ConcurrentSessionControlStrategy and directly used AuthenticationManager.authenticate

  • ConcurrentSessionControlStrategy and directly used AuthenticationManager.authenticate

    Hi, I am working on a Wicket frontend to AppFuse and I would like to consult on one Spring Security related thing. Wicket doesn't allow using custom values in form actions, and I cannot direct the user's browser to /j_security_check after the Login button is clicked. I mitigated it by using AuthenticationManager.authenticate() directly (with the username and password read from a form, as described in the documentation) and it generally works fine.

    Recently I wanted to use ConcurrentSessionControlStrategy, but when j_security_check (and UsernamePasswordAuthenticationFilter) is omitted, ConcurrentSessionControlStrategy doesn't know about the newly logged-in user. I can directly call onAuthentication() on it (together with HttpSessionEventPublisher to detect when a session is destroyed), but it doesn't look good and I worry I may miss something important in some other place.

    Two questions:
    1. Can I somehow simulate calling the functions offered by SessionManagementFilter (and its friends) without directing a user to /j_security_check?
    2. Is it safe to directly use ConcurrentSessionControlStrategy.onAuthentication() (or just SessionRegistry.registerNewSession() to get a list of active users later)?


  • #2
    I know this is an old post but I thought rather than posting a new question I would extend the same post.
    I have a similar problem, i.e. to avoid using /j_security_check and yet be able to control the number of concurrent login sessions.
    One of the solutions (that I know of) is to invoke ConcurrentSessionControlStrategy.onAuthentication(), but this is deprecated since Spring Security 3.2. So what is the alternative for this?
    Hopefully I will find an answer for this here.

    Last edited by niravshah99; Oct 5th, 2013, 07:02 AM.


    • #3
      As mentioned on the deprecation, you should use ConcurrentSessionControlAuthenticationStrategy instead of ConcurrentSessionControlStrategy.
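
An added example, not code from any of the posts above: one way to run the session checks by hand after calling AuthenticationManager.authenticate() directly, using the Spring Security 3.2+ strategy classes. The class name `ProgrammaticLogin`, the limit of one session, and the `javax.servlet` imports (3.2 through 5.x) are assumptions; the `SessionRegistry` is assumed to be the same bean the rest of the application reads, with HttpSessionEventPublisher registered so destroyed sessions are removed from it.

```java
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

// Hypothetical helper for a form handler (e.g. a Wicket onSubmit) that bypasses /j_security_check.
public class ProgrammaticLogin {
    private final AuthenticationManager authenticationManager;
    private final SessionAuthenticationStrategy sessionStrategy;

    public ProgrammaticLogin(AuthenticationManager authenticationManager, SessionRegistry registry) {
        this.authenticationManager = authenticationManager;
        // Since 3.2 the concurrency strategy only checks the limit; it no longer registers the session.
        ConcurrentSessionControlAuthenticationStrategy limit =
                new ConcurrentSessionControlAuthenticationStrategy(registry);
        limit.setMaximumSessions(1);               // illustrative limit
        limit.setExceptionIfMaximumExceeded(true); // reject the new login instead of expiring the old one
        // Order: check the limit, change the session id, then register the new session.
        this.sessionStrategy = new CompositeSessionAuthenticationStrategy(
                Arrays.<SessionAuthenticationStrategy>asList(
                        limit,
                        new SessionFixationProtectionStrategy(),
                        new RegisterSessionAuthenticationStrategy(registry)));
    }

    // Throws AuthenticationException on bad credentials and
    // SessionAuthenticationException when the session limit is exceeded.
    public Authentication login(String username, String password,
                                HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
        sessionStrategy.onAuthentication(auth, request, response);
        // Assumes the request passes through the Spring Security filter chain,
        // which stores the context in the HTTP session at the end of the request.
        SecurityContextHolder.getContext().setAuthentication(auth);
        return auth;
    }
}
```

Calling only the concurrency strategy would leave the registry empty and skip session fixation protection, which is why the three strategies are composed here.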