Spring Security is able to prevent a principal from concurrently authenticating to the same application more than a specified number of times. Many ISVs take advantage of this to enforce licensing, whilst network administrators like this feature because it helps prevent people from sharing login names. You can, for example, stop user "Batman" from logging onto the web application from two different sessions.
To use concurrent session support, you'll need to add the following to web.xml:
<listener>
    <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>
In addition, you will need to add the org.springframework.security.concurrent.ConcurrentSessionFilter to your FilterChainProxy. The ConcurrentSessionFilter requires two properties: sessionRegistry, which generally points to an instance of SessionRegistryImpl, and expiredUrl, which points to the page to display when a session has expired.
The web.xml HttpSessionEventPublisher causes an ApplicationEvent to be published to the Spring ApplicationContext every time a HttpSession commences or terminates. This is critical, as it allows the SessionRegistryImpl to be notified when a session ends.
You will also need to wire up the ConcurrentSessionControllerImpl and refer to it from your ProviderManager bean:
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <!-- your providers go here -->
    </property>
    <property name="sessionController" ref="concurrentSessionController"/>
</bean>

<bean id="concurrentSessionController" class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
    <property name="maximumSessions" value="1"/>
    <property name="sessionRegistry">
        <bean class="org.springframework.security.concurrent.SessionRegistryImpl"/>
    </property>
</bean>
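The text above describes the two properties of ConcurrentSessionFilter but does not show its bean definition. The following is an added configuration example, not taken from the Spring Security documentation or source: it declares the SessionRegistryImpl as a top-level bean so that the filter and the controller share one registry (the inline inner bean above is private to the controller, so a filter given its own SessionRegistryImpl would never see the sessions the controller records, and the limit would not be enforced). The bean ids concurrentSessionFilter and sessionRegistry and the expiredUrl value are assumptions; substitute your own.

```xml
<!-- Added example: shared registry that both the filter and the controller use.
     Bean ids and the expiredUrl value are placeholders, not values from the original page. -->
<bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl"/>

<!-- The filter checks each request's session against the registry and, when the
     session has been marked expired because the principal exceeded maximumSessions,
     invalidates it and redirects to expiredUrl. Add this bean to the FilterChainProxy. -->
<bean id="concurrentSessionFilter" class="org.springframework.security.concurrent.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry"/>
    <property name="expiredUrl" value="/sessionExpired.jsp"/>
</bean>

<!-- Controller referencing the same registry by id instead of an inline inner bean. -->
<bean id="concurrentSessionController" class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
    <property name="maximumSessions" value="1"/>
    <property name="sessionRegistry" ref="sessionRegistry"/>
</bean>
```

Because the registry is only populated with session-destroyed notifications through the HttpSessionEventPublisher listener shown earlier, omitting that web.xml entry leaves expired sessions counted indefinitely and eventually locks legitimate users out once they hit the maximum.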