I have a requirement to enable concurrent session validation when login a user. I have to log off the existing users and let the new one login.
I have a custom AuthenticationSuccessHandler
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler{
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
public static final String LOGIN_CONTEXT = "/login";
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
HttpSession session = request.getSession(true);
CurrentUser currentUser = (CurrentUser) authentication.getPrincipal();
session.setAttribute("userInfo", currentUser.getUserInfo());
redirectStrategy.sendRedirect(request, response, currentUser.getUserInfo().getDefaultUrl()!=null && !currentUser.getUserInfo().getDefaultUrl().isEmpty() ? currentUser.getUserInfo().getDefaultUrl() : "/");
}}
And WebSecurityCofnig
is as below.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
public static final String LOGIN_CONTEXT = "/login";
@Autowired
private CustomAuthenticationProvider authProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider);
}
@Bean
public AuthenticationSuccessHandler authenticationSuccessHandler() {
return new CustomAuthenticationSuccessHandler();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().configurationSource(corsConfigurationSource()).and().csrf().disable().formLogin()
.loginPage(LOGIN_CONTEXT).failureUrl(LOGIN_CONTEXT + "?login_error=true")
.successHandler(authenticationSuccessHandler()).loginProcessingUrl(LOGIN_CONTEXT).and()
.authorizeRequests().antMatchers(LOGIN_CONTEXT, "/assets/**", "/vendor/**", "/scripts/**").permitAll()
.anyRequest().authenticated().and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true)
.logoutSuccessUrl(LOGIN_CONTEXT).logoutUrl("/logout");
http.sessionManagement().maximumSessions(1).sessionRegistry(sessionRegistry());
http.headers().frameOptions().disable();
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("*"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
configuration.setAllowCredentials(true);
// the below three lines will add the relevant CORS response headers
configuration.addAllowedOrigin("*");
configuration.addAllowedHeader("*");
configuration.addAllowedMethod("*");
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
return new HttpSessionEventPublisher();
}
}
I have tried to achieve this by http.sessionManagement().maximumSessions(1)
. But It's not working as expected. I have also followed this article, But Couldn't made it work. Am I missing something here?
question from:
https://stackoverflow.com/questions/65868731/concurrent-session-handling-with-spring-mvc-4-and-spring-security-not-working 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…