Concurrency control dont work [JSF 1.2 + Spring 3.0.5 + Spring Security 3.0.5] Page Title Module

  • Concurrency control dont work [JSF 1.2 + Spring 3.0.5 + Spring Security 3.0.5]

    Hi all

    I'm trying to configure a "CONCURRENT_SESSION_FILTER", but it does not work.

    I have read a lot of posts, but I haven't found a fix. My user class implements "UserDetails" and overrides the "hashCode/equals" methods.

    Login method:
    Code:
    // Programmatic login: wrap the submitted credentials in a token, have the
    // AuthenticationManager verify it, then publish the result for the current thread.
    // NOTE(review): nothing in this snippet calls a SessionAuthenticationStrategy, so a
    // session limit enforced by such a strategy is presumably never consulted on this
    // path; confirm against the filter configuration.
    UsernamePasswordAuthenticationToken credentials = new UsernamePasswordAuthenticationToken(username, password);
    Authentication authenticated = authenticationManager.authenticate(credentials);

    SecurityContextHolder.getContext().setAuthentication(authenticated);
    HibernateUserDetailsService class:
    Code:
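        /**
         * Loads the account with the given username through the Hibernate template.
         *
         * @param username login name to look up
         * @return the first row returned by the query, cast to UserDetails
         * @throws UsernameNotFoundException if the query returns no rows
         * @throws DataAccessException declared for failures raised by the data-access call
         */
        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
            // The username is bound to the "?" placeholder, never concatenated into the HQL.
            List<?> matches = getHibernateTemplate().find("from User where username = ?",
                    new Object[]{username});
            if (matches.isEmpty()) {
                // Space before "not found" so the name and the text do not run together.
                // NOTE(review): the message echoes the submitted username; make sure it is
                // not returned to the client verbatim, or it confirms which accounts exist.
                throw new UsernameNotFoundException(username + " not found");
            }
            // NOTE(review): only the first row is used; this assumes usernames are unique
            // in the User table. Confirm a unique constraint exists.
            return (UserDetails) matches.get(0);
        }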

    Spring security context:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Spring Security context from the question: auto-config is off, and the login
      filter, the concurrent-session filter and the session strategy ("sas") are
      declared by hand below.
    -->
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security 
               http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
      <!-- Turns on @Secured and the JSR-250 annotations for method-level checks. -->
      <global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
    
      <!--
        Unauthenticated requests are sent to the entry point bean; the filters in the
        chain are the hand-declared beans referenced by the custom-filter elements.
      -->
      <http auto-config="false" use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint" >
        
        <!--
          The session limit lives in the "sas" strategy, which is handed to myAuthFilter
          and to session-management.
          NOTE(review): a login that calls the AuthenticationManager from application
          code does not pass through myAuthFilter; confirm the strategy is really
          invoked on that path, otherwise sessions are never registered or counted.
        -->
        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter"/> 
        <session-management session-authentication-strategy-ref="sas" />
        
        <!--
          URL rules. A request that matches none of the three patterns gets no access
          rule from this block.
          NOTE(review): rules are matched in the order listed, so keep narrower
          patterns above broader ones when more are added.
        -->
        <intercept-url pattern="/pages/**" access="isAuthenticated()" />
        <intercept-url pattern="/public/**" access="permitAll" />
        <intercept-url pattern="/admin/**" access="hasRole('ADMINISTRADOR')" />
        <access-denied-handler error-page="/403.html"/>
                    
      </http>
    
      <!-- Redirects unauthenticated users to the login form. -->
      <beans:bean id="authenticationProcessingFilterEntryPoint"
                  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.xhtml"/>
        <!-- NOTE(review): forceHttps=false keeps the redirect to the login form on the
             request's own scheme; confirm HTTPS is enforced elsewhere so credentials
             are not posted in clear text. -->
        <beans:property name="forceHttps" value="false"/>
      </beans:bean>
    
      <!-- Checks each request against the session registry; expired sessions go to expiredUrl. -->
      <beans:bean id="concurrencyFilter"
                  class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/error.html" />
      </beans:bean>
      
      <!--
        One session per user; exceptionIfMaximumExceeded=true rejects the new login
        instead of expiring the older session.
        NOTE(review): with this setting, a session that ends without the registry being
        told keeps the user locked out. Confirm web.xml registers
        org.springframework.security.web.session.HttpSessionEventPublisher.
      -->
      <beans:bean id="sas"
                  class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
        <beans:property name="exceptionIfMaximumExceeded" value="true"/>
      </beans:bean>
    
      <!-- Form-login filter wired with the same "sas" strategy and the authentication manager. -->
      <beans:bean id="myAuthFilter"
                  class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy" ref="sas" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
      </beans:bean>
    
      <beans:bean id="userDetailsService"
                  class="com.package.HibernateUserDetailsService" />
    
      <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsService">
          <!-- NOTE(review): hash="sha" with no salt-source child is a fast, unsalted
               digest, which is weak for stored passwords. Plan a move to a salted,
               adaptive scheme (for example bcrypt) once existing hashes can be migrated. -->
          <password-encoder hash="sha"/>
        </authentication-provider>
      </authentication-manager>
      
      <!-- NOTE(review): with the default bean scope this factory call is made once, not
           per request; confirm nothing reads the current user through this bean. -->
      <beans:bean id="securityContext"
                  class="org.springframework.security.core.context.SecurityContextHolder"
                  factory-method="getContext"/>
            
      <beans:bean id="loggerListener"
                  class="org.springframework.security.authentication.event.LoggerListener" />
    
      <!-- Registry shared by concurrencyFilter and the "sas" strategy. -->
      <beans:bean id="sessionRegistry"
                  class="org.springframework.security.core.session.SessionRegistryImpl" />
      
    </beans:beans>
    Last edited by alejandro8a; May 9th, 2012, 11:17 AM.

  • #2
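    I solved the problem by sending the login through the default login-processing-url, "/j_spring_security_check", so that authentication is handled by the Spring Security filter chain, where the concurrency control is applied, instead of by calling the authentication manager directly.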

    Login method:
    Code:
    // Hand the login over to Spring Security by forwarding the current JSF request to
    // its login-processing URL instead of authenticating in application code.
    ExternalContext external = FacesContext.getCurrentInstance().getExternalContext();
    ServletRequest request = (ServletRequest) external.getRequest();
    ServletResponse response = (ServletResponse) external.getResponse();
    // NOTE(review): this is a server-side forward; the security filter chain only sees it
    // if its filter-mapping in web.xml includes the FORWARD dispatcher. web.xml is not
    // shown here, so confirm that mapping.
    request.getRequestDispatcher("/j_spring_security_check").forward(request, response);
    // Tell JSF the response has already been produced.
    FacesContext.getCurrentInstance().responseComplete();

    Spring security context:
    Code:
     
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Working configuration from the reply: the namespace form-login and
      concurrency-control elements replace the hand-declared filter beans.
    -->
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/security 
          http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
      <!-- Turns on @Secured and the JSR-250 annotations for method-level checks. -->
      <global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
    
      <http auto-config="true" use-expressions="true" >
     
        <!--
          URL rules. A request that matches none of the three patterns gets no access
          rule from this block.
          NOTE(review): rules are matched in the order listed, so keep narrower
          patterns above broader ones when more are added.
        -->
        <intercept-url pattern="/pages/**" access="isAuthenticated()" />
        <intercept-url pattern="/public/**" access="permitAll" />
        <intercept-url pattern="/admin/**" access="hasRole('ADMINISTRADOR')" />
        
        <!--
          Logins are processed at /j_spring_security_check by the namespace-configured
          filter, so they go through the session-management settings below.
          NOTE(review): nothing here requires HTTPS for the login page or the
          processing URL; confirm transport security is enforced elsewhere.
        -->
        <form-login login-processing-url="/j_spring_security_check"
                    login-page="/login.xhtml" default-target-url="/pages/index.xhtml"
                    authentication-failure-url="/error_login.xhtml" />
    
        <logout invalidate-session="true" logout-url="/logout" logout-success-url="/" />
        <!--
          One session per user; error-if-maximum-exceeded=true refuses the new login
          instead of expiring the older session.
          NOTE(review): with this setting, a session that ends without the registry being
          told keeps the user locked out. Confirm web.xml registers
          org.springframework.security.web.session.HttpSessionEventPublisher.
        -->
        <session-management invalid-session-url="/login.xhtml">
          <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </session-management>
      </http>
    
      <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsService">
          <!-- NOTE(review): hash="sha" with no salt-source child is a fast, unsalted
               digest, which is weak for stored passwords. Plan a move to a salted,
               adaptive scheme (for example bcrypt) once existing hashes can be migrated. -->
          <password-encoder hash="sha"/>
        </authentication-provider>
      </authentication-manager>
     
      <beans:bean id="userDetailsService" class="com.package.HibernateUserDetailsService" />
        
      <beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener" />
    
      <!-- NOTE(review): concurrency-control above carries no session-registry-ref, so this
           bean does not look wired into it; confirm whether it is still needed. -->
      <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
     
    </beans:beans>
