  • Concurrent Session Problem

    Why doesn't concurrent session work in Acegi Security? I've updated to acegi-0.9 without success again.

    Thanks

  • #2
    I have the same problem. Upgraded to 0.9 and concurrent session doesn't work any more. I tried everything: Added ConcurrentSessionFilter, SessionRegistry but still no luck.

    Kenny


    • #3
      Here is what I found in ProviderManager.java from the 0.9.0 source:

      Code:
      public Authentication doAuthentication(Authentication authentication) throws AuthenticationException {
        ...
        try {
          result = provider.authenticate(authentication);
          sessionController.checkAuthenticationAllowed(result);
        } catch (AuthenticationException ae) {
          lastException = ae;
        }
      
        if (result != null) {
          sessionController.registerSuccessfulAuthentication(result);
          applicationEventPublisher.publishEvent(new AuthenticationSuccessEvent(result));
      
          return result;
        }
        ...
      }

      As we can see, even when the ConcurrentLoginException is thrown, an AuthenticationSuccessEvent will still get published because the authentication object is found. It should be like this:

      Code:
        ...
        if (result != null && lastException == null) {
          sessionController.registerSuccessfulAuthentication(result);
          applicationEventPublisher.publishEvent(new AuthenticationSuccessEvent(result));
      
          return result;
        }
        ...

      Comment
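
The control flow discussed in post #3, as an added example that is not part of the original thread or of Acegi's source: a stand-alone Java model that runs the quoted flow and the proposed `lastException == null` check side by side for a second login with a session limit of 1. The exception classes, the session counter, the `user1` principal and the rethrow after the `if` block (elided as `...` in the post) are stand-ins and assumptions.

```java
import java.util.*;
// Added illustration: minimal stand-ins with similar names, not Acegi classes.
public class ConcurrentLoginFlowDemo {
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String msg) { super(msg); }
    }
    static class ConcurrentLoginException extends AuthenticationException {
        ConcurrentLoginException(String msg) { super(msg); }
    }
    static final int MAXIMUM_SESSIONS = 1;   // same limit as the config posted later in the thread
    static final Map<String, Integer> sessions = new HashMap<>();
    static final List<String> events = new ArrayList<>();

    static void checkAuthenticationAllowed(String principal) {
        if (sessions.getOrDefault(principal, 0) >= MAXIMUM_SESSIONS)
            throw new ConcurrentLoginException("maximum sessions exceeded: " + principal);
    }

    // guarded=false follows the flow quoted from 0.9.0; guarded=true adds the
    // "lastException == null" condition proposed in the post.
    static String doAuthentication(String principal, boolean guarded) {
        String result = null;
        AuthenticationException lastException = null;
        try {
            result = principal;                 // stands in for provider.authenticate()
            checkAuthenticationAllowed(result); // throws after result is already set
        } catch (AuthenticationException ae) {
            lastException = ae;
        }
        if (result != null && (!guarded || lastException == null)) {
            sessions.merge(result, 1, Integer::sum);   // registerSuccessfulAuthentication
            events.add("AuthenticationSuccessEvent:" + result);
            return result;
        }
        throw lastException;   // assumption: the elided code reports the failure
    }

    public static void main(String[] args) {
        for (boolean guarded : new boolean[] {false, true}) {
            sessions.clear(); events.clear();
            doAuthentication("user1", guarded);   // constructed principal, first login
            String second;
            try { doAuthentication("user1", guarded); second = "accepted"; }
            catch (ConcurrentLoginException e) { second = "rejected"; }
            System.out.println((guarded ? "patched: " : "quoted:  ") + "second login " + second
                + ", sessions=" + sessions.get("user1") + ", success events=" + events.size());
        }
    }
}
```

In the quoted flow the second login is accepted and registered even though the session check threw; with the extra condition it is rejected and no second success event is recorded.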


      • #4
        Could someone log this as a bug in JIRA? Bugs should be reported in JIRA so they're tracked. Thanks.


        • #5
          Hi Ben,

          I will submit a bug report on JIRA. Thanks!

          Kenny


          • #6
            Is it resolved in 1.0.0rc1?


            • #7
              http://opensource2.atlassian.com/pro...browse/SEC-110


              • #8
                Why isn't there any example that uses ConcurrentSessionFilter?

                I want to restrict the number of users with the same principals.
                The only information I've found about ConcurrentSessionFilter
                was in the reference manual. I've done everything as written there,
                but although ConcurrentSessionFilter was successfully registered, it did not apply any restriction.


                • #9
                  Upgrade to 1.0.0 RC1 then use ConcurrentSessionControllerImpl.maximumSessions property. See its JavaDocs for more info.


                  • #10
                    No restriction in 1.0.0-RC2?

                    It seems like ConcurrentSessionFilter has no effect in 1.0.0-RC2. Or am I doing something wrong?

                    Code:
                    <!-- filter chain -->
                    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
                        <property name="filterInvocationDefinitionSource">
                            <value>
                                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                                    PATTERN_TYPE_APACHE_ANT
                                   /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,concurrentSessionFilter,filterInvocationInterceptor
                            </value>
                        </property>
                    </bean>
                    
                    <!-- fifth item in chain: ConcurrentSessionFilter -->
                    <bean id="concurrentSessionFilter" class="org.acegisecurity.concurrent.ConcurrentSessionFilter">
                        <property name="sessionRegistry"><ref local="sessionRegistry"/></property>
                        <property name="expiredUrl"><value>/</value></property>
                    </bean>
                    <bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl"/>
                    
                    <!-- ConcurrentSessionController -->
                    <bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
                        <property name="maximumSessions"><value>1</value></property>
                        <property name="sessionRegistry"><ref local="sessionRegistry"/></property>
                    </bean>


                    • #11
                      http://forum.springframework.org/sho...4785#post44785


                      • #12
                        Originally posted by adrury
                        It seems like ConcurrentSessionFilter has no effect in 1.0.0-RC2. Or am I doing something wrong?

                        Code:
                        <!-- filter chain -->
                        <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
                            <property name="filterInvocationDefinitionSource">
                                <value>
                                        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                                        PATTERN_TYPE_APACHE_ANT
                                       /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,concurrentSessionFilter,filterInvocationInterceptor
                                </value>
                            </property>
                        </bean>
                        
                        <!-- fifth item in chain: ConcurrentSessionFilter -->
                        <bean id="concurrentSessionFilter" class="org.acegisecurity.concurrent.ConcurrentSessionFilter">
                            <property name="sessionRegistry"><ref local="sessionRegistry"/></property>
                            <property name="expiredUrl"><value>/</value></property>
                        </bean>
                        <bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl"/>
                        
                        <!-- ConcurrentSessionController -->
                        <bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
                            <property name="maximumSessions"><value>1</value></property>
                            <property name="sessionRegistry"><ref local="sessionRegistry"/></property>
                        </bean>

                        ConcurrentSessionFilter should be the first in the filter chain proxy. Refer to the documentation. It is better to provide a JSP for the session expiredURL property.

                        The previous session will be expired but not the current session; make a note of it.

                        Regards
                        Anand
