concurrentSession problem


    In my program, a concurrentSessionController was configured with maxSessions = 1.
    There are two accounts: Jeff and Tom. Tom's role is Role_Admin and Jeff's is Role_User.
    The 403 error page is the login page.

    First, I use the account Jeff to log in to the application.
    When a page that needs the role Role_Admin was accessed, an AccessDeniedException was thrown
    and the login page appeared.
    Then I use the account Tom to log in to the application.
    After doing something, I log out of the application and use the account Jeff to log in again,
    and a ConcurrentLoginException (Jeff has reached the maximum concurrent logins) was thrown.

    I suspected that when doing the second authentication, the previous session is not invalidated.
    I had a look at the source code of the class AuthenticationProcessingFilter and found the answer.

    // Excerpt from AuthenticationProcessingFilter.attemptAuthentication; lines not
    // relevant to the question are elided
    public Authentication attemptAuthentication(HttpServletRequest request)
            throws AuthenticationException {
        String username = obtainUsername(request);
        String password = obtainPassword(request);
        UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(username, password);

        // Place the last username attempted into HttpSession for views.
        // Note: the existing HttpSession is reused here, not invalidated.
        request.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY, username);

        return this.getAuthenticationManager().authenticate(authRequest);
    }

    Maybe before placing the last username attempted into HttpSession for views,
    the existing session should be invalidated first.
    Am I right?


  • #2
    Just to clarify your proposal for the benefit of others following the thread, the concurrent session handling support as it presently stands relies on standard HttpSession invalidation or expiration to be notified when a given HttpSession is no longer associated with a particular principal. Jeff's proposal is to add a hook so that if an HttpSession gets used with a different principal, the concurrent session controller is informed about this and removes the link to the existing principal.

    I agree this is a useful improvement, and I've noted it down as part of the general refactorings I intend for the concurrent session controller code.
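The following is an added example, not code from the original thread or from Acegi itself. It models a concurrent session registry in plain Java (the class names `SessionRegistry`, `ConcurrentLoginException` and the `rebindOnPrincipalChange` switch are assumptions made for illustration) and replays the scenario from the first post: Jeff authenticates in session S1, S1 is reused when Tom authenticates, Tom's logout invalidates S1, and Jeff then logs in with a fresh session S2. Without the hook described in reply #2, the registry still counts the stale S1 against Jeff and refuses the login with maxSessions = 1; with the hook, the old principal link is removed when the session is reused and the login succeeds.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Minimal model of a concurrent session registry (hypothetical, not Acegi's SessionRegistryImpl).
public class ConcurrentSessionDemo {

    static class ConcurrentLoginException extends RuntimeException {
        ConcurrentLoginException(String message) { super(message); }
    }

    static class SessionRegistry {
        private final int maxSessions;
        // Assumed switch: when true, a session reused by a different principal is
        // unlinked from the previous principal (the hook proposed in the thread).
        private final boolean rebindOnPrincipalChange;
        private final Map<String, String> principalBySession = new HashMap<>();
        private final Map<String, Set<String>> sessionsByPrincipal = new HashMap<>();

        SessionRegistry(int maxSessions, boolean rebindOnPrincipalChange) {
            this.maxSessions = maxSessions;
            this.rebindOnPrincipalChange = rebindOnPrincipalChange;
        }

        // Called when an authentication succeeds inside the given HttpSession.
        void login(String sessionId, String principal) {
            String previous = principalBySession.get(sessionId);
            if (rebindOnPrincipalChange && previous != null && !previous.equals(principal)) {
                // Same HttpSession, different principal: drop the old link first.
                unlink(sessionId, previous);
            }
            Set<String> active = sessionsByPrincipal.getOrDefault(principal, Collections.emptySet());
            if (!active.contains(sessionId) && active.size() >= maxSessions) {
                throw new ConcurrentLoginException(principal + " has reached the maximum concurrent logins");
            }
            principalBySession.put(sessionId, principal);
            sessionsByPrincipal.computeIfAbsent(principal, k -> new HashSet<>()).add(sessionId);
        }

        // Called on HttpSession invalidation (logout) or expiry; only the principal
        // currently bound to the session id is notified, which is where the stale
        // link survives when the hook is absent.
        void sessionDestroyed(String sessionId) {
            String principal = principalBySession.remove(sessionId);
            if (principal != null) {
                unlink(sessionId, principal);
            }
        }

        private void unlink(String sessionId, String principal) {
            Set<String> sessions = sessionsByPrincipal.get(principal);
            if (sessions != null) {
                sessions.remove(sessionId);
                if (sessions.isEmpty()) {
                    sessionsByPrincipal.remove(principal);
                }
            }
        }

        int activeSessions(String principal) {
            return sessionsByPrincipal.getOrDefault(principal, Collections.emptySet()).size();
        }
    }

    // Replays the sequence from the original post; session ids are constructed values.
    static String replay(boolean withHook) {
        SessionRegistry registry = new SessionRegistry(1, withHook);
        registry.login("S1", "Jeff");       // Jeff logs in
        // AccessDeniedException sends Jeff to the login page; S1 is NOT invalidated
        registry.login("S1", "Tom");        // Tom authenticates in the same HttpSession
        registry.sessionDestroyed("S1");    // Tom logs out; the container invalidates S1
        try {
            registry.login("S2", "Jeff");   // Jeff logs in again with a fresh session
            return "Jeff logged in; active sessions for Jeff = " + registry.activeSessions("Jeff");
        } catch (ConcurrentLoginException e) {
            return "ConcurrentLoginException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("without hook: " + replay(false));
        System.out.println("with hook:    " + replay(true));
    }
}
```

Running `main` prints the exception for the first replay and a successful login with one active session for the second. The alternative raised in the first post, invalidating the existing HttpSession before the second authentication, reaches the same end state by a different route: the container would fire the destroy notification for S1 before Tom's login, so Tom would be registered under a new session id and Jeff's link to S1 would already be gone.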