Spring MVC is not integrated here; the ini configuration file is used directly.
shiro.ini
    [main]
    # Objects and their properties are defined here,
    # Such as the securityManager, Realms and anything
    # else needed to build the SecurityManager
    # (objects are defined before they are referenced)
    authc.loginUrl = /login.jsp
    authc.successUrl = /web/index.jsp

    # session: the session manager must be configured for the forced logout
    sessionDAO = org.apache.shiro.session.mgt.eis.MemorySessionDAO
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    sessionManager.sessionDAO = $sessionDAO

    # cache manager
    builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
    securityManager = org.apache.shiro.web.mgt.DefaultWebSecurityManager
    securityManager.cacheManager = $builtInCacheManager
    securityManager.sessionManager = $sessionManager

    # Create ldap realm
    ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
    #.........

    # Configure JDBC realm datasource
    dataSource = org.postgresql.ds.PGPoolingDataSource
    #.......

    # Create JDBC realm.
    jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
    jdbcRealm.permissionsLookupEnabled = true
    jdbcRealm.userRolesQuery = ......
    jdbcRealm.permissionsQuery = ......
    jdbcRealm.dataSource = $dataSource

    # self realm
    localAuthorizingRealm = com.redbudtek.shiro.LocalAuthorizingRealm
    securityManager.realms = $ldapRealm, $localAuthorizingRealm
In LocalAuthorizingRealm, remove the user's other sessions before logging in for authentication:
    // Inside LocalAuthorizingRealm
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        String userName = (String) authenticationToken.getPrincipal();

        // handle session
        DefaultWebSecurityManager securityManager =
                (DefaultWebSecurityManager) SecurityUtils.getSecurityManager();
        DefaultWebSessionManager sessionManager =
                (DefaultWebSessionManager) securityManager.getSessionManager();
        // Get the list of currently active (logged-in) sessions
        Collection<Session> sessions = sessionManager.getSessionDAO().getActiveSessions();
        for (Session session : sessions) {
            // Clear the session saved by the user when he logged in before
            if (userName.equals(String.valueOf(
                    session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY)))) {
                sessionManager.getSessionDAO().delete(session);
            }
        }

        String pwd = null;
        return new SimpleAuthenticationInfo(userName, pwd, getName());
    }

After the session is deleted, the client must interact with the server again before Shiro can make its authentication judgment. On that next interaction with the server, the subject information is as shown in the following screenshot:
At this point the previously logged-in user's authentication has expired, and the server can respond to the client accordingly.
The above implements single sign-in with Shiro (one user can only be logged in at one place at a time).