Spring max sessions on the application, not max sessions for a user on the application
I'm writing a web app using jhipster, and it is using Spring. I was trying to limit the number of times the same user can log in to my application and got that to work in a file named ServerConfiguration.java with this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginProcessingUrl("/api/authentication")
                .successHandler(ajaxAuthenticationSuccessHandler)
                .failureHandler(ajaxAuthenticationFailureHandler)
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .permitAll()
            // ... (elided in the original post)
            .and()
            .sessionManagement()
                // per-user limit on concurrent sessions, read from configuration
                .maximumSessions(Integer.parseInt(env.getProperty("spring.maxuser.sessions")))
                // reject the new login instead of expiring the oldest session
                .maxSessionsPreventsLogin(true);
    }

    // Publishes session lifecycle events so ended sessions leave the session registry
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

This makes a particular user only log in so many times into my application.
Now, the question that I have is: how do I make my application only be open/accessible for x number of different users? For example, I want my application to only be accessed by 200 users. And when user 201 comes along and wants to log in, then it cannot.
I saw on this other post, "spring limit max sessions ; limit max users", an answer, but I do not know where to put this code exactly.
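
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.session.SessionRegistry;
    import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
    import org.springframework.security.web.authentication.session.SessionAuthenticationException;

    public class MySessionAuthenticationStrategy extends ConcurrentSessionControlStrategy {
        int MAX_USERS = 1000; // Whatever
        SessionRegistry sr;

        public MySessionAuthenticationStrategy(SessionRegistry sr) {
            super(sr);
            this.sr = sr;
        }

        @Override
        public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
            // Refuse the login once the registry holds more than MAX_USERS principals
            if (sr.getAllPrincipals().size() > MAX_USERS) {
                throw new SessionAuthenticationException("Maximum number of users exceeded");
            }
            super.onAuthentication(authentication, request, response);
        }
    }
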
Where should I create this new class MySessionAuthenticationStrategy?
And how do I go from my httpConfigure class to this new class MySessionAuthenticationStrategy?
Thank you very much.
Try this. Create a class to extend the default session registry:

    @Component
    public class MySessionRegistry extends org.springframework.security.core.session.SessionRegistryImpl {
    }

Update your configure method to look like this.

    @Autowired
    MySessionRegistry sessionRegistry;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginProcessingUrl("/api/authentication")
                .successHandler(ajaxAuthenticationSuccessHandler)
                .failureHandler(ajaxAuthenticationFailureHandler)
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .permitAll().and()
            .sessionManagement()
                .maximumSessions(Integer.parseInt(env.getProperty("spring.maxuser.sessions")))
                // use the injected registry so other beans can query the same session data
                .sessionRegistry(sessionRegistry)
                .maxSessionsPreventsLogin(true);
    }

Then during login/authentication, try this:

    @Autowired
    MySessionRegistry sessionRegistry;

    public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
        if (calculateMaxSessions(sessionRegistry) > MAX_USERS) {
            throw new SessionAuthenticationException("Maximum number of users exceeded");
        } else {
            //Authenticate
        }
    }

    // Returns the total number of non-expired sessions across all principals
    public int calculateMaxSessions(SessionRegistry sessionRegistry) {
        final List<Object> principals = sessionRegistry.getAllPrincipals();
        if (principals != null) {
            List<SessionInformation> sessions = new ArrayList<>();
            for (Object principal : principals) {
                sessions.addAll(sessionRegistry.getAllSessions(principal, false));
            }
            return sessions.size();
        }
        return 0;
    }

I hope this helps. Cheers!
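
One way to place and wire the check discussed above, as an added example that is not code from the question or the answer. The class name `MaxUsersSessionAuthenticationStrategy`, the `javax.servlet` imports and the delegate parameter are assumptions; the limit of 200 comes from the question. It counts distinct users rather than sessions, lets an already logged-in user through to the per-user limit, and hands over to a delegate (here `SessionFixationProtectionStrategy`) so that session-fixation protection stays in place when the strategy is supplied through `sessionAuthenticationStrategy(...)`.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

// Added example: hypothetical class, not from the question or the answer.
public class MaxUsersSessionAuthenticationStrategy implements SessionAuthenticationStrategy {
    private final SessionRegistry sessionRegistry;
    private final int maxUsers;
    private final SessionAuthenticationStrategy delegate; // e.g. SessionFixationProtectionStrategy

    public MaxUsersSessionAuthenticationStrategy(SessionRegistry sessionRegistry, int maxUsers,
            SessionAuthenticationStrategy delegate) {
        this.sessionRegistry = sessionRegistry;
        this.maxUsers = maxUsers;
        this.delegate = delegate;
    }

    @Override
    public void onAuthentication(Authentication authentication, HttpServletRequest request,
            HttpServletResponse response) {
        Object principal = authentication.getPrincipal();
        // A user who already holds a live session is not a new user; the
        // per-user limit (maximumSessions) decides about the extra session.
        boolean alreadyLoggedIn = !sessionRegistry.getAllSessions(principal, false).isEmpty();
        if (!alreadyLoggedIn && countActiveUsers() >= maxUsers) {
            throw new SessionAuthenticationException("Maximum number of users exceeded");
        }
        delegate.onAuthentication(authentication, request, response);
    }

    // Distinct principals that have at least one non-expired session.
    int countActiveUsers() {
        int active = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!sessionRegistry.getAllSessions(principal, false).isEmpty()) {
                active++;
            }
        }
        return active;
    }
}

// Wiring inside configure(HttpSecurity http), directly after .sessionManagement():
//   .sessionAuthenticationStrategy(new MaxUsersSessionAuthenticationStrategy(
//           sessionRegistry, 200, new SessionFixationProtectionStrategy()))
```

The registry is only populated while `maximumSessions(...)` is configured and `HttpSessionEventPublisher` is registered, as in the question. The check and the later session registration are not atomic, so simultaneous logins can briefly overshoot the cap.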