  • Unable to restrict multiple login in different browsers

    Hi all,

    I am trying to restrict a user from logging into 2 different browsers with the same loginid at the same time. This is the security context.

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    							http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    							http://www.springframework.org/schema/security
    							http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    	<security:http auto-config="false" lowercase-comparisons="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
    		<security:custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter" />
    		<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        	
    		<security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<security:intercept-url pattern="/invalidlogin.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<security:intercept-url pattern="/accessdenied.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<security:intercept-url pattern="/logout.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<security:intercept-url pattern="/**.jsp" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" />
    		<security:intercept-url pattern="/**.html" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" />
    		<security:intercept-url pattern="/**.do" access="ROLE_GENERIC,ROLE_USER,ROLE_ADMIN" />
    		<security:intercept-url pattern="/**" filters="none" />
    
    		<security:logout logout-success-url="/logout.jsp" invalidate-session="true" />
    
    		<security:session-management>
    			<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    		</security:session-management>
    	</security:http>
    
    	<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    		<property name="loginFormUrl" value="/login.jsp" />
    	</bean>
    
    	<security:authentication-manager alias="authenticationManager">
    		<security:authentication-provider ref="myAuthenticationProvider" />
    	</security:authentication-manager>
    
    	<bean id="formLoginFilter" class="com.company.security.myMapUsernamePasswordAuthenticationFilter">
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    		<property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
    	</bean>
    
    	<bean id="authenticationSuccessHandler" class="com.company.security.AuthenticationSuccessHandlerImpl">
    		<property name="defaultTargetUrl" value="/main.do" />
    		<property name="alwaysUseDefaultTargetUrl" value="true" />
    	</bean>
    
    	<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    		<property name="defaultFailureUrl" value="/invalidlogin.jsp" />
    	</bean>
    
    	<bean id="myAuthenticationProvider" class="com.company.security.CustomUserDetailsService">
    	</bean>
    	
    	<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
        	<property name="sessionRegistry" ref="sessionRegistry" />
        	<property name="expiredUrl" value="/sessionexpired.jsp" />
      	</bean>
      	
      	<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
      	
    </beans>
    Can somebody help me out?

  • #2
    I forgot to mention that I am getting this error
    org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Filter beans '<concurrencyFilter>' and 'Root bean: class [org.springframework.security.web.session.ConcurrentSessionFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and avoiding the use of <http auto-config='true'>.

    • #3
      Your configuration is contradictory... Basically your security:session-management tag is useless as you have explicitly configured the ConcurrentSessionFilter; use either, not both..

      I wonder why you need to configure everything you have; the only custom thing I see is a UserDetailsService....

      • #4
        Thanks for your reply. Even if I remove the security:session-management tag, I am still able to log in on multiple browser instances (one FF and one IE).

        Any help??????

        • #5
          In my controller, I am printing out the session ids, and they are different for IE and FF. I would have expected Spring to not allow the second login with the same username/password.

          Any help, guys????

          • #6
            Your extended configuration does allow multiple logins, so why should it throw an exception if you don't tell it to do so...

            • #7
              Can you tell me how to trigger the error/exception? Even if you can point me to an example on the net, that would be fine. I have been googling around, but haven't been able to implement a solution.

              Thx.

              • #8
                In your case I would remove the custom configuration for the session stuff and simply use the namespace as you don't need the explicit configuration here.

                If you want to use it I suggest reading the documentation and available properties on the 2 beans you are using.

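The explicit route mentioned in #8, as an added example that is not part of the thread: with a custom filter at FORM_LOGIN_FILTER, the limit has to be enforced by a session authentication strategy injected into that filter, and the nested concurrency-control element (which creates the second ConcurrentSessionFilter named in the error from #2) is dropped. It assumes the poster's formLoginFilter class extends UsernamePasswordAuthenticationFilter; the bean id `sas` is chosen here, and all beans not shown stay as posted.

```xml
<!-- Added example for Spring Security 3.0: session-related parts only. -->
<security:http auto-config="false" lowercase-comparisons="false"
               entry-point-ref="loginUrlAuthenticationEntryPoint">
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter" />
    <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />

    <!-- intercept-url and logout elements as in the posted context -->

    <!-- No nested <security:concurrency-control>: it registers its own
         ConcurrentSessionFilter at the same position as concurrencyFilter. -->
    <security:session-management session-authentication-strategy-ref="sas" />
</security:http>

<!-- Assumption: this class extends UsernamePasswordAuthenticationFilter and
     therefore inherits the sessionAuthenticationStrategy property. -->
<bean id="formLoginFilter" class="com.company.security.myMapUsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
    <!-- Without this, logins through the custom filter are never checked
         against the registry, so a second browser logs in unhindered. -->
    <property name="sessionAuthenticationStrategy" ref="sas" />
</bean>

<!-- "sas" is an id chosen for this example. -->
<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg ref="sessionRegistry" />
    <property name="maximumSessions" value="1" />
    <!-- true: reject the second login; false: expire the older session instead -->
    <property name="exceptionIfMaximumExceeded" value="true" />
</bean>

<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry" />
    <property name="expiredUrl" value="/sessionexpired.jsp" />
</bean>

<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
```

The registry only drops an entry when the container reports the session as destroyed, so `org.springframework.security.web.session.HttpSessionEventPublisher` has to be registered as a listener in web.xml, otherwise a user who logs out can stay locked out. SessionRegistryImpl keys sessions by principal, so a custom UserDetails class needs equals() and hashCode() based on the username for two logins to count as the same user.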