用户只能单设备登录

有时候在同一个系统中，只允许一个用户在一个设备登录。

之前的登陆者被顶掉

将最大会话数设置为1就可以保证用户只能同时在一个设备上登录

java">@Override
protected void configure(HttpSecurity http) throws Exception {http..anyRequest().authenticated() // 其他需要认证.and().csrf().disable() // 关闭csrf跨站请求伪造防护// 设置一个用户只能在一个设备上登录 设置最大会话数.sessionManagement().maximumSessions(1);}

不允许后来者登录

java">@Override
protected void configure(HttpSecurity http) throws Exception {http..anyRequest().authenticated() // 其他需要认证.and().csrf().disable() // 关闭csrf跨站请求伪造防护// 设置一个用户只能在一个设备上登录 设置最大会话数.sessionManagement().maximumSessions(1).maxSessionsPreventsLogin(true) // 禁止后来者登录;}

源码解读

ConcurrentSessionControlAuthenticationStrategy类

java">public void onAuthentication(Authentication authentication,HttpServletRequest request, HttpServletResponse response) {// 获取当前用户的所有sessionfinal List<SessionInformation> sessions = sessionRegistry.getAllSessions(authentication.getPrincipal(), false);int sessionCount = sessions.size();// 同时允许几个session存在int allowedSessions = getMaximumSessionsForThisUser(authentication);
// 当前登录的数量小于允许的数量if (sessionCount < allowedSessions) {// They haven't got too many login sessions running at presentreturn;}
// 不进行限制if (allowedSessions == -1) {// We permit unlimited loginsreturn;}
// 已经达到允许数量了if (sessionCount == allowedSessions) {// 当前session 是否为nullHttpSession session = request.getSession(false);if (session != null) { // 不为null则判断一下是否有与当前session同一个sessionId的// Only permit it though if this request is associated with one of the// already registered sessionsfor (SessionInformation si : sessions) {if (si.getSessionId().equals(session.getId())) {return;}}}// If the session is null, a new one will be created by the parent class,// exceeding the allowed number}// 这里说明session已超过限制数量了allowableSessionsExceeded(sessions, allowedSessions, sessionRegistry);
}protected void allowableSessionsExceeded(List<SessionInformation> sessions,int allowableSessions, SessionRegistry registry)throws SessionAuthenticationException {// exceptionIfMaximumExceeded该值就是配置的maxSessionsPreventsLoginif (exceptionIfMaximumExceeded || (sessions == null)) {throw new SessionAuthenticationException(messages.getMessage("ConcurrentSessionControlAuthenticationStrategy.exceededAllowed",new Object[] { Integer.valueOf(allowableSessions) },"Maximum sessions of {0} for this principal exceeded"));}// Determine least recently used session, and mark it for invalidationSessionInformation leastRecentlyUsed = null;for (SessionInformation session : sessions) {if ((leastRecentlyUsed == null)|| session.getLastRequest().before(leastRecentlyUsed.getLastRequest())) {leastRecentlyUsed = session;}}leastRecentlyUsed.expireNow();}

https://zhhll.icu/2023/框架/springSecurity/6.用户只能单设备登录/