Spring Max Sessions on Application, NOT Max Sessions for a User on an Application

Problem description

I'm writing a web app using jhipster, and it is using Spring. I was trying to limit the number of times the same user can log in to my application and got that to work in a file named ServerConfiguration.java with this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .and()
        .formLogin()
        .loginProcessingUrl("/api/authentication")
        .successHandler(ajaxAuthenticationSuccessHandler)
        .failureHandler(ajaxAuthenticationFailureHandler)
        .usernameParameter("j_username")
        .passwordParameter("j_password")
        .permitAll()
    // ... (rest of the configuration omitted in the post)
    .and()
        .sessionManagement()
        .maximumSessions(Integer.parseInt(env.getProperty("spring.maxuser.sessions")))
        .maxSessionsPreventsLogin(true);
}


@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
    return new HttpSessionEventPublisher();
}

This makes a particular user only log in so many times into my application.

Now, the question that I have is how do I make my application only be open/accessible for x number of different users. For example, I want my application to only be accessed by 200 users. And when user 201 comes along and wants to log in, then it cannot.

I saw an answer on this other post, "spring limit max sessions ; limit max users", but I do not know where to put this code exactly.

public class MySessionAuthenticationStrategy extends ConcurrentSessionControlStrategy {
    int MAX_USERS = 1000; // Whatever
    SessionRegistry sr;

    public MySessionAuthenticationStrategy(SessionRegistry sr) {
        super(sr);
        this.sr = sr;
    }

    @Override
    public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
        if (sr.getAllPrincipals().size() > MAX_USERS) {
            throw new SessionAuthenticationException("Maximum number of users exceeded");
        }
        super.onAuthentication(authentication, request, response);
    }
}

Where should I create this new class MySessionAuthenticationStrategy, and how do I go from my httpConfigure class to this new class MySessionAuthenticationStrategy?

Thank you very much.

Recommended answer

Try this. Create a class to extend the default session registry:

@Component
public class MySessionRegistry extends org.springframework.security.core.session.SessionRegistryImpl {    
}

Update your configure method to look like this.

    @Autowired
    MySessionRegistry sessionRegistry; 
    void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginProcessingUrl("/api/authentication")
                .successHandler(ajaxAuthenticationSuccessHandler)
                .failureHandler(ajaxAuthenticationFailureHandler)
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .permitAll().and()
                .sessionManagement()
                .maximumSessions(Integer.parseInt(env.getProperty("spring.maxuser.sessions")))
                .sessionRegistry(sessionRegistry)
                .maxSessionsPreventsLogin(true);
    }

Then during login/authentication, try this:

    @Autowired
    MySessionRegistry sessionRegistry; 

    public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
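        // This check runs before the new session exists, so reject once the limit is reached (>=, not >).
        if (calculateMaxSessions(sessionRegistry) >= MAX_USERS) {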
            throw new SessionAuthenticationException("Maximum number of users exceeded");
        } else {
            //Authenticate
        }
    }

    public int calculateMaxSessions(SessionRegistry sessionRegistry){
        final List<Object> principals = sessionRegistry.getAllPrincipals();
        if (principals != null) {
            List<SessionInformation> sessions = new ArrayList<>();
            for (Object principal : principals) {
                sessions.addAll(sessionRegistry.getAllSessions(principal, false));
            }
            return sessions.size();
        }
        return 0;
    }

I hope this helps. Cheers!
