Is it possible to send any additional information besides the username and password to the custom authentication Manager while implementing Spring security?

I have a login form containing three fields viz. username, password and workspace of the user. I have created a custom Authentication Provider by implementing AuthenticationProvider interface and overriding authenticate method. So, by directing to /j_spring_security_check I want the extra field workspace also in my custom manager.

http://static.springsource.org/spring-security/site/faq.html#faq-extra-login-fields

Thanks Luke for a quick response.
Regards,
Vinee

Hi,
In the same spring security configuration, I am applying the concurrent session control as well. I have modified the spring security configuration file and added the following peice of code:

<beans:bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionReg istryImpl"/>

<beans:bean id="defaultConcurrentSessionController" class="org.springframework.security.concurrent.Concurrent SessionControllerImpl">
<beans:property name="maximumSessions" value="1"/>
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="exceptionIfMaximumExceeded" value="true" />
</beans:bean>

More over under the providers I am referencing the defaultConcurrentSessionController as follows:
<beans:property name="sessionController" ref="defaultConcurrentSessionController"/>

I have a couple of queries here:

1. The approach that I have mentioned above works fine in the sense that, when a user have a session already existing, he cant open a new session. In case the user tries to open a new browser and enters his credentials, he will be directed to the error page being defined in the spring security config file. How can I define a different url in this case. I read about expired-url property, but the same is not working for me. How to do the configuration for a url to be directed in case the user already has a active session?

2. The second thing is this concurrent session control works on per user that is it doesnt allow the same user to have two different sessions but allows two different users to have two sessions simultaneosly. My requirement is to allow only one session of the application irrespective of the user. How can I achieve this using spring security.



This is basically required as I would be having this application deployed on individual systems and I dont want two users to have their sessions simultaneously open in the same system