Spring Security Max Login Session

spring-security

I have a problem with my J2EE application using Spring Security. I set max-sessions in concurrent-session-control to 1. It works fine: when I try to log in a second time, it stops me. But when I log out of the other one and try to log in again, I still get the same message.

Your login attempt was not successful, try again.
Reason: Maximum sessions of 1 for this principal exceeded

I have this in my http security

 <security:logout logout-url="/logout.do"
  invalidate-session="true" logout-success-url="/logoutSuccess.do" />
 <security:concurrent-session-control
  max-sessions="1" exception-if-maximum-exceeded="true" expired-url="/loginform.do" />

Best Answer

It's been quite a while since you posted this, but if anyone else is having this problem I believe this behavior will occur if you don't add org.springframework.security.web.session.HttpSessionEventPublisher as a listener in your web.xml.

See here:

Adding the listener to web.xml causes an ApplicationEvent to be published to the Spring ApplicationContext every time a HttpSession commences or terminates. This is critical, as it allows the SessionRegistryImpl to be notified when a session ends. Without it, a user will never be able to log back in again once they have exceeded their session allowance, even if they log out of another session or it times out.
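The listener registration the answer refers to, as an added example that is not part of the original answer. The file location, the 30-minute timeout and the Spring Security 2.0 package note are assumptions, labelled in the comments.

```xml
<!-- WEB-INF/web.xml fragment: place inside the existing <web-app> element -->

<!-- Publishes HttpSessionCreatedEvent and HttpSessionDestroyedEvent into the
     Spring ApplicationContext, so SessionRegistryImpl removes a session from
     its count when the user logs out or the session times out. -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- Assumption: the <concurrent-session-control> element in the question is
     Spring Security 2.0 namespace syntax. In 2.0.x the publisher class is in
     the ui.session package, so use this listener instead of the one above:
<listener>
    <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>
-->

<!-- Constructed value: idle sessions are destroyed after 30 minutes. With the
     listener in place, the timeout also frees the principal's session slot. -->
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
```

The class named in `<listener-class>` must match the Spring Security version on the classpath. If it does not exist there, the container fails the listener at startup, which is easier to spot than a registry that silently never releases sessions.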