Concurrent Session Control not working! Page Title Module

  • Concurrent Session Control not working!

    Hi all,
    I'm trying to configure Concurrent Session Control, but it doesn't work. I searched the forum but still cannot find the answer. Please help! Thanks.

    web.xml:
    Code:
     <!-- Routes every request (/*) through the Spring Security filter chain. Session
          concurrency checks run as filters in that chain, so they only apply to
          requests and logins that actually pass through it. -->
     <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      
      <!-- Boots the root Spring application context that holds the security beans. -->
      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
      
      <!-- Publishes HttpSession created/destroyed events into the Spring context so the
           session registry can drop sessions that have ended. Without it, a user who has
           reached max-sessions stays locked out after their old session times out. -->
      <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
      </listener>

    applicationContext.xml

    Code:
    <!-- NOTE(review): concurrency-control below is enforced through the session
         authentication strategy that the namespace attaches to the form-login filter.
         The AuthenticationServiceImpl shown in this post authenticates by calling
         AuthenticationManager.authenticate() directly, which does not go through that
         filter, so presumably no session is ever registered and max-sessions is never
         checked for those logins; confirm against the Spring Security version in use. -->
    <security:http auto-config="true" access-denied-page="/accessDenied.jsf">	
    	
    		<!-- Most specific rule first; rules are matched in declaration order. -->
    		<security:intercept-url pattern="/pages/users.jsf" access="ROLE_ADMIN" />
    		<!-- NOTE(review): with Ant-style matching, /pages/*.* covers only files directly
    		     under /pages/; nested paths and every other URL have no access rule here.
    		     Verify that is intended. -->
    		<security:intercept-url pattern="/pages/*.*" access="ROLE_USER,ROLE_ADMIN" />
    		
    		<security:form-login login-page="/login.jsf" authentication-failure-url="/login.jsf" />
    		<!-- Logout through this URL invalidates the HTTP session and removes the session cookie. -->
    		<security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/login.jsf" logout-url="/logout.jsf"/>
    			
    		        
            <security:session-management>
            	<!-- One session per user; a second login is rejected rather than expiring the
            	     first session. A user whose earlier session was abandoned cannot log in
            	     again until that session ends. -->
            	<security:concurrency-control expired-url="/viewExpired.jsf" max-sessions="1" error-if-maximum-exceeded="true" />
        	</security:session-management>
                
    	</security:http>
    
    <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
    	
    	
    	<security:authentication-manager alias="authenticationManager">
    		
    		<!-- NOTE(review): no password-encoder is declared for this provider, so stored
    		     passwords are presumably compared as plain text (the Spring Security 3.x
    		     default); confirm and configure an adaptive hash such as bcrypt. -->
    		<security:authentication-provider>
    			<security:jdbc-user-service data-source-ref="dataSource" 
    				authorities-by-username-query="select username,authority from users where username=?"/>
    		</security:authentication-provider>
    		
    		
    	</security:authentication-manager>
    AuthenticationServiceImpl:
    Code:
    /**
     * Programmatic login and logout backed by the injected {@link AuthenticationManager}.
     *
     * <p>NOTE(review): authentication happens here, in application code, not in a Spring
     * Security authentication filter. Nothing in this class invokes a
     * SessionAuthenticationStrategy, so session-level controls configured on the filter
     * chain (concurrent-session limits, session-fixation protection) are presumably not
     * applied to logins made through {@link #login(String, String)}. Confirm against the
     * Spring Security version in use.
     */
    @Service("authenticationService")
    public class AuthenticationServiceImpl implements AuthenticationService {

        /** Resolved by bean name; matches the alias declared on the authentication manager. */
        @Resource(name = "authenticationManager")
        private AuthenticationManager authenticationManager;

        /**
         * Authenticates the credentials and, on success, stores the result in the current
         * security context.
         *
         * @param username login name as entered by the user
         * @param password raw password as entered by the user
         * @return {@code true} if the manager returned an authenticated token,
         *         {@code false} if it did not or if authentication was rejected
         */
        @Override
        public boolean login(String username, String password) {
            try {
                UsernamePasswordAuthenticationToken credentials =
                        new UsernamePasswordAuthenticationToken(username, password);
                Authentication result = authenticationManager.authenticate(credentials);

                if (!result.isAuthenticated()) {
                    return false;
                }

                SecurityContextHolder.getContext().setAuthentication(result);
                return true;
            } catch (AuthenticationException e) {
                // Every rejection reason (bad credentials, disabled, locked, ...) collapses
                // to "false"; the stack trace is only written to stderr.
                e.printStackTrace();
                return false;
            }
        }

        /**
         * Removes the authentication from the current security context.
         *
         * <p>NOTE(review): the HTTP session is not invalidated here, so a session that was
         * registered for concurrency control would presumably still count against the
         * user's limit until it ends. Verify against the logout flow actually used.
         */
        @Override
        public void logout() {
            SecurityContextHolder.getContext().setAuthentication(null);
        }

    }

  • #2
    Those two threads might help:
    http://stackoverflow.com/questions/11062585/spring-concurrent-session-control-not-working-user-can-login-multiple-times
    http://stackoverflow.com/questions/8586824/spring-security-concurrency-control

    I ran into the same problem (with spring-security 3.1.1 and 3.1.2) and solved it by implementing equals() and hashCode() of my custom UserDetails implementation like in org.springframework.security.core.userdetails.User .



    • #3
      Thank you so much Ninca7.

      Actually, I don't use a custom UserDetails.
      Here is my code:

      Code:
      /*UserDetailEntity class*/
      /**
       * Persistent user record (username, password, generated id); parts of the class are
       * elided in the post.
       *
       * <p>Identity (equals/hashCode) is based on {@code id} only. The principal handed to
       * Spring Security is the {@code User} built in UserDetailsServiceImpl, so as far as
       * this listing shows the session registry never compares UserDetailEntity instances.
       */
      public class UserDetailEntity implements Serializable {
      
          // Login name; required and unique at the column level.
          @NotNull
          @Column(unique = true)
          private String username;
      
          // Stored credential, returned as-is to Spring Security via getPassword().
          // NOTE(review): presumably a hash rather than the clear-text password; confirm.
          @NotNull
          private String password;
      
          // Generated primary key; null until the entity has been persisted.
          @Id
          @GeneratedValue(strategy = GenerationType.AUTO)
          @Column(name = "id")
          private Long id;
          ...........................
      
      	/** Hash of {@code id}; 0 when {@code id} is null. */
      	@Override
      	public int hashCode() {
      		int hash = 0;
      		hash += (id != null ? id.hashCode() : 0);
      		return hash;
      	}
      
      	
      	/**
      	 * Two entities are equal when their ids are equal. Two instances whose ids are
      	 * both null (neither branch below fires) also compare equal.
      	 */
      	@Override
      	public boolean equals(Object object) {
      		
      		if (!(object instanceof UserDetailEntity)) {
      			return false;
      		}
      
      		UserDetailEntity other = (UserDetailEntity) object;
      
      		// Unequal if exactly this side is null, or if this id differs from the other id.
      		if ((this.id == null && other.id != null)
      				|| (this.id != null && !this.id.equals(other.id))) {
      			return false;
      		}
      		return true;
      	}
          ..................................
      }
      
      
      
      /*UserDetailsServiceImpl class*/
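      /**
       * Loads accounts for Spring Security from {@link UserDetailEntity} records and
       * converts them to Spring's {@link User}.
       */
      @Service("userDetailsService")
      public class UserDetailsServiceImpl implements UserDetailsService {

          /**
           * Looks up the account by login name.
           *
           * @param username login name to look up
           * @return the account as a Spring Security {@link User}
           * @throws UsernameNotFoundException if no entity exists for {@code username}
           */
          @Override
          public UserDetails loadUserByUsername(String username)
                  throws UsernameNotFoundException {

              UserDetailEntity userDetailEntity = UserDetailEntity.findUserDetailEntity(username);

              if (userDetailEntity == null) {
                  throw new UsernameNotFoundException("User not found");
              }

              return buildUserFromUserEntity(userDetailEntity);
          }

          /**
           * Builds the Spring Security principal for an entity, with its single authority.
           *
           * <p>The authority collection is now typed, so the raw-type warning suppression
           * the method used to carry is no longer needed.
           */
          private User buildUserFromUserEntity(UserDetailEntity userEntity) {

              String username = userEntity.getUsername();
              String password = userEntity.getPassword();

              // NOTE(review): all four account flags are taken from isEnabled(), so a
              // disabled account also reports as expired and locked. The provider will
              // presumably surface it as "locked" rather than "disabled"; confirm that
              // is intended, or map the flags the entity does not model to true.
              boolean enabled = userEntity.isEnabled();
              boolean accountNonExpired = userEntity.isEnabled();
              boolean credentialsNonExpired = userEntity.isEnabled();
              boolean accountNonLocked = userEntity.isEnabled();

              Collection<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();
              authorities.add(new SimpleGrantedAuthority(userEntity.getAuthority()));

              return new User(username, password, enabled, accountNonExpired,
                      credentialsNonExpired, accountNonLocked, authorities);
          }
      }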
      
      
      
      
      /*Login Bean class*/
      /**
       * Submits the bean's userName/userPw to the authentication service and returns the
       * outcome string "success" or "fail".
       *
       * NOTE(review): this login runs inside the managed bean rather than in a Spring
       * Security authentication filter, so session controls attached to that filter
       * (concurrency limit, session-fixation protection) are presumably not applied
       * here; confirm.
       */
      public String login() {
          return authenticationService.login(userName, userPw) ? "success" : "fail";
      }
      
      
      /*AuthenticationServiceImpl class*/
      /**
       * Programmatic login and logout backed by the injected {@link AuthenticationManager}.
       *
       * <p>NOTE(review): authentication happens here, in application code, not in the
       * UsernamePasswordAuthenticationFilter. Nothing in this class invokes a
       * SessionAuthenticationStrategy, so a concurrency strategy wired to that filter is
       * presumably never consulted for logins made through {@link #login(String, String)}.
       * Confirm against the Spring Security version in use.
       */
      @Service("authenticationService")
      public class AuthenticationServiceImpl implements AuthenticationService {

          /** Resolved by bean name; matches the alias declared on the authentication manager. */
          @Resource(name = "authenticationManager")
          private AuthenticationManager authenticationManager;

          /**
           * Authenticates the credentials and, on success, stores the result in the
           * current security context.
           *
           * @param username login name as entered by the user
           * @param password raw password as entered by the user
           * @return {@code true} if the manager returned an authenticated token,
           *         {@code false} if it did not or if authentication was rejected
           */
          @Override
          public boolean login(String username, String password) {
              try {
                  UsernamePasswordAuthenticationToken credentials =
                          new UsernamePasswordAuthenticationToken(username, password);
                  Authentication result = authenticationManager.authenticate(credentials);

                  if (!result.isAuthenticated()) {
                      return false;
                  }

                  SecurityContextHolder.getContext().setAuthentication(result);
                  return true;
              } catch (AuthenticationException e) {
                  // Every rejection reason collapses to "false"; the stack trace is only
                  // written to stderr.
                  e.printStackTrace();
                  return false;
              }
          }

          /**
           * Removes the authentication from the current security context.
           *
           * <p>NOTE(review): the HTTP session is not invalidated here, so a session that
           * was registered for concurrency control would presumably still count against
           * the user's limit until it ends. Verify against the logout flow actually used.
           */
          @Override
          public void logout() {
              SecurityContextHolder.getContext().setAuthentication(null);
          }

      }

      applicationContext.xml

      Code:
      <!-- Explicit (non-namespace) wiring of concurrent session control.
           NOTE(review): the strategy bean "sas" is invoked by myAuthFilter when that filter
           processes a login request. The login bean in this post authenticates through
           AuthenticationServiceImpl.login() instead, so presumably "sas" is never called
           for those logins; confirm which path the login form actually uses. -->
      <security:http auto-config="false" access-denied-page="/accessDenied.jsf" entry-point-ref="authenticationProcessingFilterEntryPoint">	
      	
      		<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
           	<security:custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter"/>
           	<security:session-management session-authentication-strategy-ref="sas"/>
           	
      		<!-- NOTE(review): with Ant-style matching, /pages/*.* covers only files directly
      		     under /pages/; nested paths and every other URL have no access rule here. -->
      		<security:intercept-url pattern="/pages/users.jsf" access="ROLE_ADMIN" />
      		<security:intercept-url pattern="/pages/*.*" access="ROLE_USER,ROLE_ADMIN" />
      		
      		<security:logout invalidate-session="true" logout-success-url="/login.jsf" logout-url="/logout.jsf"/>
      		
      	</security:http>
      	
      	<!-- Unauthenticated requests are redirected to the login page.
      	     NOTE(review): forceHttps=false lets the login form be served over plain HTTP
      	     unless TLS is enforced elsewhere (container or proxy); verify. -->
      	<bean id="authenticationProcessingFilterEntryPoint" 
                class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
              <constructor-arg name="loginFormUrl" value="/login.jsf" />
              <property name="forceHttps" value="false"/>
          </bean>
          
      	<!-- On each request, checks the registry and sends sessions marked expired to expiredUrl. -->
      	<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
      	   <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
      	   <constructor-arg name="expiredUrl" value="/login.jsf" />
        	</bean>
      	
      	<!-- Form-login filter; the only place in this file where "sas" is attached to an
      	     authentication step. -->
      	<bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        	   <property name="sessionAuthenticationStrategy" ref="sas" />
        	   <property name="authenticationManager" ref="authenticationManager" />
      	</bean>
      	
      	<!-- One session per user; a second login raises an error instead of expiring the first. -->
      	<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
      	  <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
      	  <property name="maximumSessions" value="1" />
      	  <property name="exceptionIfMaximumExceeded" value="true"/>
      	</bean>
      	
      	<!-- In-memory registry shared by the filter and the strategy above. -->
      	<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
      	
      	
      	<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
      	
      	<security:authentication-manager alias="authenticationManager">
      		
      		<security:authentication-provider user-service-ref="userDetailsService" >
      			<!-- NOTE(review): no salt source is declared, so this is a single unsalted
      			     SHA-256 pass, which is fast to brute-force if the user table leaks.
      			     An adaptive hash such as bcrypt is the usual choice for stored passwords. -->
      			<security:password-encoder hash="sha-256"/>
      		</security:authentication-provider>
      		
      	</security:authentication-manager>


      Am I missing something?

      Thanks
      Last edited by warcraft; Sep 27th, 2012, 12:39 PM.



      • #4
        Fixed.
        Thanks all.
