Spring Security: prevent multiple logins

y53ybaqx, posted on 2021-07-22 in Java
Follow (0) | Answers (1) | Views (349)

I am creating a REST API and I want to stop the same user from logging in to the Spring Boot application more than once. My configuration is as follows:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable()
        .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
        .authorizeRequests().antMatchers("/api/auth/**").permitAll()
        // Everything under /api/** is open, so anyRequest().authenticated() only
        // covers paths outside /api.
        .antMatchers("/api/**").permitAll()
        .anyRequest().authenticated()
        .and().httpBasic()
        // maximumSessions only applies to HttpSession-based logins that pass through the
        // security filter chain; it has no effect on the JWT filter below or on an
        // authenticationManager.authenticate() call made inside a controller.
        .and().sessionManagement()
        .maximumSessions(1);

    http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}

Also, if the user is already logged in, how do I send a response to the frontend? Currently I can log in to the application from several tabs of the same browser. I want to disable this.
This is my controller:

@PostMapping("/signin")
public ResponseEntity<?> authenticateUser(@Valid @RequestBody LoginRequest loginRequest) {
    try {
        Optional<User> _user = userRepository.findByUsername(loginRequest.getUsername());

        // Unknown username: answer exactly as for a wrong password instead of letting
        // Optional.get() throw and fall into the catch-all below.
        if (!_user.isPresent()) {
            return ResponseEntity.badRequest().body(new MessageResponse("Bad credentials"));
        }

        // Note: the "inactive" and "password reset" answers are sent before the password
        // is checked, so anyone can probe an account's state without knowing its password.
        if (_user.get().isActive()) {
            if (_user.get().isPasswordReset()) {
                return ResponseEntity
                        .badRequest()
                        .body(new MessageResponse("Password Reset Required"));
            } else {
                // Authenticating here runs after the security filter chain has finished,
                // so maximumSessions(1) from the configuration is never consulted.
                Authentication authentication = authenticationManager.authenticate(
                        new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));

                SecurityContextHolder.getContext().setAuthentication(authentication);
                String jwt = jwtUtils.generateJWTToken(authentication);

                UserDetailsImpl userDetails = (UserDetailsImpl) authentication.getPrincipal();
                List<String> roles = userDetails.getAuthorities().stream()
                        .map(item -> item.getAuthority())
                        .collect(Collectors.toList());

                return ResponseEntity.ok(new JwtResponse(jwt, userDetails.getId(),
                        userDetails.getUsername(),
                        userDetails.getEmail(), roles,
                        userDetails.getCompany().getId()));
            }
        } else {
            return ResponseEntity
                    .badRequest()
                    .body(new MessageResponse("Current user is inactive! Please contact support team"));
        }

    } catch (Exception e) {
        // Catch-all: a BadCredentialsException and any unexpected error both end up here
        // and are reported to the client as "Bad credentials".
        return ResponseEntity
                .badRequest()
                .body(new MessageResponse("Bad credentials"));
    }
}

y1aodyip1#

It is not limited to a single user; it controls the maximum number of sessions for every user:

sessionManagement()
    .maximumSessions(1)
    .maxSessionsPreventsLogin(true);

Reference: https://docs.spring.io/spring-security/site/docs/4.2.7.RELEASE/apidocs/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.html
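A complete version of that configuration, added here as an example; it is not code from the question or the answer. It also covers the reason the asker's setup never rejects a second login: maximumSessions is enforced by the SessionManagementFilter (and by the form-login filter) while the request is passing through the filter chain, but an authenticationManager.authenticate() call inside a controller runs after that filter has already finished, so the concurrency check never sees the new login. The example therefore builds the same strategy the filter uses and calls it explicitly from the sign-in controller. Assumptions: Spring Security 5.x with WebSecurityConfigurerAdapter (as in the question), a LoginRequest DTO with getUsername()/getPassword() (a stand-in class is included), and a UserDetails implementation whose equals()/hashCode() are based on the username, because SessionRegistryImpl keys its entries by principal.

```java
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.*;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.bind.annotation.*;

@Configuration
@EnableWebSecurity
public class SingleSessionSecurityConfig extends WebSecurityConfigurerAdapter {

    // One registry shared by the filter chain and the controller. SessionRegistryImpl keys
    // entries by principal, so the UserDetails class must implement equals()/hashCode().
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Relays HttpSession-destroyed events (logout, timeout) to the registry; without it a
    // user who logged out still counts as logged in until the registry entry expires.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // The same check SessionManagementFilter performs: reject if the principal already has a
    // live session, otherwise register the new one. Exposed for the controller-side login.
    @Bean
    public SessionAuthenticationStrategy singleSessionStrategy() {
        ConcurrentSessionControlAuthenticationStrategy control =
                new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry());
        control.setMaximumSessions(1);
        control.setExceptionIfMaximumExceeded(true); // what maxSessionsPreventsLogin(true) sets
        return new CompositeSessionAuthenticationStrategy(Arrays.<SessionAuthenticationStrategy>asList(
                control, new RegisterSessionAuthenticationStrategy(sessionRegistry())));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // kept as in the question; with cookie sessions consider leaving it on
            .authorizeRequests()
                .antMatchers("/api/auth/**").permitAll()
                .anyRequest().authenticated()
            .and().httpBasic()
            // Concurrency control needs a server-side session: do not set STATELESS here.
            .and().sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry());
    }
}

@RestController
class SigninController {
    private final AuthenticationManager authenticationManager;
    private final SessionAuthenticationStrategy singleSessionStrategy;

    SigninController(AuthenticationManager authenticationManager,
                     SessionAuthenticationStrategy singleSessionStrategy) {
        this.authenticationManager = authenticationManager;
        this.singleSessionStrategy = singleSessionStrategy;
    }

    @PostMapping("/api/auth/signin")
    public ResponseEntity<String> signin(@RequestBody LoginRequest login,
                                         HttpServletRequest request, HttpServletResponse response) {
        Authentication auth;
        try {
            auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(login.getUsername(), login.getPassword()));
        } catch (AuthenticationException e) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Bad credentials");
        }
        try {
            // Concurrency check plus registration of this session. The filter chain cannot do
            // it for us: SessionManagementFilter already ran before this controller.
            singleSessionStrategy.onAuthentication(auth, request, response);
        } catch (SessionAuthenticationException e) {
            return ResponseEntity.status(HttpStatus.CONFLICT).body("User already logged in");
        }
        SecurityContextHolder.getContext().setAuthentication(auth);
        return ResponseEntity.ok("Logged in");
    }

    // Stand-in for the question's LoginRequest DTO (field names assumed).
    static class LoginRequest {
        private String username, password;
        public String getUsername() { return username; }
        public String getPassword() { return password; }
    }
}
```

Two caveats for the question as asked. Tabs of the same browser share the session cookie, so they are one session to the registry: this rejects a second browser or device, not a second tab. And the registry only knows about HttpSessions; the JWT filter in the question authenticates bearer requests without any session, so in a JWT flow the check only bites at the sign-in endpoint, before the token is issued.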
