
  • Concurrent Session Control in Preauthenticated Bean Based Configuration Scenario

    I'm using Spring Security 3.0.5. I think my configuration is correct; the problem is how to wire the ConcurrentSessionControlStrategy class:

    My config.xml is as follows:
    Code:
    <!-- Hand-wired FilterChainProxy. Patterns are tried top to bottom and the
         first match decides which filters run for the request. -->
    <beans:bean id="springSecurityFilterChain"
    		class="org.springframework.security.web.FilterChainProxy">
    		<filter-chain-map path-type="ant">
    			<!-- filters="none" skips every Spring Security filter for the match:
    			     no SecurityContext is loaded and no access rule in this chain
    			     applies, so these paths are only as protected as whatever sits
    			     outside Spring Security. NOTE(review): /service/** is fully
    			     exempt here; confirm it is guarded by other means. -->
    			<filter-chain pattern="/**/resources/**" filters="none" />
    			<filter-chain pattern="/**/logout/**" filters="none" />
    			<filter-chain pattern="/service/**" filters="none" />
    			<!-- NOTE(review): no SessionManagementFilter appears in this list and no
    			     bean in this listing references "sas", so nothing visible here ever
    			     calls the concurrency strategy. As I recall the stock ordering,
    			     ConcurrentSessionFilter runs ahead of SecurityContextPersistenceFilter;
    			     here it runs after the pre-auth filter. Confirm this is intended. -->
    			<filter-chain pattern="/**"
    				filters="sif,shibbolethFilter,concurrencyFilter,logoutFilter,etf,fsi" />
    
    		</filter-chain-map>
    	</beans:bean>
    
    	<!-- Restores the SecurityContext at the start of each request and stores it
    	     again when the request completes. No repository is injected, so the
    	     filter falls back to its built-in default. -->
    	<beans:bean id="sif"
    		class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
    
    	<!-- Project-specific pre-authentication filter (unqualified class name, source
    	     not shown). Presumably it trusts an identity header set by the Shibboleth
    	     front end; verify against the class.
    	     NOTE(review): a header-based pre-auth filter is only safe when the
    	     application server is unreachable except through the component that sets
    	     the header, and that component strips any client-supplied copy of it.
    	     NOTE(review): continueFilterChainOnUnsuccessfulAuthentication=true lets a
    	     request whose pre-authentication failed continue down the chain, so the
    	     later filters must be the ones that reject it; confirm how this interacts
    	     with exceptionIfHeaderMissing=true in the custom class.
    	     The page reports that adding a sessionAuthenticationStrategy property to
    	     this bean fails with NotWritablePropertyException, i.e. the class exposes
    	     no such setter. -->
    	<beans:bean id="shibbolethFilter"
    		class="PreAuthenticatedShibbolethAuthenticationFilter">
    		<beans:property name="authenticationManager" ref="authenticationManager" />
    		<beans:property name="exceptionIfHeaderMissing" value="true" />
    		<beans:property name="continueFilterChainOnUnsuccessfulAuthentication"
    			value="true" />
    		<beans:property name="authenticationSuccessHandler"
    			ref="customAuthenticationSuccessHandlerBean" />		
    	</beans:bean>
    
    	<!-- Concurrency strategy: at most one registered session per principal.
    	     It acts only when some filter calls it after a successful authentication;
    	     defining the bean alone enforces nothing.
    	     NOTE(review): exceptionIfMaximumExceeded is not set, so (as I recall the
    	     default) a second login marks the older session expired instead of being
    	     refused. Confirm that is the wanted policy.
    	     NOTE(review): sessions are grouped by principal object, so the principal
    	     class needs consistent equals/hashCode for the limit to hold. -->
    	<beans:bean id="sas"
    		class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">		
    		<beans:constructor-arg name="sessionRegistry"
    			ref="sessionRegistry" />
    		<beans:property name="maximumSessions" value="1" />
    	</beans:bean>
    
    	<!-- Registry shared by the strategy ("sas") and the ConcurrentSessionFilter.
    	     NOTE(review): SessionRegistryImpl holds its data in memory and learns that
    	     a session ended only from published session-destroyed events; check that
    	     org.springframework.security.web.session.HttpSessionEventPublisher is
    	     registered as a listener in web.xml, otherwise timed-out sessions linger
    	     and keep counting against maximumSessions. Being in-memory, it is also
    	     not shared between cluster nodes. -->
    	<beans:bean id="sessionRegistry"
    		class="org.springframework.security.core.session.SessionRegistryImpl" />
    
    	<!-- Per-request check against the registry: a session that the registry has
    	     marked expired is ended and the browser is sent to expiredUrl.
    	     It never registers sessions itself; that is the strategy's job.
    	     NOTE(review): /session-expired.html falls under the "/**" chain, so it
    	     must be reachable by a user who no longer has a valid session. -->
    	<beans:bean id="concurrencyFilter"
    		class="org.springframework.security.web.session.ConcurrentSessionFilter">
    		
    		<beans:property name="sessionRegistry" ref="sessionRegistry" />
    		<beans:property name="expiredUrl" value="/session-expired.html" />
    	</beans:bean>
    I was thinking the reference to 'sas' should be under my PreAuthenticatedShibbolethAuthenticationFilter:
    Code:
    <beans:property name="sessionAuthenticationStrategy" ref="sas" />
    But this results in NotWritablePropertyException.

    Any pointers would be of great help.

  • #2
    Okay, so I need SessionManagementFilter, got that part (from Peter Mularien's excellent book).

    However, the following code never returns any active session: (principals is always empty)
    Code:
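    // Registry under inspection; it must be the same bean instance that the
    // concurrency strategy and ConcurrentSessionFilter are wired to.
    private @Inject
    	SessionRegistry sessionReg;
    
    	/**
    	 * Diagnostic helper: logs one line per non-expired session known to the
    	 * injected SessionRegistry, as "&lt;masked session id&gt; &lt;principal&gt;".
    	 *
    	 * The session id is a bearer credential, so only a short prefix is written
    	 * to the log; anyone able to read a full id from a log file could replay it.
    	 */
    	private void doTest() {
    		List<Object> principals = sessionReg.getAllPrincipals();
    		for (Object principal : principals) {
    			// false = leave out sessions the registry has already marked expired
    			List<SessionInformation> sessions = sessionReg.getAllSessions(principal,
    					false);
    			for (SessionInformation info : sessions) {
    				logger.error(maskSessionId(info.getSessionId()) + " " + info.getPrincipal());
    			}
    		}
    	}
    
    	/** Returns a short, non-replayable prefix of the session id for log correlation. */
    	private static String maskSessionId(String sessionId) {
    		if (sessionId == null) {
    			return "null";
    		}
    		// Keep at most a quarter of the id (capped at 6 chars) so the rest stays secret.
    		int keep = Math.min(6, sessionId.length() / 4);
    		return sessionId.substring(0, keep) + "...";
    	}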
    My configuration now looks like the following:
    Code:
    <!-- Revised chain: same as the first listing plus "smf" (SessionManagementFilter)
         between logoutFilter and etf. First matching pattern wins. -->
    <beans:bean id="springSecurityFilterChain"
    		class="org.springframework.security.web.FilterChainProxy">
    		<filter-chain-map path-type="ant">
    			<!-- filters="none": no Spring Security filter runs for these paths, so
    			     no SecurityContext and no access decision from this chain.
    			     NOTE(review): confirm /service/** is protected elsewhere. -->
    			<filter-chain pattern="/**/resources/**" filters="none" />
    			<filter-chain pattern="/**/logout/**" filters="none" />
    			<filter-chain pattern="/service/**" filters="none" />
    			<!-- NOTE(review): concurrencyFilter still runs after the pre-auth filter;
    			     as I recall the stock ordering it comes first in the chain.
    			     There is also a stray space before "etf" in the list; confirm the
    			     bean names are trimmed when the attribute is parsed. -->
    			<filter-chain pattern="/**"
    				filters="sif,shibbolethFilter,concurrencyFilter,logoutFilter,smf, etf,fsi" />
    
    		</filter-chain-map>
    	</beans:bean>
    
    	<!-- Loads and saves the SecurityContext around each request. It has no
    	     properties set, so it is not wired to the "scr" bean defined below and
    	     uses its own default repository instead. -->
    	<beans:bean id="sif"
    		class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
    
    	<!-- HTTP-session-backed SecurityContext store. In this listing it is passed
    	     only to "smf", which uses it to tell whether a context has already been
    	     saved for the request. -->
    	<beans:bean id="scr"
    		class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
    
    	<!-- SessionManagementFilter: the one place in this listing that hands the
    	     concurrency strategy ("sas") to a filter.
    	     NOTE(review): as I read the 3.0.x implementation, the strategy is called
    	     only for a request in which the user became authenticated and the
    	     repository does not yet hold a saved context. If the context was already
    	     stored in the session, no session is registered, which would leave
    	     getAllPrincipals() empty. Verify with a fresh session, and verify that the
    	     SessionRegistry injected into the test code is this same bean instance
    	     rather than a copy from another application context. -->
    	<beans:bean id="smf"
    		class="org.springframework.security.web.session.SessionManagementFilter">
    		<beans:constructor-arg name="securityContextRepository"
    			ref="scr" />
    		<beans:property name="sessionAuthenticationStrategy"
    			ref="sas" />
    	</beans:bean>
    
    	<!-- Custom pre-authentication filter, unchanged from the first listing; it is
    	     not given the session strategy directly (smf holds it instead).
    	     NOTE(review): presumably the identity comes from a request header set by
    	     the Shibboleth front end. That header must be impossible for a client to
    	     supply: block direct access to the application server and strip inbound
    	     copies of the header at the front end.
    	     NOTE(review): with continueFilterChainOnUnsuccessfulAuthentication=true a
    	     failed pre-authentication does not stop the request; the filters after
    	     this one must deny it. -->
    	<beans:bean id="shibbolethFilter"
    		class="PreAuthenticatedShibbolethAuthenticationFilter">
    		<beans:property name="authenticationManager" ref="authenticationManager" />
    		<beans:property name="exceptionIfHeaderMissing" value="true" />
    		<beans:property name="continueFilterChainOnUnsuccessfulAuthentication"
    			value="true" />
    		<beans:property name="authenticationSuccessHandler"
    			ref="customAuthenticationSuccessHandlerBean" />
    	</beans:bean>
    	
    	<!-- One registered session per principal, backed by "sessionRegistry" and
    	     invoked through "smf" in this listing.
    	     NOTE(review): with exceptionIfMaximumExceeded left unset, a new login
    	     should (per the default, as I recall) expire the older session rather
    	     than be rejected. The limit depends on the principal object having
    	     consistent equals/hashCode. -->
    	<beans:bean id="sas"
    		class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    		<beans:constructor-arg name="sessionRegistry"
    			ref="sessionRegistry" />
    		<beans:property name="maximumSessions" value="1" />
    	</beans:bean>
    
    	<!-- In-memory session registry used by "sas" and "concurrencyFilter".
    	     NOTE(review): it is cleaned up only through session-destroyed events, so
    	     HttpSessionEventPublisher needs to be registered as a listener in web.xml;
    	     it is also local to one JVM. -->
    	<beans:bean id="sessionRegistry"
    		class="org.springframework.security.core.session.SessionRegistryImpl" />
    
    	<!-- Ends any session the registry has marked expired and redirects to
    	     expiredUrl. It only reads the registry; entries are added by the
    	     strategy, so an empty registry means this filter has nothing to act on.
    	     NOTE(review): make sure /session-expired.html can be served to a user
    	     without a valid session. -->
    	<beans:bean id="concurrencyFilter"
    		class="org.springframework.security.web.session.ConcurrentSessionFilter">
    		<beans:property name="sessionRegistry" ref="sessionRegistry" />
    		<beans:property name="expiredUrl" value="/session-expired.html" />
    	</beans:bean>
