

Unable to make Spring 3 Session Concurrency Control work

Using Spring Security 3.1.0, I cannot seem to get the concurrent session control feature to work. When I log into my system at the same time using IE and Firefox (both on my local workstation) I see my user principal in the session registry twice. I am expecting the concurrent session control to log me out, throw an exception, or otherwise indicate that I am logged into the site more than once and that this is not permitted.

For what it's worth, I could not get the concurrency control to work at all using the auto config of the HTTP namespace element, even with specifying that my site uses a custom login form. I'm wondering if that might be due to the fact that my authentication is provided via LDAP...?

Here's my security config.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns=""
 xmlns:beans="" xmlns:xsi=""
 <!-- NOTE: as pasted, this listing has lost the namespace URIs, most class="..." values
      and nearly every closing tag, so it is not well-formed as shown; it documents the
      wiring, not a file that can be loaded verbatim. -->

 <!-- Concurrency control is wired by hand: both filters are supplied as custom-filter
      entries and session-management points at the same strategy bean ("sas") that
      myAuthFilter uses, so the login filter and the session layer share one strategy. -->
 <http auto-config="false" use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint">
     <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
     <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter"/>
     <session-management session-authentication-strategy-ref="sas"/>
  <!-- Public paths first, then the two role-gated admin areas, then a catch-all that
       requires authentication. -->
  <intercept-url pattern="/" access="permitAll" />
  <intercept-url pattern="/css/**" access="permitAll" />
  <intercept-url pattern="/images/**" access="permitAll" />
  <intercept-url pattern="/js/**" access="permitAll" />
  <intercept-url pattern="/public/**" access="permitAll" />
  <intercept-url pattern="/home/**" access="permitAll" />
  <intercept-url pattern="/admin/user/**" access="hasRole('AUTH_MANAGE_USERS')" />
  <intercept-url pattern="/admin/group/**" access="hasRole('AUTH_MANAGE_USERS')" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
  <access-denied-handler error-page="/403.html"/>
  <logout invalidate-session="true" logout-success-url="/public/"/>

    <!-- Entry point for unauthenticated requests: redirects to the login form at /public/.
         forceHttps=false means the redirect does not upgrade to HTTPS; confirm that TLS is
         enforced elsewhere (container or proxy), otherwise submitted credentials travel in
         clear text. -->
    <beans:bean id="authenticationProcessingFilterEntryPoint"
        <beans:property name="loginFormUrl" value="/public/"/>
        <beans:property name="forceHttps" value="false"/>

  <!-- Session filter side of concurrency control: consults the shared sessionRegistry and
       sends a request on an expired session to /expired.html. -->
  <beans:bean id="concurrencyFilter"
     <beans:property name="sessionRegistry" ref="sessionRegistry" />
     <beans:property name="expiredUrl" value="/expired.html" />

   <!-- Login filter (class omitted in this listing). It must reference the same
        sessionAuthenticationStrategy as session-management above, which it does. -->
   <beans:bean id="myAuthFilter" class="">
     <beans:property name="sessionAuthenticationStrategy" ref="sas" />
     <beans:property name="authenticationManager" ref="authenticationManager" />

   <!-- Session authentication strategy (class omitted in this listing).
        maximumSessions=1 with exceptionIfMaximumExceeded=true is meant to reject a second
        login for the same principal rather than expiring the first one. Whether two logins
        count as "the same principal" depends on the registry matching the UserDetails
        objects it stores, i.e. on their equals()/hashCode(); two entries for one user in the
        registry (as reported above) point at that comparison, not at these values. -->
   <beans:bean id="sas" class="">
     <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
     <beans:property name="maximumSessions" value="1" />
     <beans:property name="exceptionIfMaximumExceeded" value="true"/>

 <!-- Two LDAP providers, tried in order; both map entries through the same
      permissionedUserContextMapper, so that mapper decides the UserDetails type. -->
 <authentication-manager alias="authenticationManager">
  <authentication-provider ref='ldapProvider' />
  <authentication-provider ref="externalUserLdapProvider"/>

 <!-- Shared registry used by both concurrencyFilter and sas (class omitted in this listing). -->
 <beans:bean id="sessionRegistry" class="" />

 <!-- Exposes the current security context via a static factory method. -->
 <beans:bean id="securityContext" 
  class="" factory-method="getContext"/>

 <!-- Primary (AD) provider: bind authenticator plus userService for authorities, with the
      custom context mapper (class omitted in this listing). -->
 <beans:bean id="ldapProvider"
  <beans:constructor-arg ref="bindAuthenticator" />
  <beans:constructor-arg ref="userService" />
  <beans:property name="userDetailsContextMapper" ref="permissionedUserContextMapper" />

 <!-- Custom mapper; presumably this is where the application's UserDetails implementation
      is built (verify equals()/hashCode() there, see note on "sas"). -->
 <beans:bean id="permissionedUserContextMapper"
  class="...service.impl.PermissionedUserContextMapperImpl" >
  <beans:property name="userDao" ref="userDao"/>

 <!-- LDAP via AD-->
 <beans:bean id="bindAuthenticator"
  <beans:constructor-arg ref="contextSource" />
  <beans:property name="userSearch" ref="userSearch" />

 <!-- searchSubtree has no value in this listing. -->
 <beans:bean id="userSearch"
  <beans:constructor-arg ref="contextSource" />
  <beans:property name="searchSubtree">

 <!-- Directory connection; the lines carrying the class and the URL constructor-arg appear
      to be truncated here. The service-account bind DN and password are held inline in this
      file (redacted in the listing); prefer sourcing them from an external property or
      secret store so the configuration can be shared without the credential. -->
 <beans:bean id="contextSource"
   value="ldap://omitted" />
  <beans:property name="userDn"
   value="ommitted" />
  <beans:property name="password" value="omitted" />

 <!--  Second LDAP Authenticator (Apache DS) -->
     <beans:bean id="externalUserLdapProvider" class="">
         <beans:constructor-arg ref="externalUserBindAuthenticator"/>
  <beans:constructor-arg ref="userService" />
  <beans:property name="userDetailsContextMapper" ref="permissionedUserContextMapper" />

 <!-- userDnPatterns has no value in this listing. -->
 <beans:bean id="externalUserBindAuthenticator" class="">
  <beans:constructor-arg ref="externalUserContextSource" />
  <beans:property name="userDnPatterns">

 <!-- Second directory; no bind credentials shown for it in this listing. -->
 <beans:bean id="externalUserContextSource" 
     <beans:constructor-arg value="ldap://omitted"/>


Am I missing some property that should tell the concurrency control strategy to barf if the user opens more than one session? I know the same user is opening more than one session, as I am seeing duplicate principals in the session registry.

Any/all replies are very much appreciated! Thanks in advance!



Answers (1)



SessionRegistry uses equals()/hashCode() of UserDetails to find sessions of the same user. If you have a custom UserDetails implementation, perhaps those methods aren't implemented, so each login is registered as a different principal.

