How to check that user has already logged in using Apache Shiro?
The question is very simple. I'd like to restrict user access with the same login from different machines/browsers: only one live user session is possible.
The Apache Shiro library is used for user authentication and management.
Of course, this could be done using simple synchronized maps, etc. But the question is: does Apache Shiro have special mechanisms for that or not?
Another variant of this question: how to receive the list of all subjects who are logged in to the system using Apache Shiro?
UPD:
To clarify my question: my desire is to have some code like this (I know that there isn't such an exception class, but the idea must be clearer):
    Subject currentUser = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken(login, password);
    try {
        currentUser.login(token);
    } catch (AlreadyAuthenticatedException aae) {
        errorMsg = "You should logoff on another machine!";
    }
The Shiro sessions are stored in SessionDAO with sessionId as keys. Without extra effort you cannot access a session by a principal (user name). However, you could extend DefaultSecurityManager and check all active sessions by SessionDAO.getActiveSessions.
The following code could be a simple example (suppose you are not using WebSubject):
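    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.session.Session;
    import org.apache.shiro.session.mgt.DefaultSessionManager;
    import org.apache.shiro.subject.SimplePrincipalCollection;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.subject.support.DefaultSubjectContext;

    // AlreadyAuthenticatedException is the class name from the question, not a Shiro class;
    // the application has to define it, e.g. as a subclass of AuthenticationException.
    public class UniquePrincipalSecurityManager extends org.apache.shiro.mgt.DefaultSecurityManager {
        @Override
        public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
            String loginPrincipal = (String) token.getPrincipal();
            DefaultSessionManager sm = (DefaultSessionManager) getSessionManager();
            // Scan every active session for one that already carries this principal.
            for (Session session : sm.getSessionDAO().getActiveSessions()) {
                SimplePrincipalCollection p = (SimplePrincipalCollection) session
                        .getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
                // p is null for sessions that have not authenticated yet.
                if (p != null && loginPrincipal.equals(p.getPrimaryPrincipal())) {
                    throw new AlreadyAuthenticatedException();
                }
            }
            return super.login(subject, token);
        }
    }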
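An added example, not part of the original answer: the same SessionDAO scan used for the other policy, where the newest login wins and older sessions of that user are removed, so a session abandoned without logout cannot lock the account out until it times out. It also covers the second variant of the question by listing the principals of all active sessions. The names SingleSessionSecurityManager and loggedInPrincipals are hypothetical, and the code assumes a non-web DefaultSecurityManager with a DefaultSessionManager, as in the answer.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;

// Hypothetical class: added example, not code from the original answer or from Shiro.
public class SingleSessionSecurityManager extends DefaultSecurityManager {
    /** Primary principal of every active session that has authenticated. */
    public List<Object> loggedInPrincipals() {
        List<Object> result = new ArrayList<>();
        for (Session s : sessionDAO().getActiveSessions()) {
            PrincipalCollection p = principalsOf(s);
            if (p != null) result.add(p.getPrimaryPrincipal());
        }
        return result;
    }

    @Override
    public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
        // Authenticate first: a failed login attempt must never disturb an existing session.
        Subject loggedIn = super.login(subject, token);
        Object principal = loggedIn.getPrincipal();
        Object currentId = loggedIn.getSession().getId();
        SessionDAO dao = sessionDAO();
        // Iterate over a copy because sessions are deleted from the DAO inside the loop.
        for (Session s : new ArrayList<>(dao.getActiveSessions())) {
            PrincipalCollection p = principalsOf(s);
            if (p != null && principal.equals(p.getPrimaryPrincipal()) && !currentId.equals(s.getId())) {
                dao.delete(s); // the older client's next request finds no session for its id
            }
        }
        return loggedIn;
    }

    private SessionDAO sessionDAO() {
        return ((DefaultSessionManager) getSessionManager()).getSessionDAO();
    }

    // Returns null for sessions that have not authenticated (no principals stored).
    private static PrincipalCollection principalsOf(Session s) {
        return (PrincipalCollection) s.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
    }
}
```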