英文:
Not able to prevent multiple concurrent login from the same user in spring security with spring boot
问题
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser(username).password(password).roles("OPERATIONAL");
auth.inMemoryAuthentication().withUser(sysUsername).password(sysPassword).roles("OPERATIONAL");
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/initialPage").and().ignoring().antMatchers("/WEB-INF/**").and().ignoring()
.antMatchers("/sp/processRequest").antMatchers("/WEB-INF/**").and().ignoring()
.antMatchers("/sp/rest/getChannelCodeOnMID").antMatchers("/createRazorpayOrder").and().ignoring()
.antMatchers("/createRazorpayOrder").antMatchers("/sp/rest/getNonPreferredEntities").and().ignoring()
.antMatchers("/sp/rest/getNonPreferredEntities").antMatchers("/sp/rest/getChargesDetailsOnChannel")
.and().ignoring().antMatchers("/sp/rest/getChargesDetailsOnChannel").antMatchers("/paymentResponse")
.and().ignoring().antMatchers("/paymentResponse").antMatchers("/RedirectpaymentResponse").and()
.ignoring().antMatchers("/RedirectpaymentResponse").and().ignoring().antMatchers("/testMerchantPage")
.and().ignoring().antMatchers("/sp/rest/generateChecksum").and().ignoring().antMatchers("/pushResponse")
.and().ignoring().antMatchers("/sp/rest/getServiceDetails")
.and().ignoring().antMatchers("/errorPage")
.and().ignoring().antMatchers("/getResponse")
.and().ignoring().antMatchers("/css/**")
.and().ignoring().antMatchers("/js/**")
.and().ignoring().antMatchers("/img/qrcode/**")
.and().ignoring().antMatchers("/sp/rest/getCancelRequest")
.and().ignoring().antMatchers("/sp/rest/checkTxnStatusOnOrderId")
.and().ignoring().antMatchers("/pushResponse")
.and().ignoring().antMatchers("/paymentStatusApi");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("**/login")).and().authorizeRequests().antMatchers("**/api/v1/getPricingDtls").permitAll()
.antMatchers("/merchantCreationOrView").hasRole("OPERATIONAL").and().authorizeRequests()
.antMatchers("/merchantCreation").hasRole("OPERATIONAL")
.antMatchers("/merchantView").hasRole("OPERATIONAL")
.antMatchers("/merchantRenderedView").hasRole("OPERATIONAL")
.antMatchers("/viewMerchantDetails").hasRole("OPERATIONAL")
.antMatchers("/saveMerchantDetails").hasRole("OPERATIONAL")
.antMatchers("/download").hasRole("OPERATIONAL")
.antMatchers("/downloadSettlement").hasRole("OPERATIONAL")
.and().formLogin().loginPage("/login").
defaultSuccessUrl("/merchantCreationOrView",true).failureUrl("/login?error").permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.maximumSessions(1)
.maxSessionsPreventsLogin(true).
sessionRegistry(sessionRegistry())
;
}
@Bean
SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
@Bean
public static ServletListenerRegistrationBean httpSessionEventPublisher() {
return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
}
@Bean
public CustomBasicAuthenticationEntryPoint getBasicAuthenticationEntryPoint() {
return new CustomBasicAuthenticationEntryPoint();
}
}
英文:
**
Here I have edited my code as to see that i'm currently using in memory authentication for this purpose
Here is my Security configuration file, What I want to achieve is for one user to not have concurrent sessions.
With this code I can login with same user on multiple tabs.
