Spring Flex and Spring Security Concurrent Session Management

I am building an application using spring 3.0.5, spring integration 1.0.3, spring security 3.0.5 and blazeds 3.2.0.3978.

I am trying to enable the concurrent control in the system and until now I can't find the appropriate configuration for that.

These are the configuration:

spring-security.xml

Code:

---

<security:http entry-point-ref="entryPoint">
        <security:anonymous enabled="false"/>
        <security:session-management>
                <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </security:session-management>
        <security:logout/>
</security:http>

---

spring-remoting.xml

Code:

---

<flex:message-broker>
        <flex:mapping pattern="messagebroker/*" />
        <flex:secured per-client-authentication="false"/>
</flex:message-broker>

---

I debugged the code and found:

- The concurrent filter is configured
- The session management filter is configured
- The concurrent strategy is configured
- The SpringSecurityLoginCommand doAuthtntication method runs after the session management filter runs the doFilter method which cause that the session management filter doesn't feel with the authentication in the spring context

Code:

---

if (!securityContextRepository.containsContext(request)) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

            if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
            // The user has been authenticated during the current request, so call the session strategy
                try {
                    sessionStrategy.onAuthentication(authentication, request, response);
                } catch (SessionAuthenticationException e) {
                    // The session strategy can reject the authentication
                    logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
                    SecurityContextHolder.clearContext();
                    failureHandler.onAuthenticationFailure(request, response, e);

                    return;
                }
                // Eagerly save the security context to make it available for any possible re-entrant
                // requests which may occur before the current request completes. SEC-1396.
                securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
            }

---

I had made more further investigation and found that LoginCommand is invoked from MessageBrokerServlet which is invoked after the filter chain which cause that the concurrent session strategy isn't invoked to control the concurrent session.

Thanks a lot in advance for your help

This seems like a general gap in our integration due to the changes to how session management is handled in Spring Security 3. I have opened a Jira for it:
https://jira.springframework.org/browse/FLEX-166

In the meantime, you could consider implementing a special MessageInterceptor that implements the necessary behavior (invoking the SessionAuthenticationStrategy, etc.) when necessary.

hi,

i'm using Spring BlazeDS Integration 1.5RC1, BlazeDS 4.0.0.14931, Spring Security 3.0.3 and i'm still having problem with concurrent session management - it doesn't seem to work (despite FLEX-165 and FLEX-166 have been resolved)

my confiuguration:
security-config.xml

Code:

---

    <http entry-point-ref="entryPoint">
        <anonymous enabled="false"/>
        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </session-management>
    </http>

<beans:bean id="entryPoint" class="org.springframework.flex.security3.FlexAuthenticationEntryPoint"/>

    <authentication-manager alias="springAuthManager">
        <authentication-provider ref="daoAuthenticationProvider"/>
    </authentication-manager>
<beans:bean id="passwordEncoder"
                class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <beans:constructor-arg value="256"/>
    </beans:bean>

    <beans:bean id="saltSource"
                class="org.springframework.security.authentication.dao.ReflectionSaltSource">
        <beans:property name="userPropertyToUse" value="accountId"/>
    </beans:bean>

    <beans:bean id="daoAuthenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="deUserDetailsService"/>
        <beans:property name="passwordEncoder" ref="passwordEncoder"/>
        <beans:property name="saltSource" ref="saltSource"/>
        <beans:property name="hideUserNotFoundExceptions" value="false"/>
    </beans:bean>

---

dispatcher-servletx.xml:

Code:

---

<flex:message-broker>
        <flex:exception-translator ref="deExceptionTranslator"/>
        <!--                <flex:remoting-service default-channels="my-amf"/>-->
        <flex:secured per-client-authentication="false"/>
    </flex:message-broker>

    <flex:remoting-destination ref="configurationService"/>
    <flex:remoting-destination ref="authenticationService"/>
    <flex:remoting-destination ref="administrationService"/>

---

web.xml:

Code:

---

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>flex.messaging.HttpFlexSession</listener-class>
    </listener>

    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>pl.dataexplorer.commons.spring.DeDispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/messagebroker/*</url-pattern>
    </servlet-mapping>

---

do I need to add anything else in my spring configuration files or web.xml? plz. tell me what am I doing wrong..

Thanks in advance!

The problem is still there on 1.5.0 RELEASE, is there anyone who has fixed it??????

Hi,

I am also trying to integrate Flex with Spring security.
Can you please let me whether you solved the problem?

regards,
Salini

Hello,

I'm facing the same problem. Do you plan to have a new version with a solution to this problem ?
Waiting for it, how can I do the same code as following for a given sessionId ?

Quote:

---

protected Authentication getAuthentication() {
SecurityContext securityContext = SecurityContextHolder.getContext();
Authentication authentication = securityContext.getAuthentication();
return authentication;
}

---

With such a code, I could delete a previous session when a user try to loggin a second time.

Thanks a lot for your help