
SessionRegistry sessionRegistry = new SessionRegistryImpl( );
return sessionRegistry;
}
@Bean
public RegisterSessionAuthenticationStrategy registerSessionAuthStr( ) {
return new RegisterSessionAuthenticationStrategy( sessionRegistry( ) );
}
并在您的configure( HttpSecurity http )方法中添加以下内容:
http.sessionManagement( ).maximumSessions( -1 ).sessionRegistry( sessionRegistry( ) );
http.sessionManagement( ).sessionFixation( ).migrateSession( )
.sessionAuthenticationStrategy( registerSessionAuthStr( ) );
此外,在您的自定义身份验证 bean 中设置registerSessionAuthenticationStratergy,如下所示:
usernamePasswordAuthenticationFilter
.setSessionAuthenticationStrategy( registerSessionAuthStr( ) );
注意:在您的自定义身份验证 bean 中设置registerSessionAuthenticationStratergy会导致填充主体列表,因此当您尝试从 sessionRegistry ( sessionRegistry.getAllPrinicpals() ) 获取所有主体列表时,该列表不为空。