  • Concurrency control

    Hi,

    I want to implement concurrency control in my app. I'm using Flex hence I'm using Spring BlazeDS Integration 1.5.0M2 as well as Spring Security 3.0.5. This is part of my config:

    Code:
    <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
    
    <security:http entry-point-ref="preAuthenticatedEntryPoint">
    	<security:session-management>
    		<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
    	</security:session-management>
    </security:http>
    	
    <bean id="preAuthenticatedEntryPoint" class="org.springframework.flex.security3.FlexAuthenticationEntryPoint"/>
    	 
    <security:authentication-manager>
    	<security:authentication-provider ref="myAuthenticationProvider"/>
    </security:authentication-manager>
    Everything is OK on my first attempt to log in while there is another session - I get the "Maximum sessions of 1 for this principal exceeded" error, which I can handle. But when I try to log in a second time, Spring Security lets me in. Is there something missing in my configuration?

  • #2
    Seriously, no clues? Maybe I will provide more information. First of all, I'm using Tomcat 6.0.29. I check concurrency control in this scenario:
    1) Launch my app in IE on localhost; log in (my login button simply executes channelSet.login(login,password))
    2) Launch my app in Chrome on localhost; log in - I get "Maximum sessions of 1 for this principal exceeded", which I handle on the client side - a popup appears.
    3) Just after the first attempt I click the login button once again and I am logged in.

    While in steps 1 and 2 all these classes do something:

    Code:
    org.springframework.flex.security3.SpringSecurityLoginCommand
    org.springframework.security.authentication.ProviderManager
    org.springframework.flex.security3.FlexSessionAwareSessionAuthenticationStrategy
    org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
    org.springframework.security.core.session.SessionRegistryImpl
    my.package.myAuthenticationProvider
    none of them does anything in step 3. I just click the button and that's it - I am logged in. When I check the sessions with SessionRegistry.getAllSessions(Object principal, boolean includeExpiredSessions) there is only one session.



    • #3
      Hi,

      Nothing has changed since the last post - concurrency control doesn't work for me. I've tried using it without error-if-maximum-exceeded. The result was similar - after logging in for the second time I receive an error in the first browser indicating that the channel set is not connected ("Channel disconnected before an acknowledgement was received") when hitting a server-side service protected with @Secured, but the second hit is successful.

      I've added the session-management tag to security-config.xml and HttpSessionEventPublisher to web.xml in TestDrive - I can observe exactly the same behaviour. Maybe it's some kind of bug?



      • #4
        Sorry for the delayed response...other priorities the last few weeks with the CloudFoundry launch...will look at it today/tomorrow and report back.



        • #5
          Ok, I've tracked down the bug, committed a fix, and published a new snapshot. Give it a try to ensure it works for you.

          Thanks for catching it!



          • #6
            Thanks! I've checked the fix and these are my conclusions:

            1) <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/> everything's OK with this

            2) <security:concurrency-control max-sessions="1"/>

            a) I launch a browser (IE), log in
            b) while logged in in the first browser I launch a second browser (FF/Chrome), log in
            c) I switch back to the first browser and perform an action which invokes a server-side service annotated with @Secured - I get an error. I perform the same action a second time - I get results from the server as if nothing had happened. Now I switch to the second browser (in which I think I should be authenticated and authorized), invoke the service, get the error, get no error the second time, and so on...

            I'm not sure if this behaviour is expected. I realize that in an application I should handle the error returned from the server and automatically log the user out/block the application; probably I should also block the possibility of invoking services while there is no result from the server after the first invocation. It would be nice, though, if the first browser received the error every time it tries to invoke a @Secured-annotated service.

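The two modes compared in the thread (post #1 with error-if-maximum-exceeded="true", post #6 item 2 without it) can be exercised outside Flex/BlazeDS by driving the Spring Security classes the reporter listed in #2 directly. The following is an added example, not code from this thread, from Spring BlazeDS Integration or from Spring Security itself. It assumes Spring Security 3.0.x (where the <concurrency-control> element is backed by ConcurrentSessionControlStrategy and SessionRegistryImpl) and the MockHttpServletRequest/MockHttpServletResponse classes from spring-test on the classpath; the principal "alice", the password and the role are made up for the demonstration, and each MockHttpServletRequest with its own session stands in for one browser.

```java
// Added example (not code from the thread or from Spring). Exercises Spring Security 3.0.x
// concurrency control directly with the classes listed in post #2.
// Assumptions: spring-security-core, spring-security-web and spring-test 3.0.x on the classpath;
// the principal "alice", its password and ROLE_USER are constructed for this demo.
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;

public class ConcurrencyControlDemo {

    /** Programmatic equivalent of <concurrency-control max-sessions="1" error-if-maximum-exceeded="..."/>. */
    static ConcurrentSessionControlStrategy strategy(SessionRegistryImpl registry, boolean errorIfExceeded) {
        ConcurrentSessionControlStrategy s = new ConcurrentSessionControlStrategy(registry);
        s.setMaximumSessions(1);
        s.setExceptionIfMaximumExceeded(errorIfExceeded);
        return s;
    }

    /** A successfully authenticated token, as an AuthenticationProvider would return it. */
    static Authentication alice() {
        return new UsernamePasswordAuthenticationToken("alice", "secret",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    /** One "browser": a request that already carries its own HTTP session. */
    static MockHttpServletRequest browser() {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.getSession(true);
        return request;
    }

    public static void main(String[] args) {
        // Case 1: error-if-maximum-exceeded="true" (post #1, post #6 item 1)
        SessionRegistryImpl registry = new SessionRegistryImpl();
        ConcurrentSessionControlStrategy strict = strategy(registry, true);

        MockHttpServletRequest ie = browser();
        strict.onAuthentication(alice(), ie, new MockHttpServletResponse());
        // Read the id after onAuthentication: session-fixation protection may have migrated the session.
        String ieSessionId = ie.getSession().getId();
        System.out.println("sessions for alice after IE login: "
                + registry.getAllSessions("alice", false).size());

        MockHttpServletRequest chrome = browser();
        try {
            strict.onAuthentication(alice(), chrome, new MockHttpServletResponse());
        } catch (SessionAuthenticationException e) {
            // This is the "Maximum sessions of 1 for this principal exceeded" seen by the Flex client.
            System.out.println("Chrome rejected: " + e.getMessage());
        }
        // The first session is left alone and remains the only registered one.
        System.out.println("IE session expired? " + registry.getSessionInformation(ieSessionId).isExpired());

        // Case 2: no error-if-maximum-exceeded, i.e. the default "expire the oldest session" mode (post #6 item 2)
        registry = new SessionRegistryImpl();
        ConcurrentSessionControlStrategy lenient = strategy(registry, false);

        ie = browser();
        lenient.onAuthentication(alice(), ie, new MockHttpServletResponse());
        ieSessionId = ie.getSession().getId();

        chrome = browser();
        lenient.onAuthentication(alice(), chrome, new MockHttpServletResponse()); // no exception this time
        SessionInformation ieInfo = registry.getSessionInformation(ieSessionId);
        SessionInformation chromeInfo = registry.getSessionInformation(chrome.getSession().getId());
        // The older (IE) session is only flagged as expired in the registry; Chrome's is live.
        System.out.println("IE session expired? " + ieInfo.isExpired());
        System.out.println("Chrome session expired? " + chromeInfo.isExpired());
        System.out.println("active sessions for alice: " + registry.getAllSessions("alice", false).size());
    }
}
```

Two things the demo makes visible that the XML alone does not. In the strict mode the second login fails before any session is registered, so the registry still holds exactly one session, which matches the getAllSessions() observation in #2. In the lenient mode expiring the oldest session is only a flag set on its SessionInformation in the registry; nothing happens to that browser until ConcurrentSessionFilter sees its next request and invalidates the session, which is why the effect is only observed on a later @Secured call from the first browser. Note also that in a real deployment the registry has to be told when sessions are destroyed, which is what the HttpSessionEventPublisher listener the reporter added to web.xml in #3 provides; without it, sessions that time out stay registered and keep counting against max-sessions.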
