Reputation: 16158
I have used Spring Security 3.0.7 and I am implementing concurrency control in my project. But it is not working. I have used

    <security:session-management>
        <security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
    </security:session-management>

I even tried the solution from the Spring Security reference, but it didn't work out. Here is my configuration file content:
        <session-management session-authentication-strategy-ref="sas"/>
    </http>

    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/session-expired.htm" />
    </beans:bean>

    <beans:bean id="myAuthFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy" ref="sas" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <beans:bean id="sas"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />
I am getting the following exception:
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Filter beans '<myAuthFilter>' and '<org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0>' have the same 'order' value. When using custom filters, please make sure the positions do not conflict with default filters. Alternatively you can disable the default filters by removing the corresponding child elements from <http> and avoiding the use of <http auto-config='true'>.
Offending resource: class path resource [config/auth.xml]
at org.springframework.beans.factory.parsing.FailFastProblemReporter.error(FailFastProblemReporter.java:68)
at org.springframework.beans.factory.parsing.ReaderContext.error(ReaderContext.java:85)
at org.springframework.beans.factory.parsing.ReaderContext.error(ReaderContext.java:72)
at org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.checkFilterChainOrder(HttpSecurityBeanDefinitionParser.java:196)
at org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.parse(HttpSecurityBeanDefinitionParser.java:132)
at org.springframework.security.config.SecurityNamespaceHandler.parse(SecurityNamespaceHandler.java:86)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1338)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1328)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:93)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390)
Can anyone help with this question?
Upvotes: 8
Views: 18894
Reputation: 16158
If you have written UserPrincipal and UserPrincipalImpl (your own implementation), you should override Object's equals() and hashCode() methods.
Upvotes: 2
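The reason behind this answer is that SessionRegistryImpl keeps its principal-to-sessions map keyed by the principal object itself, so two logins of the same user are only counted against max-sessions if the two principal instances compare equal. The following is an added example written for this page, not code from the answer above or from Spring Security; it assumes spring-security-core 3.0.x on the classpath, and the session ids and usernames are constructed values.

```java
// Added example: why a custom principal needs equals()/hashCode() under
// concurrency control. Assumes spring-security-core 3.0.x on the classpath.
import java.util.List;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistryImpl;

public class PrincipalEqualityDemo {

    /** Principal WITHOUT equals/hashCode: every login looks like a different user. */
    static final class BrokenPrincipal {
        final String username;
        BrokenPrincipal(String username) { this.username = username; }
        @Override public String toString() { return username; }
    }

    /** Principal WITH equals/hashCode based on the stable identity (the username). */
    static final class UserPrincipalImpl {
        private final String username;
        UserPrincipalImpl(String username) { this.username = username; }

        @Override public boolean equals(Object o) {
            if (this == o) return true;
            if (!(o instanceof UserPrincipalImpl)) return false;
            return username.equals(((UserPrincipalImpl) o).username);
        }
        @Override public int hashCode() { return username.hashCode(); }
        @Override public String toString() { return username; }
    }

    /**
     * Registers two sessions for "the same user", built as two separate principal
     * objects the way two successive logins would produce them, and returns how many
     * sessions the registry attributes to the second instance. This is the same
     * lookup ConcurrentSessionControlStrategy performs before applying max-sessions.
     */
    static int sessionsSeenForSecondLogin(Object firstLogin, Object secondLogin) {
        SessionRegistryImpl registry = new SessionRegistryImpl();
        registry.registerNewSession("session-A", firstLogin);   // constructed session ids
        registry.registerNewSession("session-B", secondLogin);
        List<SessionInformation> sessions = registry.getAllSessions(secondLogin, false);
        return sessions.size();
    }

    public static void main(String[] args) {
        // Without equals/hashCode the second principal object is an unknown key,
        // so max-sessions="1" is never reached and concurrency control appears to do nothing.
        System.out.println("no equals/hashCode: " + sessionsSeenForSecondLogin(
                new BrokenPrincipal("alice"), new BrokenPrincipal("alice")));
        // With equals/hashCode both sessions hang off the same principal key,
        // which is what the strategy counts against max-sessions.
        System.out.println("with equals/hashCode: " + sessionsSeenForSecondLogin(
                new UserPrincipalImpl("alice"), new UserPrincipalImpl("alice")));
    }
}
```

Run with spring-security-core on the classpath: the BrokenPrincipal case reports a single session for the second login, while UserPrincipalImpl reports both, which is the count the concurrency check needs in order to enforce max-sessions="1".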
Reputation: 1866
The documentation says:

Adds support for concurrent session control, allowing limits to be placed on the number of active sessions a user can have. A ConcurrentSessionFilter will be created, and a ConcurrentSessionControlStrategy will be used with the SessionManagementFilter. If a form-login element has been declared, the strategy object will also be injected into the created authentication filter. An instance of SessionRegistry (a SessionRegistryImpl instance unless the user wishes to use a custom bean) will be created for use by the strategy.

So you cannot use the custom-filter tag here. That is why it might be giving an error. I took the above content from this URL. Check this out:
Upvotes: 3
Reputation: 22742
If you use the concurrency-control namespace element, a ConcurrentSessionFilter will be added to the filter chain automatically, hence you cannot use custom-filter to add one at the same location or you will get this error.

The same problem will occur if you use form-login (or auto-config) and attempt to add a UsernamePasswordAuthenticationFilter using custom-filter. It looks like that is causing the specific issue you have here (with your bean myAuthFilter).

You should probably add the rest of your http element configuration to the question to make it more obvious where the conflict is coming from.
Upvotes: 4
Reputation: 7722
I have the following applicationContext-security.xml and it works perfectly.

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:security="http://www.springframework.org/schema/security"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <context:component-scan base-package="com.mycompany.test"/>

        <security:http use-expressions="true">
            <security:http-basic/>
            <security:intercept-url pattern="/**" access="isAuthenticated()" />
            <security:session-management>
                <security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
            </security:session-management>
        </security:http>

        <security:global-method-security secured-annotations="enabled"/>

        <security:authentication-manager>
            <security:authentication-provider>
                <security:user-service>
                    <security:user name="restuser" password="restuser" authorities="ROLE_RESTCLIENT"/>
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>
    </beans>
To test it properly you should do the following: open the website in two different browsers and clear the cookies. The first time you can log in; the second time you cannot. You should see the HTTP authentication form being displayed by the browser in both cases. If you don't see it, it means you are already authenticated in a previous session, hence you need to delete your cookies. (To be on the safe side you should test it with two different browsers, otherwise the cookies might be shared.)
Upvotes: 1
Reputation: 134
Add the following to web.xml:

    <listener>
        <listener-class>
            org.springframework.security.web.session.HttpSessionEventPublisher
        </listener-class>
    </listener>
Upvotes: 2
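What this listener does for concurrency control: SessionRegistryImpl only forgets a session when it receives a session-destroyed event, and HttpSessionEventPublisher is what turns the container's sessionDestroyed callback (logout, timeout) into that event. Without it, a user's previous session keeps counting against max-sessions="1" after they log out, and with error-if-maximum-exceeded="true" their next login is rejected. The following is an added example written for this page, not code from the answer or from Spring Security; it assumes spring-security-core 3.0.x on the classpath, uses a constructed session id and username, and stands in for the destroyed event with the registry call that handling the event ends up making.

```java
// Added example: the registry clean-up that HttpSessionEventPublisher drives.
// Assumes spring-security-core 3.0.x on the classpath; ids are constructed.
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;

public class SessionRegistryCleanupDemo {

    /**
     * Mirrors the check ConcurrentSessionControlStrategy makes with
     * max-sessions="1" and error-if-maximum-exceeded="true": a new login is
     * rejected once the registry already holds the allowed number of
     * non-expired sessions for that principal.
     */
    static boolean loginAllowed(SessionRegistry registry, Object principal, int maxSessions) {
        int active = registry.getAllSessions(principal, false).size();
        return active < maxSessions;
    }

    /** Simulates the sequence login, logout without the listener, logout with the listener. */
    static boolean[] runScenario() {
        SessionRegistryImpl registry = new SessionRegistryImpl();
        String user = "alice";   // String has value-based equals/hashCode, so it is a safe registry key
        boolean[] outcome = new boolean[3];

        registry.registerNewSession("session-1", user);          // first login (constructed id)
        outcome[0] = loginAllowed(registry, user, 1);             // a second concurrent login is refused

        // The user logs out (or the session times out). Without HttpSessionEventPublisher
        // in web.xml nothing tells the registry, so session-1 is still counted and the
        // user is locked out of logging in again.
        outcome[1] = loginAllowed(registry, user, 1);

        // With the listener registered, the container's sessionDestroyed callback is
        // published as a SessionDestroyedEvent and SessionRegistryImpl handles it by
        // removing the session information for that id; this direct call stands in
        // for the event (assumption: we call the registry method the handler uses).
        registry.removeSessionInformation("session-1");
        outcome[2] = loginAllowed(registry, user, 1);             // login allowed again
        return outcome;
    }

    public static void main(String[] args) {
        boolean[] outcome = runScenario();
        System.out.println("second login while session-1 is live:   " + outcome[0]);
        System.out.println("login after logout, no listener:         " + outcome[1]);
        System.out.println("login after logout, with listener:       " + outcome[2]);
    }
}
```

The middle case is the one people hit in practice: concurrency control appears to work once and then locks the user out, which is a missing-listener symptom rather than a bug in the session-management configuration.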