Session: in computing, and especially in network applications, this is known as "session control". The Session object stores the properties and configuration information needed for a specific user session. Variables stored in the Session object are therefore not lost when the user moves between the application's web pages; they persist for the whole user session. When a user requests a web page from the application and does not yet have a session, the web server automatically creates a Session object. When a session expires or is abandoned, the server terminates it. One of the most common uses of the Session object is to store user preferences.

Session management

This article mainly describes the following three types of Session management under Spring Security.

  1. Session timeout
  2. Session concurrency strategy
  3. Session handling in a cluster environment

Session timeout

  1. Configure the timeout period in application.yml
server:
  port: 80
  session:
    timeout: 60
  2. Configure MerryyouSecurityConfig
http.
......
	       .sessionManagement()
            .invalidSessionUrl("/session/invalid") // URL to redirect to when the session is invalid
  3. Handle /session/invalid in the Controller
@GetMapping("/session/invalid")
    @ResponseStatus(code = HttpStatus.UNAUTHORIZED)
    public Result<String> sessionInvalid() {
        return ResultUtil.error(HttpStatus.UNAUTHORIZED.value(), "The session failure");
    }

The effect is as follows:

https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2018/1/19/1610da788886d37b~tplv-t2oaga2asx-image.image

Session concurrency strategy

  1. Configure MerryyouSecurityConfig
http.
......
	       .maximumSessions(1)// Maximum number of concurrent sessions 1
           .maxSessionsPreventsLogin(false) // false: a new login expires the previous session; true: subsequent logins are rejected
           .expiredSessionStrategy(new MerryyounExpiredSessionStrategy()) // Custom action when a login is kicked out
  2. MerryyounExpiredSessionStrategy
import java.io.IOException;
import javax.servlet.ServletException;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.web.session.SessionInformationExpiredEvent;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;

@Slf4j
public class MerryyounExpiredSessionStrategy implements SessionInformationExpiredStrategy {
    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent event) throws IOException, ServletException {
        // Called for a request that arrives on a session expired by concurrency control
        event.getResponse().setContentType("application/json; charset=UTF-8");
        event.getResponse().getWriter().write("Log in concurrently!");
    }
}

The effect is as follows:

https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2018/1/19/1610da788874eadc~tplv-t2oaga2asx-image.image

For the maxSessionsPreventsLogin(true) case, refer to spring-security and security-oauth2.

Cluster environment Session processing

  1. Add the spring-session-data-redis dependency
<dependency>
			<groupId>org.springframework.session</groupId>
			<artifactId>spring-session-data-redis</artifactId>
			<version>1.3.1.RELEASE</version>
		</dependency>
  2. Configure the Spring-Session storage policy
spring:
  redis:
    host: localhost
    port: 6379
  session:
    store-type: redis
  3. Test: start the project separately on ports 8080 and 8081
java -jar spring-security.jar --server.port=8080
java -jar spring-security.jar --server.port=8081

The effect is as follows:

https://p1-jj.byteimg.com/tos-cn-i-t2oaga2asx/gold-user-assets/2018/1/19/1610da788866b600~tplv-t2oaga2asx-image.image
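
The concurrency limit and the Redis-backed cluster setup above interact: Spring Security's default session registry is held in memory per JVM, so with two nodes maximumSessions(1) is enforced on each node separately. The following is an added example, not code from the original project, that points concurrency control at the shared Redis store. It assumes Spring Session 1.3.x as declared above; the class name ClusterSessionSecurityConfig and the authorizeRequests/formLogin rules are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.ExpiringSession;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;

// Added example: class name is hypothetical, not part of the original project.
@Configuration
public class ClusterSessionSecurityConfig extends WebSecurityConfigurerAdapter {

    // Redis-backed repository exposed by spring-session-data-redis (store-type: redis).
    @Autowired
    private FindByIndexNameSessionRepository<ExpiringSession> sessionRepository;

    // Registry that looks sessions up by principal name in the shared store,
    // so every node sees the same set of sessions for a user.
    @Bean
    public SpringSessionBackedSessionRegistry sessionRegistry() {
        return new SpringSessionBackedSessionRegistry(sessionRepository);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumption: the invalid-session endpoint must be reachable without login.
                .antMatchers("/session/invalid").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                .invalidSessionUrl("/session/invalid")
                .maximumSessions(1)
                // false: the newest login wins and the older session is expired
                .maxSessionsPreventsLogin(false)
                // Strategy class shown earlier on this page
                .expiredSessionStrategy(new MerryyounExpiredSessionStrategy())
                // Replace the per-node in-memory registry with the cluster-wide one
                .sessionRegistry(sessionRegistry());
    }
}
```

To check it, log in as the same user on port 8080 and then on port 8081: the next request on the 8080 session should receive the expired-session response.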

For more information about Spring Session, see: DD

Code download

Download it from my GitHub, github.com/longfeizhen…