配置spring-security對redis中session的同步處理,通過sessionRegistry統計在線用戶

問題描述:

登錄用戶的session在redis失效、清除或者用戶退出系統後,系統中的sessionRegistry中session依然存在,並未同步失效

系統架構:

Springboot2 + SpringSecurity + spring-session-data-redis + Redis

1. Redis配置(當然可以只加註解,使用默認配置)
/** redis配置 */
@Configuration
public class RedisConfig extends CachingConfigurerSupport {
    // 自定義緩存key生成策略
    @Override
    @Bean
    public KeyGenerator keyGenerator() {
        return new KeyGenerator() {
            @Override
            public Object generate(Object target, java.lang.reflect.Method method, Object... params) {
                StringBuffer sb = new StringBuffer();
                sb.append(target.getClass().getName());
                sb.append(method.getName());
                for (Object obj : params) {
                    sb.append(obj.toString());
                }
                return sb.toString();
            }
        };
    }

    // 緩存管理器
    @Bean
    public CacheManager cacheManager(RedisConnectionFactory redisConnectionFactory) {
        RedisSerializer<String> redisSerializer = new StringRedisSerializer();
        Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class);

        //反序列化問題
        ObjectMapper om = new ObjectMapper();
        om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
        om.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        jackson2JsonRedisSerializer.setObjectMapper(om);

        // 解決存儲亂碼問題
        RedisCacheConfiguration config = RedisCacheConfiguration.defaultCacheConfig()
                // 緩存過期時間1hours  以application.yml配置文件中的優先級更高
                .entryTtl(Duration.ofHours(1))
                .serializeKeysWith(RedisSerializationContext.SerializationPair.fromSerializer(redisSerializer))
                .serializeValuesWith(RedisSerializationContext.SerializationPair.fromSerializer(jackson2JsonRedisSerializer))
                .disableCachingNullValues();

        RedisCacheManager cacheManager = RedisCacheManager.builder(redisConnectionFactory)
                .cacheDefaults(config)
                .build();
        return cacheManager;
    }
    
    @Bean
    public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory factory) {

        RedisTemplate<String, Object> template = new RedisTemplate<>();

        RedisSerializer<String> redisSerializer = new StringRedisSerializer();

        Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class);
        ObjectMapper om = new ObjectMapper();
        om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
        om.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        jackson2JsonRedisSerializer.setObjectMapper(om);

        template.setConnectionFactory(factory);
        //key序列化方式
        template.setKeySerializer(redisSerializer);
        //value序列化
        template.setValueSerializer(jackson2JsonRedisSerializer);
        //value hashmap序列化
        template.setHashValueSerializer(jackson2JsonRedisSerializer);

        return template;
    }
}

2. WebSecurity的配置 (重點)

@Configuration
@EnableWebSecurity
@Slf4j
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	// 此處只貼出了與sessionRegistry()相關的代碼,其餘配置還請自行在網上搜索。
	
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                 // 無效session跳轉
                 .invalidSessionUrl("/login")
                 .maximumSessions(1)
                 // session過期跳轉
                 .expiredUrl("/login")
                 .sessionRegistry(sessionRegistry());
    }

    /**
     * 解決session失效後 sessionRegistry中session沒有同步失效的問題,啓用併發session控制,首先需要在配置中增加下面監聽器
     * @return
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
    
 	 /**
     * 註冊bean sessionRegistry 
     */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }
}

3. 獲取在線登錄用戶數量的方法

	/**
     * 獲取系統在線用戶數量
     * @return
     */
	public Integer getOnlineUserNum(SessionRegistry sessionRegistry){
        List<String> list = sessionRegistry.getAllPrincipals().stream()
                .filter(u -> !sessionRegistry.getAllSessions(u, false).isEmpty())
                .map(Object::toString)
                .collect(Collectors.toList());
        return list.size();
    }

4. 移除登出用戶的session

import com.cebon.cdjcy.common.config.IApplicationConfig;
import com.cebon.cdjcy.common.util.IPUtils;
import com.cebon.cdjcy.common.utils.restResult.RestResult;
import com.cebon.cdjcy.common.utils.restResult.ResultCode;
import com.cebon.cdjcy.log.domain.SysLog;
import com.cebon.cdjcy.log.service.SysLogService;
import com.cebon.cdjcy.security.utils.ResponseUtils;
import com.cebon.cdjcy.sysconfig.service.SysconfigService;
import com.cebon.cdjcy.user.dto.LoginUserDTO;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;

@Component("securityLogoutSuccessHandler")
@Slf4j
public class SecurityLogoutSuccessHandler implements LogoutSuccessHandler {
	@Autowired
	private IApplicationConfig applicationConfig;
	@Resource
	private SysconfigService sysconfigService;
	@Resource
	private SysLogService sysLogService;
	@Override
	public void onLogoutSuccess(HttpServletRequest request , HttpServletResponse response , Authentication authentication) throws IOException,
            ServletException {

		// 清除登錄的session
		this.removeSesion(request);
		// 記錄登出日誌
        if (null != authentication) {
            this.saveLog(request, authentication);
        }
		log.info("退出成功");
		String originHeader = request.getHeader("Origin");
		ResponseUtils.addResponseHeader(response, applicationConfig.getOrigins(), originHeader);
		RestResult result = new RestResult(ResultCode.SUCCESS.getCode(),"退出成功");
		response.setCharacterEncoding("UTF-8");
		response.setContentType("text/html; charset=UTF-8");
		PrintWriter writer = response.getWriter();
		writer.print(result.toJson());
		writer.flush();
	}

	/**
	 * 移除登錄用戶的session
	 * @param request
	 */
	private void removeSesion(HttpServletRequest request) {
		HttpSession session = request.getSession();
		// 手動讓系統中的session失效 。
		session.invalidate();
	}

	/**
	 * 記錄登出日誌
	 * @param request
	 */
	private void saveLog(HttpServletRequest request, Authentication authentication) {
        LoginUserDTO user = (LoginUserDTO) authentication.getPrincipal();
        SysLog sysLog = new SysLog();
		sysLog.setOperation(6);
		sysLog.setLogUser(user.getId());
		sysLog.setCreateTime(new Date());
		sysLog.setLogIp(IPUtils.getIpAddr(request));
		sysLog.setLogDesc(user.getUsername() + " 退出了系統 ");
		sysLog.setLogMethod(request.getMethod());
		sysLog.setLogType(0);
		sysLogService.saveLog(sysLog);
	}
}

最後附上源碼鏈接吧,GitHub源碼地址
歡迎各位老鐵star

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章