Fatal编程技术网
  • spring-boot/
  • Spring boot 无法在Spring引导中停止并发会话(KeyClope身份验证服务器)

Spring boot 无法在Spring引导中停止并发会话(KeyClope身份验证服务器)

spring-boot spring-security keycloak

Spring boot 无法在Spring引导中停止并发会话(KeyClope身份验证服务器),spring-boot,spring-security,spring-security-oauth2,keycloak,Spring Boot,Spring Security,Spring Security Oauth2,Keycloak,我能够使用Spring Security和KeyClope实现身份验证功能(按预期工作)。但是,当我试图在Spring安全配置中停止并发登录时,它不起作用。我也尝试过KeyClope配置,但是我知道没有这样的内置功能/配置来停止并发登录 Spring Boot密钥斗篷配置如下: SessionRegistry sesionregistry=new SessionRegistryImpl(); @Autowired public void configureGlobal(Authenticati

我能够使用Spring Security和KeyClope实现身份验证功能(按预期工作)。但是,当我试图在Spring安全配置中停止并发登录时,它不起作用。我也尝试过KeyClope配置,但是我知道没有这样的内置功能/配置来停止并发登录

Spring Boot密钥斗篷配置如下:

SessionRegistry sesionregistry=new SessionRegistryImpl();

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
    keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());

    auth.authenticationProvider(keycloakAuthenticationProvider);

}

@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
    return new RegisterSessionAuthenticationStrategy(sesionregistry);
}

@Bean
public KeycloakConfigResolver KeycloakConfigResolver() {return new KeycloakSpringBootConfigResolver();}

@Override
protected void configure(HttpSecurity http) throws Exception
{
    super.configure(http);

    http
            .authorizeRequests()
            .antMatchers("/login").hasRole("user")
            .antMatchers("/app/*").hasRole("user")
            //.antMatchers("/logout").permitAll()
            .anyRequest().permitAll()
            .and()
            .authorizeRequests()
            .antMatchers("/admin*").hasRole("admin")
            .anyRequest().permitAll()
            .and()
            .logout().logoutUrl("/logout")
            .and()
            .sessionManagement().maximumSessions(1)
            .maxSessionsPreventsLogin(true)

            ; //for maximum 1 session for any user

}

org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@87138d52: Principal: c8827230-1916-4026-923c-642be90d0d38; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@1e21cde6; Granted Authorities: ROLE_user, ROLE_uma_authorization
使用此配置,我可以登录,但不会禁用并发登录

我尝试打印同一用户不同登录名的主体对象,发现: 第1课时:

org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@ec24d1c4:Principal: c8827230-1916-4026-923c-642be90d0d38; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@7f2460bd; Granted Authorities: ROLE_user, ROLE_uma_authorization
第二课时:

SessionRegistry sesionregistry=new SessionRegistryImpl();

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
    keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());

    auth.authenticationProvider(keycloakAuthenticationProvider);

}

@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
    return new RegisterSessionAuthenticationStrategy(sesionregistry);
}

@Bean
public KeycloakConfigResolver KeycloakConfigResolver() {return new KeycloakSpringBootConfigResolver();}

@Override
protected void configure(HttpSecurity http) throws Exception
{
    super.configure(http);

    http
            .authorizeRequests()
            .antMatchers("/login").hasRole("user")
            .antMatchers("/app/*").hasRole("user")
            //.antMatchers("/logout").permitAll()
            .anyRequest().permitAll()
            .and()
            .authorizeRequests()
            .antMatchers("/admin*").hasRole("admin")
            .anyRequest().permitAll()
            .and()
            .logout().logoutUrl("/logout")
            .and()
            .sessionManagement().maximumSessions(1)
            .maxSessionsPreventsLogin(true)

            ; //for maximum 1 session for any user

}

org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@87138d52: Principal: c8827230-1916-4026-923c-642be90d0d38; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@1e21cde6; Granted Authorities: ROLE_user, ROLE_uma_authorization
甚至2个主要对象的哈希值也不同:

Session 1: Printing Principal HAsh Value: -1854104148
Session 2:     Printing Principal HAsh Value: -1904262684
我不知道如何解决并发登录问题。谢谢你的帮助

谢谢

Keyclope版本:服务器版本3.4.3。最终春季启动版本:1.5.10。发布您是否尝试让其他人尝试启动同一用户会话(相同登录)来自不同的机器?是的。在不同的机器上,它也不工作。请尝试将sessionManagement和maxSessionsPreventsLogin移到最上面的authorizeRequest()行上方的行中,看看这是否有什么变化。@Adam确定我会尝试一下