问题描述:

登录用户的 session 在 redis 失效、清除或者用户退出系统后,系统中的 sessionRegistry 中 session 依然存在,并未同步失效

系统架构:

Springboot2 + SpringSecurity + spring-session-data-redis + Redis

1. Redis 配置 (当然可以只加注解,使用默认配置)
/** redis配置 */
@Configuration
public class RedisConfig extends CachingConfigurerSupport {
    // 自定义缓存key生成策略
    @Override
    @Bean
    public KeyGenerator keyGenerator() {
        return new KeyGenerator() {
            @Override
            public Object generate(Object target, java.lang.reflect.Method method, Object... params) {
                StringBuffer sb = new StringBuffer();
                sb.append(target.getClass().getName());
                sb.append(method.getName());
                for (Object obj : params) {
                    sb.append(obj.toString());
                }
                return sb.toString();
            }
        };
    }

    // 缓存管理器
    @Bean
    public CacheManager cacheManager(RedisConnectionFactory redisConnectionFactory) {
        RedisSerializer<String> redisSerializer = new StringRedisSerializer();
        Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class);

        //反序列化问题
        ObjectMapper om = new ObjectMapper();
        om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
        om.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        jackson2JsonRedisSerializer.setObjectMapper(om);

        // 解决存储乱码问题
        RedisCacheConfiguration config = RedisCacheConfiguration.defaultCacheConfig()
                // 缓存过期时间1hours  以application.yml配置文件中的优先级更高
                .entryTtl(Duration.ofHours(1))
                .serializeKeysWith(RedisSerializationContext.SerializationPair.fromSerializer(redisSerializer))
                .serializeValuesWith(RedisSerializationContext.SerializationPair.fromSerializer(jackson2JsonRedisSerializer))
                .disableCachingNullValues();

        RedisCacheManager cacheManager = RedisCacheManager.builder(redisConnectionFactory)
                .cacheDefaults(config)
                .build();
        return cacheManager;
    }
    
    @Bean
    public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory factory) {

        RedisTemplate<String, Object> template = new RedisTemplate<>();

        RedisSerializer<String> redisSerializer = new StringRedisSerializer();

        Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class);
        ObjectMapper om = new ObjectMapper();
        om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
        om.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        jackson2JsonRedisSerializer.setObjectMapper(om);

        template.setConnectionFactory(factory);
        //key序列化方式
        template.setKeySerializer(redisSerializer);
        //value序列化
        template.setValueSerializer(jackson2JsonRedisSerializer);
        //value hashmap序列化
        template.setHashValueSerializer(jackson2JsonRedisSerializer);

        return template;
    }
}

2. WebSecurity 的配置 (重点)

@Configuration
@EnableWebSecurity
@Slf4j
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	// 此处只贴出了与sessionRegistry()相关的代码,其余配置还请自行在网上搜索。
	
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                 // 无效session跳转
                 .invalidSessionUrl("/login")
                 .maximumSessions(1)
                 // session过期跳转
                 .expiredUrl("/login")
                 .sessionRegistry(sessionRegistry());
    }

    /**
     * 解决session失效后 sessionRegistry中session没有同步失效的问题,启用并发session控制,首先需要在配置中增加下面监听器
     * @return
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
    
 	 /**
     * 注册bean sessionRegistry 
     */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }
}

3. 获取在线登录用户数量的方法

	/**
     * 获取系统在线用户数量
     * @return
     */
	public Integer getOnlineUserNum(SessionRegistry sessionRegistry){
        List<String> list = sessionRegistry.getAllPrincipals().stream()
                .filter(u -> !sessionRegistry.getAllSessions(u, false).isEmpty())
                .map(Object::toString)
                .collect(Collectors.toList());
        return list.size();
    }

4. 移除登出用户的 session

import com.cebon.cdjcy.common.config.IApplicationConfig;
import com.cebon.cdjcy.common.util.IPUtils;
import com.cebon.cdjcy.common.utils.restResult.RestResult;
import com.cebon.cdjcy.common.utils.restResult.ResultCode;
import com.cebon.cdjcy.log.domain.SysLog;
import com.cebon.cdjcy.log.service.SysLogService;
import com.cebon.cdjcy.security.utils.ResponseUtils;
import com.cebon.cdjcy.sysconfig.service.SysconfigService;
import com.cebon.cdjcy.user.dto.LoginUserDTO;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;

@Component("securityLogoutSuccessHandler")
@Slf4j
public class SecurityLogoutSuccessHandler implements LogoutSuccessHandler {
	@Autowired
	private IApplicationConfig applicationConfig;
	@Resource
	private SysconfigService sysconfigService;
	@Resource
	private SysLogService sysLogService;
	@Override
	public void onLogoutSuccess(HttpServletRequest request , HttpServletResponse response , Authentication authentication) throws IOException,
            ServletException {

		// 清除登录的session
		this.removeSesion(request);
		// 记录登出日志
        if (null != authentication) {
            this.saveLog(request, authentication);
        }
		log.info("退出成功");
		String originHeader = request.getHeader("Origin");
		ResponseUtils.addResponseHeader(response, applicationConfig.getOrigins(), originHeader);
		RestResult result = new RestResult(ResultCode.SUCCESS.getCode(),"退出成功");
		response.setCharacterEncoding("UTF-8");
		response.setContentType("text/html; charset=UTF-8");
		PrintWriter writer = response.getWriter();
		writer.print(result.toJson());
		writer.flush();
	}

	/**
	 * 移除登录用户的session
	 * @param request
	 */
	private void removeSesion(HttpServletRequest request) {
		HttpSession session = request.getSession();
		// 手动让系统中的session失效 。
		session.invalidate();
	}

	/**
	 * 记录登出日志
	 * @param request
	 */
	private void saveLog(HttpServletRequest request, Authentication authentication) {
        LoginUserDTO user = (LoginUserDTO) authentication.getPrincipal();
        SysLog sysLog = new SysLog();
		sysLog.setOperation(6);
		sysLog.setLogUser(user.getId());
		sysLog.setCreateTime(new Date());
		sysLog.setLogIp(IPUtils.getIpAddr(request));
		sysLog.setLogDesc(user.getUsername() + " 退出了系统 ");
		sysLog.setLogMethod(request.getMethod());
		sysLog.setLogType(0);
		sysLogService.saveLog(sysLog);
	}
}


最后附上源码链接吧,GitHub 源码地址
欢迎各位老铁 star