【问题标题】:spring security, how to expire all sessions of a userspring security,如何使用户的所有会话过期
【发布时间】:2016-02-08 18:21:38
【问题描述】:

我必须解决以下场景,在 Spring Security 3.2.5-RELEASESpring Core 4.1.2-RELEASE 应用程序中,在 Wildfly 8.1 上运行 Java 1.7。

  1. 用户“bob”登录
  2. 并且管理员删除了“bob”
  3. 如果“bob”退出,他将无法再次登录,但他的当前会话仍处于活动状态。
  4. 我想把“鲍勃”踢出去

    //this doesn't work
    for (final SessionInformation session :    sessionRegistry.getAllSessions(user, true)) {
             session.expireNow();
    }
    

【问题讨论】:

    标签: spring spring-security weakhashmap


    【解决方案1】:
    1. 添加应用程序事件监听器来跟踪HttpSessionCreatedEventHttpSessionDestroyedEvent并将其注册为ApplicationListener,并为HttoSession维护一个SessionId的缓存。
    2. (可选)添加您自己的 ApplicationEvent 类AskToExpireSessionEvent -
    3. 在您的用户管理服务中添加对SessionRegistryApplicationEventPublisher 的依赖项,以便您可以列出当前活动的用户会话并找到对您正在寻找的用户有效的那些(因为可能有很多)即“鲍勃”
    4. 删除用户时,会为他的每个会话发送一个AskToExpireSessionEvent
    5. 使用弱引用 HashMap 来跟踪会话

    用户服务:

         @Service
         public class UserServiceImpl implements UserService {
    
          /** {@link SessionRegistry} does not exists in unit tests */
          @Autowired(required = false)
          private Set<SessionRegistry> sessionRegistries;
    
    
          @Autowired
          private ApplicationEventPublisher publisher;
    
    
         /**
          * destroys all active sessions.
          * @return <code>true</code> if any session was invalidated^
          * @throws IllegalArgumentException
          */
          @Override
          public boolean invalidateUserByUserName(final String userName) {
                  if(null == StringUtils.trimToNull(userName)) {
                          throw new IllegalArgumentException("userName must not be null or empty");
                  }
                  boolean expieredAtLeastOneSession = false;
                  for (final SessionRegistry sessionRegistry : safe(sessionRegistries)) {
                          findPrincipal: for (final Object principal : sessionRegistry.getAllPrincipals()) {
                                  if(principal instanceof IAuthenticatedUser) {
                                          final IAuthenticatedUser user = (IAuthenticatedUser) principal;
                                          if(userName.equals(user.getUsername())) {
                                                  for (final SessionInformation session : sessionRegistry.getAllSessions(user, true)) {
                                                          session.expireNow();
                                                          sessionRegistry.removeSessionInformation(session.getSessionId());
                                                          publisher.publishEvent(AskToExpireSessionEvent.of(session.getSessionId()));
                                                          expieredAtLeastOneSession = true;
                                                  }
                                                  break findPrincipal;
                                          }
                                  } else {
                                          logger.warn("encountered a session for a none user object {} while invalidating '{}' " , principal, userName);
                                  }
                          }
                  }
                  return expieredAtLeastOneSession;
          }
    
         }
    

    应用事件:

         import org.springframework.context.ApplicationEvent;
    
         public class AskToExpireSessionEvent extends ApplicationEvent {
    
                 private static final long serialVersionUID = -1915691753338712193L;
    
                 public AskToExpireSessionEvent(final Object source) {
                         super(source);
                 }
    
                 @Override
                 public String getSource() {
                         return (String)super.getSource();
                 }
    
    
                 public static AskToExpireSessionEvent of(final String sessionId) {
                         return new AskToExpireSessionEvent(sessionId);
                 }
         }
    

    http 会话缓存监听器:

         import java.util.Map;
         import java.util.WeakHashMap;
    
         import javax.servlet.http.HttpSession;
    
         import org.slf4j.Logger;
         import org.slf4j.LoggerFactory;
         import org.springframework.beans.factory.annotation.Autowired;
         import org.springframework.context.ApplicationListener;
         import org.springframework.security.web.session.HttpSessionCreatedEvent;
         import org.springframework.security.web.session.HttpSessionDestroyedEvent;
         import org.springframework.stereotype.Component;
    
         import com.cb4.base.service.event.AskToExpireSessionEvent;
    
