
  • How to enable Concurrent Session Handling?

    This is either a feature request or a gap in my understanding.

    I'm trying to enable the ConcurrentSessionFilter from Spring Security to prevent the same principal from maintaining two concurrent sessions. For web applications an invalidated session will be redirected to a specified URI. For Flex/AIR, this model does seem to be appropriate. Instead it seems appropriate to pass an error event back.

  • #2
    You need to add a listener in your web.xml file:

    Code:
    <listener>
    <listener-class>
    org.springframework.security.ui.session.HttpSessionEventPublisher
    </listener-class>
    </listener>
    And add a concurrent-session-control element to your security settings:
    <security:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" />

    So your spring-security.xml might look like this:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:security="http://www.springframework.org/schema/security" 
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
    	<security:http auto-config="true">
    		<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<security:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" />
    	</security:http>
    	<security:authentication-provider>
    		<security:user-service>
    			<security:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
    			<security:user name="user" password="user" authorities="ROLE_USER" />
    		</security:user-service>
    	</security:authentication-provider>
    </beans>



    • #3
      Spring Security Concurrent Session control...

      So how do I tell the login page that this user has a session already open and didn't just mis-type their user name and password?



      • #4
        I believe you should be able to implement an ExceptionTranslator that listens for the particular security exception (SessionAlreadyUsedException?) and translates it such that you can check for it on the client.

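One way to write the translator suggested in #4, as an added example that is not part of the thread or of any project's own code. It assumes Spring BlazeDS Integration's `ExceptionTranslator` interface and Spring Security 2.0's `ConcurrentLoginException` (the exception raised when `exception-if-maximum-exceeded="true"` rejects a login); the package, class name and fault code are hypothetical.

```java
package example.security; // hypothetical package name

import org.springframework.flex.core.ExceptionTranslator;
import org.springframework.security.concurrent.ConcurrentLoginException;

import flex.messaging.MessageException;
import flex.messaging.security.SecurityException;

/**
 * Maps the "maximum sessions exceeded" failure to its own fault code so a
 * Flex/AIR client can tell it apart from a bad user name or password.
 */
public class ConcurrentLoginExceptionTranslator implements ExceptionTranslator {

    /** Hypothetical fault code; the client compares fault.faultCode against it. */
    public static final String CONCURRENT_LOGIN_CODE =
            "Client.Authentication.ConcurrentLogin";

    /** Claim only the concurrent-login failure; leave every other exception alone. */
    public boolean handles(Class<?> clazz) {
        return ConcurrentLoginException.class.isAssignableFrom(clazz);
    }

    /**
     * The session limit is checked only after the credentials have been
     * verified, so this fault is returned only to a caller who already
     * supplied a valid password.
     */
    public MessageException translate(Throwable t) {
        SecurityException fault = new SecurityException();
        fault.setCode(CONCURRENT_LOGIN_CODE);
        // Fixed text instead of t.getMessage(), so the server-side exception
        // message and stack trace are not sent to the client.
        fault.setMessage("This account already has an active session.");
        return fault;
    }
}
```

On the client, the login fault handler can branch on this fault code to show an "already logged in elsewhere" message instead of the generic invalid-credentials one.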