spring security + spring session 增加session 监听器
# 为了避免重启服务后 session 过期,项目通过 Spring Session 把 Spring Security 的 session 信息存到了 Redis 中。但是网上找到的很多资料都不能正确监听 session 的创建和销毁,特此记录:
package com.lenovo.biportal.utils.springsecurity;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
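/**
 * Reports creation and destruction of HTTP sessions.
 *
 * <p>The session id is a bearer credential: anyone who can read it from
 * console output or collected logs can present it as a cookie and take over
 * the session. Only a short prefix of the id is therefore printed, which is
 * enough to correlate the created/destroyed pair for one session.
 *
 * <p>Output goes to {@code System.out}, as in the original demo; a real
 * deployment would normally route this through the application's logger.
 */
public class RedisSessionListener implements HttpSessionListener {
    /** Number of leading characters of a session id that may be printed. */
    private static final int VISIBLE_ID_CHARS = 8;

    /**
     * Called when a session has been created.
     *
     * @param se event carrying the newly created session
     */
    @Override
    public void sessionCreated(HttpSessionEvent se) {
        System.out.println("sessionCreated-->" + abbreviate(se.getSession().getId()));
    }

    /**
     * Called when a session is invalidated or has expired.
     *
     * @param se event carrying the session that is going away
     */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        System.out.println("sessionDestroyed-->" + abbreviate(se.getSession().getId()));
    }

    /**
     * Shortens a session id so that the printed value cannot be replayed.
     *
     * @param sessionId full session id, possibly {@code null}
     * @return the first {@link #VISIBLE_ID_CHARS} characters followed by
     *         {@code "..."}, or a fixed mask when the id is too short to
     *         truncate safely
     */
    private static String abbreviate(String sessionId) {
        if (sessionId == null) {
            return "null";
        }
        if (sessionId.length() <= VISIBLE_ID_CHARS) {
            // Too short to truncate without revealing the whole value.
            return "***";
        }
        return sessionId.substring(0, VISIBLE_ID_CHARS) + "...";
    }
}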
package com.lenovo.biportal.utils.springsecurity;
import com.lenovo.biportal.PortalConfig;
import com.lenovo.biportal.utils.redis.Config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisStandaloneConfiguration;
import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
/**
 * Stores HTTP sessions in Redis through Spring Session so that they survive
 * an application restart.
 *
 * <p>Sessions idle for more than 7200 seconds (two hours) expire.
 *
 * <p>Security notes for operators: the Redis database configured here holds
 * every authenticated session, so read access to it equals access to those
 * sessions. Unless a {@code springSessionDefaultRedisSerializer} bean is
 * defined, Spring Session stores attributes with JDK serialization, which
 * means write access to this database should be treated as the ability to
 * feed serialized objects to the application. Keep the instance
 * password-protected and reachable only from the application hosts.
 */
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 7200)
public class SessionRedisConfig {
    /**
     * Registers the session listener as a bean. Being a bean is what allows
     * Spring Session to deliver session created/destroyed events to it.
     *
     * <p>NOTE(review): destroy events for sessions that merely time out
     * depend on Redis keyspace notifications being enabled on the server;
     * verify this on managed Redis offerings that block {@code CONFIG}.
     */
    @Bean
    RedisSessionListener redisSessionListener() {
        return new RedisSessionListener();
    }

    /**
     * Creates the Jedis connection factory used for the session store.
     *
     * @return a factory connected to the standalone Redis described by the
     *         portal configuration
     */
    @Bean
    public JedisConnectionFactory connectionFactory() {
        RedisStandaloneConfiguration standalone = standaloneConfiguration();
        return new JedisConnectionFactory(standalone);
    }

    /**
     * Translates the portal's Redis settings into a Spring Data Redis
     * standalone configuration (host, port, database index, password).
     *
     * <p>No TLS option is set here, so the password and all session data
     * travel as the connection factory's defaults dictate.
     * NOTE(review): confirm the link to Redis is on a trusted network or
     * enable TLS on the client configuration.
     */
    private RedisStandaloneConfiguration standaloneConfiguration() {
        Config settings = PortalConfig.getPortalConfig().getRedis();

        RedisStandaloneConfiguration standalone = new RedisStandaloneConfiguration();
        standalone.setHostName(settings.getServerConfig().getHost());
        standalone.setPort(settings.getServerConfig().getPort());
        standalone.setDatabase(settings.getDatabaseIndex());
        standalone.setPassword(settings.getPassword());
        return standalone;
    }
}
package com.lenovo.biportal.utils.springsecurity;
import com.lenovo.biportal.Application;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;
/**
 * Spring Security web configuration: form login, URL authorization rules and
 * a limit of one concurrent session per user, with the session registry
 * backed by the Spring Session repository imported from
 * {@link SessionRedisConfig}.
 *
 * <p>The class is itself named {@code Configuration}, which is why the Spring
 * annotation of the same name is written fully qualified.
 *
 * @param <S> the Spring Session session type held by the repository
 */
@org.springframework.context.annotation.Configuration
@Import({ SessionRedisConfig.class })
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class Configuration<S extends Session> extends WebSecurityConfigurerAdapter {
    /**
     * Paths that are reachable without authentication. Order is preserved
     * from the original matcher list.
     *
     * <p>The {@code /*.ext} patterns match files directly under the context
     * root only. NOTE(review): {@code /*.map} and {@code /*.txt} are public;
     * confirm that no source maps or text files with internal detail are
     * served from the root. NOTE(review): {@code /api/auth/pseudo/login} is
     * open to anonymous callers; confirm from its handler that it cannot be
     * used to obtain a session without real credentials.
     */
    private static final String[] PUBLIC_PATHS = {
        "/default/adfs/login",
        "/default/adfs/login/page",
        "/default/adfs/logout",
        "/default/adfs/userinfo",
        "/default/adfs/user/photo",
        "/api/auth/pseudo/login",
        "/app/status",
        "/favicon.ico",
        "/pbi/oauth",
        "/statistics/prelogin",
        "/statistics/today/prelogin",
        "/*.js",
        "/*.css",
        "/*.png",
        "/*.woff",
        "/*.jpg",
        "/*.eot",
        "/*.ttf",
        "/*.svg",
        "/*.map",
        "/*.txt",
        "/index.html"
    };

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private FindByIndexNameSessionRepository<S> sessionRepository;

    /** Password encoder used to verify stored credentials (bcrypt). */
    @Bean
    PasswordEncoder password() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Session registry that looks sessions up in the Spring Session
     * repository, so the concurrent-session limit is enforced against the
     * shared store rather than against one instance's memory.
     */
    @Bean
    SpringSessionBackedSessionRegistry<S> sessionRegistry() {
        return new SpringSessionBackedSessionRegistry<>(this.sessionRepository);
    }

    /**
     * Wires the user lookup service and the password encoder into the
     * authentication manager.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = password();
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
    }

    /**
     * Declares the login page, the authorization rules and session
     * concurrency control.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception propagated from the Spring Security builders
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Custom login page, reachable by anonymous users.
        http.formLogin()
                .loginPage("/default/adfs/login/page")
                .permitAll();

        // First matching rule wins: Swagger UI needs the "developer" role,
        // the public paths are open, everything else requires a login.
        http.authorizeRequests()
                .antMatchers("/swagger-ui.html").hasRole("developer")
                .antMatchers(PUBLIC_PATHS).permitAll()
                .anyRequest()
                .authenticated();

        // At most one live session per user, tracked through the registry.
        http.sessionManagement()
                .maximumSessions(1)
                .sessionRegistry(sessionRegistry());

        // NOTE(review): CSRF protection is switched off whenever the
        // application reports test mode. Make sure that flag cannot be
        // turned on in a production deployment.
        if (Application.isInTestMode()) {
            http.csrf().disable();
        }
    }
}
以上三个文件保证了用户登录的session信息写入redis,并且能正确监听session创建和销毁的事件。
                    
                
                
            
        