    
         @Component
         public class HttpSessionCachingListener {
    
                 private static final Logger logger = LoggerFactory.getLogger(HttpSessionCachingListener.class);
    
                 private final Map<String, HttpSession> sessionCache = new WeakHashMap<>();
    
                 void onHttpSessionCreatedEvent(final HttpSessionCreatedEvent event){
                         if (event != null && event.getSession() != null && event.getSession().getId() != null) {
                                 sessionCache.put(event.getSession().getId(), event.getSession());
                         }
                 }
    
                 void onHttpSessionDestroyedEvent(final HttpSessionDestroyedEvent event){
                         if (event != null && event.getSession() != null && event.getSession().getId() != null){
                                 sessionCache.remove(event.getSession().getId());
                         }
                 }
    
                 public void timeOutSession(final String sessionId){
                         if(sessionId != null){
                                 final HttpSession httpSession = sessionCache.get(sessionId);
                                 if(null != httpSession){
                                         logger.debug("invalidating session {} in 1 second", sessionId);
                                         httpSession.setMaxInactiveInterval(1);
                                 }
                         }
                 }
    
                 @Component
                 static class HttpSessionCreatedLisener implements ApplicationListener<HttpSessionCreatedEvent> {
    
                         @Autowired
                         HttpSessionCachingListener parent;
    
                         @Override
                         public void onApplicationEvent(final HttpSessionCreatedEvent event) {
                                 parent.onHttpSessionCreatedEvent(event);
                         }
                 }
    
                 @Component
                 static class HttpSessionDestroyedLisener implements ApplicationListener<HttpSessionDestroyedEvent> {
    
                         @Autowired
                         HttpSessionCachingListener parent;
    
                         @Override
                         public void onApplicationEvent(final HttpSessionDestroyedEvent event) {
                                 parent.onHttpSessionDestroyedEvent(event);
                         }
                 }
    
                 @Component
                 static class AskToTimeOutSessionLisener implements ApplicationListener<AskToExpireSessionEvent> {
    
                         @Autowired
                         HttpSessionCachingListener parent;
    
                         @Override
                         public void onApplicationEvent(final AskToExpireSessionEvent event) {
                                 if(event != null){
                                         parent.timeOutSession(event.getSource());
                                 }
                         }
                 }
    
         }
    

    【讨论】:

    • 能否分享一下IAuthenticatedUser,请问IAuthenticatedUser是什么?
    【解决方案2】:

    使用 java config 在您的扩展类中添加以下代码 WebSecurityConfigurerAdapter

          @Bean
    public SessionRegistry sessionRegistry( ) {
        SessionRegistry sessionRegistry = new SessionRegistryImpl( );
        return sessionRegistry;
    }
    
    @Bean
    public RegisterSessionAuthenticationStrategy registerSessionAuthStr( ) {
        return new RegisterSessionAuthenticationStrategy( sessionRegistry( ) );
    }
    

    并在您的 configure( HttpSecurity http ) 方法中添加以下内容:

        http.sessionManagement( ).maximumSessions( -1 ).sessionRegistry( sessionRegistry( ) );
        http.sessionManagement( ).sessionFixation( ).migrateSession( )
                .sessionAuthenticationStrategy( registerSessionAuthStr( ) );
    

    另外,在您的自定义身份验证 bean 中设置 registerSessionAuthenticationStratergy,如下所示:

        usernamePasswordAuthenticationFilter
                .setSessionAuthenticationStrategy( registerSessionAuthStr( ) );
    

    注意:在自定义身份验证 bean 中设置 registerSessionAuthenticationStratergy 会导致填充主体列表,因此当您尝试从 sessionRegistry (sessionRegistry.getAllPrinicpals() ),列表不为空。

    【讨论】:

      猜你喜欢
      • 2011-11-06
      • 2011-03-21
      • 2015-12-19
      • 1970-01-01
      • 2017-06-07
      • 2017-12-09
      • 2019-09-13
      • 1970-01-01
      • 2016-03-03
      相关资源
      最近更新 更多