Shiro: enforcing single-user login. A user can be logged in at only one location at a time.
Here Shiro is not integrated with Spring MVC; it is configured directly through the ini configuration file.
shiro.ini

```ini
[main]
# Objects and their properties are defined here,
# such as the securityManager, Realms and anything
# else needed to build the SecurityManager
authc.loginUrl = /login.jsp
authc.successUrl = /web/index.jsp

# cache manager
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager = org.apache.shiro.web.mgt.DefaultWebSecurityManager
securityManager.cacheManager = $builtInCacheManager

# The session manager must be configured: forced logout is implemented by removing the session.
# Objects are defined before they are referenced, because order matters in shiro.ini.
sessionDAO = org.apache.shiro.session.mgt.eis.MemorySessionDAO
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO
securityManager.sessionManager = $sessionManager

# Create ldap realm
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
#......

# Configure JDBC realm datasource
dataSource = org.postgresql.ds.PGPoolingDataSource
#.......

# Create JDBC realm.
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.userRolesQuery = ......
jdbcRealm.permissionsQuery = ......
jdbcRealm.dataSource = $dataSource

# self realm
localAuthorizingRealm = com.redbudtek.shiro.LocalAuthorizingRealm

securityManager.realms = $ldapRealm, $localAuthorizingRealm
```
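In LocalAuthorizingRealm, remove the user's other sessions before login:

```java
import java.util.Collection;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.support.DefaultSubjectContext;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
        throws AuthenticationException {
    String userName = (String) authenticationToken.getPrincipal();

    // Process sessions.
    // Note: this method runs before the credentials are checked, so the
    // sessions are removed even if this login attempt later fails.
    DefaultWebSecurityManager securityManager =
            (DefaultWebSecurityManager) SecurityUtils.getSecurityManager();
    DefaultWebSessionManager sessionManager =
            (DefaultWebSessionManager) securityManager.getSessionManager();
    // Obtain the list of currently active sessions
    Collection<Session> sessions = sessionManager.getSessionDAO().getActiveSessions();
    for (Session session : sessions) {
        // Delete every existing session that belongs to the user logging in
        if (userName.equals(String.valueOf(
                session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY)))) {
            sessionManager.getSessionDAO().delete(session);
        }
    }
    String pwd = null;
    return new SimpleAuthenticationInfo(userName, pwd, getName());
}
```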
After a session is deleted, Shiro only re-evaluates authentication the next time the client interacts with the server. When that interaction happens, the subject information is as follows:
At this point the user's authentication is no longer valid, and the client can respond accordingly.