I have developed a web application using Spring Security. For login it gets access from LDAP. Now I want to manage the session using Spring Security itself. I can see that by using authentication.getName() I am getting the username, and I can also get the sessionID.
Now I want to make sure that if the same user is trying to login from the same system using some other browser, he should get a message saying that he is already logged in to his account.
Can anyone give an idea how to achieve this?
<security:session-management
    invalid-session-url="/login.jsp?error=sessionExpired"
    session-authentication-error-url="/login.jsp?error=alreadyLogin">
    <security:concurrency-control
        max-sessions="1"
        expired-url="/login.jsp?error=sessionExpiredDuplicateLogin"
        error-if-maximum-exceeded="false" />
</security:session-management>
When I use this and try to login using some other browser it gives me the following error:
HTTP Status 500 - Request processing failed; nested exception is java.lang.IllegalStateException: Cannot call sendError() after the response has been committed
See SessionManagementFilter in Spring Security (org.springframework.security.web.session.SessionManagementFilter). In XML configuration it's represented by a tag called <session-management />.
One way to handle it would be to inject the username into the session when the user logs in and then use an ordinary HttpSessionListener and do the same thing on session timeout.
The concurrent session control feature uses the SessionRegistry to maintain a list of active HTTP sessions along with information about the associated authenticated users. Spring Security updates this SessionRegistry in real time every time a session is created or destroyed.
By default, Spring Security will create a session when it needs one: this is "ifRequired". For a more stateless application, the "never" option will ensure that Spring Security itself won't create any session, but if the application creates one, Spring Security will make use of it.
I may be missing something, but I have tried the following configuration and it works as expected:
<!-- more configuration stuff -->
<sec:form-login login-page="/login.jsp"
    default-target-url="/defaultTarget.jsp"
    authentication-failure-url="/login.jsp?error=true"
    login-processing-url="/login" always-use-default-target="true" />
<sec:session-management>
    <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</sec:session-management>
When I try to log in with the same user from another browser, it takes me to /login.jsp and shows the error message: Maximum sessions of 1 for this principal exceeded
EDIT: you also need to place this in your web.xml
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
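As an added example (not code from the question or either answer), here is the Java-config equivalent of the concurrency-control configuration in the answer above, including the HttpSessionEventPublisher the EDIT mentions and a small SessionRegistry-backed check for the "is this user already logged in?" question. It assumes Spring Security 4.x/5.x with WebSecurityConfigurerAdapter and LDAP principals that implement UserDetails; the /login.jsp URLs are taken from the thread, while the class names ConcurrentSessionConfig and ActiveSessionCheck are illustrative.

```java
// Added example, not part of the original thread. Assumes Spring Security 4.x/5.x.
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrentSessionConfig extends WebSecurityConfigurerAdapter {

    // One shared registry bean, so the filter chain and application code see the same session list.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Equivalent of the web.xml <listener> in the answer: without it the registry is never told
    // that a session was destroyed, so a logged-out or timed-out session keeps counting toward max-sessions.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login.jsp").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.jsp")
                .loginProcessingUrl("/login")
                .failureUrl("/login.jsp?error=true")
                .and()
            .sessionManagement()
                .invalidSessionUrl("/login.jsp?error=sessionExpired")
                // Where the second browser lands when its login is refused.
                .sessionAuthenticationErrorUrl("/login.jsp?error=alreadyLogin")
                .maximumSessions(1)
                // true  == error-if-maximum-exceeded="true": the new login is rejected, the old session survives.
                // false == error-if-maximum-exceeded="false": the old session is expired and sent to expiredUrl().
                .maxSessionsPreventsLogin(true)
                .expiredUrl("/login.jsp?error=sessionExpiredDuplicateLogin")
                .sessionRegistry(sessionRegistry());
    }
}

// Illustrative helper: answers "does this username already have a live session?"
// by querying the same registry the concurrency filter maintains.
class ActiveSessionCheck {

    private final SessionRegistry sessionRegistry;

    ActiveSessionCheck(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    // Registry keys are principal objects (UserDetails for LDAP logins), so match on getUsername().
    boolean isAlreadyLoggedIn(String username) {
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (principal instanceof UserDetails
                    && username.equals(((UserDetails) principal).getUsername())) {
                // false == exclude sessions already marked expired by concurrency control
                List<SessionInformation> live = sessionRegistry.getAllSessions(principal, false);
                if (!live.isEmpty()) {
                    return true;
                }
            }
        }
        return false;
    }
}
```

Note the difference between the two XML snippets in the thread: the question's configuration uses error-if-maximum-exceeded="false" (maxSessionsPreventsLogin(false) here), which lets the second browser in and expires the first session, whereas the answer's configuration uses "true", which is the behaviour the question actually asks for: the second login is refused and the user sees the "Maximum sessions of 1 for this principal exceeded" message on the session-authentication error page.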