shiro实现单点登录(一个用户同一时刻只能在一个地方登录)

2020-06-08 11:46mrr JAVA教程

这篇文章主要介绍了shiro实现单点登录(一个用户同一时刻只能在一个地方登录)的相关资料，非常不错，具有参考借鉴价值，感兴趣的朋友一起学习吧

我这里 shiro 并没有集成 springMVC，直接使用 ini 配置文件。

shiro.ini

				?

									[main]

									# Objects and their properties are defined here,

									# Such as the securityManager, Realms and anything

									# else needed to build the SecurityManager

									authc.loginUrl = /login.jsp

									authc.successUrl = /web/index.jsp

									#cache manager

									builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager

									securityManager=org.apache.shiro.web.mgt.DefaultWebSecurityManager

									securityManager.cacheManager = $builtInCacheManager

									securityManager.sessionManager=$sessionManager

									#session 必须配置session，强制退出时，通过将session移除实现

									sessionManager=org.apache.shiro.web.session.mgt.DefaultWebSessionManager

									sessionManager.sessionDAO=$sessionDAO

									sessionDAO=org.apache.shiro.session.mgt.eis.MemorySessionDAO

									# Create ldap realm

									ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm

									#......

									# Configure JDBC realm datasource

									dataSource = org.postgresql.ds.PGPoolingDataSource

									#.......

									# Create JDBC realm.

									jdbcRealm.permissionsLookupEnabled = true

									jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm

									jdbcRealm.userRolesQuery = ......

									jdbcRealm.permissionsQuery = ......

									jdbcRealm.dataSource = $dataSource

									#self realm

									localAuthorizingRealm = com.redbudtek.shiro.LocalAuthorizingRealm

									securityManager.realms = $ldapRealm, $localAuthorizingRealm

在 LocalAuthorizingRealm 中，用户登录进行认证之前，先将该用户的其他session移除：

				?

									@Override

									protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {

									String userName = (String)authenticationToken.getPrincipal();

									//处理session

									DefaultWebSecurityManager securityManager = (DefaultWebSecurityManager) SecurityUtils.getSecurityManager();

									DefaultWebSessionManager sessionManager = (DefaultWebSessionManager)securityManager.getSessionManager();

									Collection<Session> sessions = sessionManager.getSessionDAO().getActiveSessions();//获取当前已登录的用户session列表

									for(Session session:sessions){

									//清除该用户以前登录时保存的session

									if(userName.equals(String.valueOf(session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY)))) {

									sessionManager.getSessionDAO().delete(session);

									}

									}

									String pwd = null;

									return new SimpleAuthenticationInfo(userName,pwd,getName());

									}