I am building an application using Spring 3.0.5, Spring Integration 1.0.3, Spring Security 3.0.5 and BlazeDS 3.2.0.3978.

I am trying to enable concurrency control in the system, and so far I have not found the appropriate configuration for it.

This is the configuration:

spring-security.xml

Code:
<security:http entry-point-ref="entryPoint">
	<security:anonymous enabled="false"/>
	<security:session-management>
		<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
	</security:session-management>
	<security:logout/>
</security:http>

spring-remoting.xml

Code:
<flex:message-broker>
	<flex:mapping pattern="messagebroker/*" />
	<flex:secured per-client-authentication="false"/>
</flex:message-broker>

I debugged the code and found:

- The concurrent filter is configured
- The session management filter is configured
- The concurrent strategy is configured
- The SpringSecurityLoginCommand doAuthentication method runs after the session management filter runs its doFilter method, so the session management filter is not aware of the authentication in the Spring context

Code:
        if (!securityContextRepository.containsContext(request)) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

            if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
                // The user has been authenticated during the current request, so call the session strategy
                try {
                    sessionStrategy.onAuthentication(authentication, request, response);
                } catch (SessionAuthenticationException e) {
                    // The session strategy can reject the authentication
                    logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
                    SecurityContextHolder.clearContext();
                    failureHandler.onAuthenticationFailure(request, response, e);

                    return;
                }
                // Eagerly save the security context to make it available for any possible re-entrant
                // requests which may occur before the current request completes. SEC-1396.
                securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
            }

I investigated further and found that LoginCommand is invoked from MessageBrokerServlet, which is invoked after the filter chain, so the concurrent session strategy is never invoked to control concurrent sessions.

Thanks a lot in advance for your help.
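
The ordering problem described in the post, as an added self-contained model (not part of the original post, and not Spring Security or BlazeDS code): it contrasts a login performed in the servlet after the filter chain with one performed by a filter that runs before the session check. Every name in it (`FilterOrderModel`, `LoginAt`, `registry`, `savedContext`) is a hypothetical stand-in.

```java
import java.util.*;

// Model of the request flow described in the post. Every name here is a
// hypothetical stand-in, not a Spring Security or BlazeDS API.
public class FilterOrderModel {
    enum LoginAt { EARLIER_FILTER, SERVLET }       // where the credentials are checked

    static final int MAX_SESSIONS = 1;             // mirrors max-sessions="1"
    final Map<String, Set<String>> registry = new HashMap<>();  // user -> session ids
    final Map<String, String> savedContext = new HashMap<>();   // session id -> user

    // Stand-in for the session strategy: rejects a new session over the limit.
    void onAuthentication(String user, String sessionId) {
        Set<String> sessions = registry.computeIfAbsent(user, k -> new HashSet<>());
        if (!sessions.contains(sessionId) && sessions.size() >= MAX_SESSIONS)
            throw new IllegalStateException("maximum sessions exceeded for " + user);
        sessions.add(sessionId);
    }

    // One login request on a fresh session; returns false if the strategy rejected it.
    boolean login(String sessionId, String user, LoginAt where) {
        String current = savedContext.get(sessionId);        // null on a fresh session
        if (where == LoginAt.EARLIER_FILTER) current = user; // authenticated before the check
        try {
            // Session management step, same shape as the snippet in the post: it acts
            // only if no context is saved yet and a user is authenticated right now.
            if (!savedContext.containsKey(sessionId) && current != null)
                onAuthentication(current, sessionId);
        } catch (IllegalStateException rejected) {
            return false;
        }
        if (where == LoginAt.SERVLET) current = user;         // login runs after the filters
        savedContext.put(sessionId, current);                 // context saved at end of request
        return true;
    }

    public static void main(String[] args) {
        FilterOrderModel servletLogin = new FilterOrderModel();
        servletLogin.login("S1", "alice", LoginAt.SERVLET);
        System.out.println("servlet login, second session accepted: "
                + servletLogin.login("S2", "alice", LoginAt.SERVLET));

        FilterOrderModel filterLogin = new FilterOrderModel();
        filterLogin.login("S1", "alice", LoginAt.EARLIER_FILTER);
        System.out.println("filter login, second session accepted: "
                + filterLogin.login("S2", "alice", LoginAt.EARLIER_FILTER));
    }
}
```

In the servlet case the registry stays empty, so the limit is never evaluated for either session.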