Eventhough the user has an active session
Can anyone help me with this.I'm a newbie at Spring security
Thanks in Advance**
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser(username).password(password).roles("OPERATIONAL");
auth.inMemoryAuthentication().withUser(sysUsername).password(sysPassword).roles("OPERATIONAL");
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/initialPage").and().ignoring().antMatchers("/WEB-INF/**").and().ignoring()
.antMatchers("/sp/processRequest").antMatchers("/WEB-INF/**").and().ignoring()
.antMatchers("/sp/rest/getChannelCodeOnMID").antMatchers("/createRazorpayOrder").and().ignoring()
.antMatchers("/createRazorpayOrder").antMatchers("/sp/rest/getNonPreferredEntities").and().ignoring()
.antMatchers("/sp/rest/getNonPreferredEntities").antMatchers("/sp/rest/getChargesDetailsOnChannel")
.and().ignoring().antMatchers("/sp/rest/getChargesDetailsOnChannel").antMatchers("/paymentResponse")
.and().ignoring().antMatchers("/paymentResponse").antMatchers("/RedirectpaymentResponse").and()
.ignoring().antMatchers("/RedirectpaymentResponse").and().ignoring().antMatchers("/testMerchantPage")
.and().ignoring().antMatchers("/sp/rest/generateChecksum").and().ignoring().antMatchers("/pushResponse")
.and().ignoring().antMatchers("/sp/rest/getServiceDetails")
.and().ignoring().antMatchers("/errorPage")
.and().ignoring().antMatchers("/getResponse")
.and().ignoring().antMatchers("/css/**")
.and().ignoring().antMatchers("/js/**")
.and().ignoring().antMatchers("/img/qrcode/**")
.and().ignoring().antMatchers("/sp/rest/getCancelRequest")
.and().ignoring().antMatchers("/sp/rest/checkTxnStatusOnOrderId")
.and().ignoring().antMatchers("/pushResponse")
.and().ignoring().antMatchers("/paymentStatusApi");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("**/login")).and().authorizeRequests().antMatchers("**/api/v1/getPricingDtls").permitAll()
.antMatchers("/merchantCreationOrView").hasRole("OPERATIONAL").and().authorizeRequests()
.antMatchers("/merchantCreation").hasRole("OPERATIONAL")
.antMatchers("/merchantView").hasRole("OPERATIONAL")
.antMatchers("/merchantRenderedView").hasRole("OPERATIONAL")
.antMatchers("/viewMerchantDetails").hasRole("OPERATIONAL")
.antMatchers("/saveMerchantDetails").hasRole("OPERATIONAL")
.antMatchers("/download").hasRole("OPERATIONAL")
.antMatchers("/downloadSettlement").hasRole("OPERATIONAL")
.and().formLogin().loginPage("/login").
defaultSuccessUrl("/merchantCreationOrView",true).failureUrl("/login?error").permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.maximumSessions(1)
.maxSessionsPreventsLogin(true).
sessionRegistry(sessionRegistry())
;
}
@Bean
SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
@Bean
public static ServletListenerRegistrationBean httpSessionEventPublisher() { //(5)
return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
}
@Bean
public CustomBasicAuthenticationEntryPoint getBasicAuthenticationEntryPoint() {
return new CustomBasicAuthenticationEntryPoint();
}
}
答案1
得分: 0
以下是翻译好的部分:
简单的检查可以帮助您在这里达到类似的问题。
最有可能的是,您没有在您的登录的User类中实现/覆盖正确的hashCode和equals方法。
您需要像这样做,取决于您如何在逻辑上确定所谓的“相同”用户:
public class User implements UserDetails, Serializable {
private static final long serialVersionUID = 1L;
// ...
@Override
public boolean equals(Object obj) {
if (obj instanceof User) {
return username.equals(((User) obj).getUsername());
}
return false;
}
@Override
public int hashCode() {
return username != null ? username.hashCode() : 0;
}
}
英文:
Simple check can help you reach similar question here.
Most likely you didn't implement/override correct hashCode and equals methods in your logined User class.
You have to do something like this, depend how logically you determine the so-called "same" user:
public class User implements UserDetails, Serializable {
private static final long serialVersionUID = 1L;
// ...
@Override
public boolean equals(Object obj) {
if (obj instanceof User) {
return username.equals( ((User) obj).getUsername() );
}
return false;
}
@Override
public int hashCode() {
return username != null ? username.hashCode() : 0;
}
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论