Announcement Announcement Module
Collapse
No announcement yet.
Spring Security Concurrent Session Control Problem Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring Security Concurrent Session Control Problem

    Hi guys, i am trying to setup the concurrent session control feature provided by Spring Security Framework. Whilst Spring Security context goes up without any error, i think that the concurrent session control isn´t work. My ideia was prevent a user from logging in multiple times. But when i open two browsers and try to log in in both with the same user Spring permits without any problem.

    My web.xml and applicationContext-security you can find attached to this thread.

    I appreciate any help.
    Best Regards,
    Julio Helden

  • #2
    I believe the default configuration logs out the first user who logged in. Log in as Batman then log in as Batman again through a different session. The first Batman session should be logged out now.

    Can you try that and see that it's working?

    Comment


    • #3
      I am having the same problem with the same entries in my web.xml and applicationContext-security.xml. I followed the security documentation. Any resolution to this?

      I have debugged through HttpSecurityBeanDefinitionParser and see that that "sessionControlEnabled" is set to true, do it is reading my
      Code:
      <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" session-registry-ref='sessionRegistry'/>
      It's as if the listener in my web.xml is not being triggered:
      Code:
      	<listener>
      		<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
      	</listener>
      Last edited by J Ball; Jul 23rd, 2008, 10:02 AM.

      Comment


      • #4
        Originally posted by J Ball View Post
        It's as if the listener in my web.xml is not being triggered:
        Code:
        	<listener>
        		<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
        	</listener>
        The listener is triggered as seen when I initially arrive at the login page (prior to login) and when I logout. Can someone suggest where to debug why the concurrent session max is ignored?

        Comment


        • #5
          I am using Spring on Tomcat if that makes any difference. Are there Tomcat configuration steps I need to take?

          Comment


          • #6
            Originally posted by RayKrueger View Post
            I believe the default configuration logs out the first user who logged in. Log in as Batman then log in as Batman again through a different session. The first Batman session should be logged out now.

            Can you try that and see that it's working?
            Correct. This is how it works

            Comment

            Working...
            X