In a project our lab just finished, there was this requirement: an account can be logged in from only one place at a time. If someone tries to log in with it elsewhere, they are told the account is already logged in elsewhere, until the existing login expires or logs out. In addition, the same browser can have only one user logged in at a time.
First, consider the problem of preventing repeated logins. In the project I use the session to store the user's information: when the user logs in, a session is created and the user name, user logical ID, login time and other attributes are stored in it. To prevent duplicate logins I use the application scope. Define a variable loginUserMap of type Map<Long, String>; each entry stores the logical ID of a logged-in user and the session ID of the corresponding session. On each login, traverse loginUserMap: if there is no matching userLogicId or session ID, the login is allowed; otherwise the user is told the account is logged in elsewhere.

    // Determine whether this is a repeated login
    isLoginExists = false;
    ifSessionInvalidate = false;
    loginUserMap = (Map<Long, String>) acx.getApplication().get(WebConstant.LOGIN_USER_MAP);
    if (loginUserMap == null) {
        loginUserMap = new HashMap<Long, String>();
    }
    HttpServletRequest request = ServletActionContext.getRequest();
    String sessionId = request.getSession(false).getId();
    System.out.println("sessionId" + sessionId);
    for (Long userLogicId2 : loginUserMap.keySet()) {
        if (!userLogicId2.equals(userLogicId) && !loginUserMap.containsValue(sessionId)) {
            // different browsers do not allow the same user to repeat login
            continue;
        }
        if (userLogicId2.equals(userLogicId) && !loginUserMap.containsValue(sessionId)) {
            // same account, new session: that new session is invalidated below
            setIfSessionInvalidate(true);
        }
        isLoginExists = true;
        break;
    }
    if (isLoginExists) {
        setTip("loginexists");
        if (ifSessionInvalidate == true) {
            request.getSession(false).invalidate();
        }
    } else {
        // first login for this account and this session: record it
        loginUserMap.put(userLogicId, sessionId);
        acx.getApplication().put(WebConstant.LOGIN_USER_MAP, loginUserMap);
        acx.getSession().put(WebConstant.USER_ID, getUserName());
        acx.getSession().put(WebConstant.USER_LOGICID, userManageService.findByUserName(getUserName()).getLogicId());
        acx.getSession().put(WebConstant.LOGIN_TIME, new Date());
    }

In the logout operation, the user's logicId and session ID are removed from loginUserMap, and the user information in the session is cleared.

    Map<Long, String> loginUserMap = (Map<Long, String>) acx.getApplication().get(WebConstant.LOGIN_USER_MAP);
    String username = userManageService.findByLogicId(userLogicId).getUserName();
    // the map may not exist yet if nobody has logged in since startup
    if (loginUserMap != null && loginUserMap.containsKey(userLogicId)) {
        loginUserMap.remove(userLogicId);
    }
    // store under the same key the login code reads
    session.getServletContext().setAttribute(WebConstant.LOGIN_USER_MAP, loginUserMap);
    Long id = (Long) session.getAttribute(WebConstant.USER_LOGICID);
    if (id != null) this.userManageService.userLogout(id);
    session.removeAttribute(WebConstant.USER_ID);
    session.removeAttribute(WebConstant.USER_LOGICID);
    session.removeAttribute(WebConstant.LOGIN_TIME);
    // Make the session invalid
    session.invalidate();
    // one header with both directives; a second setHeader call would overwrite the first
    response.setHeader("Cache-Control", "no-cache, no-store");
    response.setDateHeader("Expires", 0);

The session-expiry listener does the same thing, so that when a login session times out the user is removed from loginUserMap and a later login with that account can proceed normally.

    import java.util.Map;
    import javax.servlet.ServletContext;
    import javax.servlet.http.HttpSession;
    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    public class SessionListener implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent event) {
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent event) {
            // monitoring session expiration and destruction
            HttpSession session = event.getSession();
            ServletContext application = session.getServletContext();
            try {
                String username = (String) session.getAttribute(WebConstant.USER_ID);
                Long userLogicId = (Long) session.getAttribute(WebConstant.USER_LOGICID);
                Map<Long, String> loginUserMap = (Map<Long, String>) application.getAttribute(WebConstant.LOGIN_USER_MAP);
                if (loginUserMap.containsKey(userLogicId)) loginUserMap.remove(userLogicId);
                application.setAttribute(WebConstant.LOGIN_USER_MAP, loginUserMap);
                System.out.println("Session:" + session.getId() + "expired");
            } catch (Exception e) {
                System.out.println(e.getMessage());
            }
        }
    }

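In the login code above, the traversal of the shared map and the later put are separate steps on a plain HashMap with no locking, so two simultaneous logins for one account can both pass the check. A variant that makes check-and-register atomic and frees an account only for the session that owns it, as an added example that is not the project's code (LoginRegistry, tryLogin, release and the sample ids are hypothetical names):

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical registry: one session per account, one account per session. */
public class LoginRegistry {
    public enum Result { OK, ACCOUNT_IN_USE, SESSION_IN_USE }

    private final Map<Long, String> sessionByUser = new HashMap<>();
    private final Map<String, Long> userBySession = new HashMap<>();

    /** Check and register inside one critical section. */
    public synchronized Result tryLogin(Long userLogicId, String sessionId) {
        if (userBySession.containsKey(sessionId)) {
            return Result.SESSION_IN_USE;   // this browser session already holds a login
        }
        if (sessionByUser.containsKey(userLogicId)) {
            return Result.ACCOUNT_IN_USE;   // account is logged in from another session
        }
        sessionByUser.put(userLogicId, sessionId);
        userBySession.put(sessionId, userLogicId);
        return Result.OK;
    }

    /** For logout and sessionDestroyed: frees the account only if this session owns it. */
    public synchronized boolean release(String sessionId) {
        Long userLogicId = userBySession.remove(sessionId);
        if (userLogicId == null) {
            return false;                   // rejected or anonymous session: nothing to free
        }
        sessionByUser.remove(userLogicId, sessionId);
        return true;
    }

    public static void main(String[] args) {
        LoginRegistry reg = new LoginRegistry();
        // Constructed sample ids, not taken from the page.
        System.out.println(reg.tryLogin(1001L, "S1")); // first login of account 1001
        System.out.println(reg.tryLogin(1001L, "S2")); // same account, second browser
        System.out.println(reg.tryLogin(1002L, "S1")); // second account, same browser
        System.out.println(reg.release("S2"));         // rejected session expires
        System.out.println(reg.tryLogin(1001L, "S3")); // account still held by S1
        System.out.println(reg.release("S1"));         // owning session logs out
        System.out.println(reg.tryLogin(1001L, "S3")); // account is free again
    }
}
```

A single instance would be stored in the application scope in place of the raw map, with release called from both the logout action and the session listener.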
At this point, repeated logins are basically prevented, but some exceptional cases are still not handled. For example, if the user closes the browser while logged in and then logs in again, the information recorded in the server-side application scope was never cleaned up by the normal logout process, so the login attempt will report "Logged in elsewhere." To resolve this issue, refer to the blog post "Java Web user single sign-on exception processing user's abnormal exit."