没有内置的机制来完成您想要的事情，但是您可以编写一个自定义的HttpSessionListener，它将保存对活动会话的引用，在过期时删除它们，并且还公开一些方法来操作会话属性。因此也需要注册一个AuthenticationSuccessHandler来完成此操作。
登录用户的管理器如下所示：

@Service
public class LoggedInUsersManagerService implements HttpSessionListener {

    // assuming you have some session storage here, 
    // can be something as simple as just a map

    public void sessionCreated(HttpSessionEvent se) {
        final HttpSession session = se.getSession();
        sessionStore.put(session.getAttribute(USER_ID_ATTRIBUTE), session);
    }

    public void sessionDestroyed(HttpSessionEvent se) {
        final HttpSession session = se.getSession();
        sessionStore.remove(session.getAttribute(USER_ID_ATTRIBUTE));
    }

    public void doSomethingWithUserSession(UserIdType id) {
        final HttpSession session = sessionStore.get(id);
        if(session != null) {
            //do what you need with the session attributes
        }
    }
}

您的成功处理程序将如下所示

public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        HttpSession session = request.getSession();
        session.setAttribute(USER_ID_ATTRIBUTE, getUserIdFromAUthentication(authentication));
        //maybe do something else as well
    }

}

您可以在spring安全配置中注册success处理程序，例如

http
    .oauth2login()
    .successHandler(myAuthenticationSuccessHandler)

请记住，在用户仍在使用您的服务时操作会话数据实际上不是一个好主意，因此除非绝对需要，否则我不建议您这样做。