
Originally Posted by rohan123
If you want to get the values from the database, then the obvious solution is to override the concurrency control class.
Code:
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="maximumSessions" value="1" />
</beans:bean>
This is the default entry with the beans namespace.
You can override the given "ConcurrentSessionControlStrategy" and add DataAccess logic there, and specify your custom class here.
First off...thank you for taking the time to reply. Much appreciated. Also...I am sorry that I was not clearer in my initial posting. I am aware of your suggestion and it was the reason I posted in the first place. In my post I was hoping to determine if there was a far more direct and simple strategy for specifying this property other than customizing the ConcurrentSessionControlStrategy itself.
This was a road I'd already started down, but upon doing so and surveying the results the amount of custom bean configuration (outside the scope of the default http namespace configuration) seemed really unreasonable. All of it necessary only to specify this single property dynamically upon startup (and because a property configurer cannot be applied within the max-sessions attribute of the <concurrency-control /> element).
The "rough" pseudo-configuration may be as follows. I am aware this may not be complete and the wiring needs tweaking...but the reason I post it is that it illustrates the extent of the customizations needed purely to apply the property configurer:
Code:
<bean id="concurrencyFilter"
      class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry" />
    <property name="expiredUrl"
              value="/index.html?spring.security.error=expired.session" />
</bean>
<bean id="customAuthFilter"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy" ref="sas" />
    <property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="sas"
      class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <!-- placeholder resolved at startup by the property configurer -->
    <property name="maximumSessions"
              value="${MAX_SESSIONS}" />
    <property name="exceptionIfMaximumExceeded" value="true" />
</bean>
<bean id="sessionRegistry"
      class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="authenticationEntryPoint"
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/index.html" />
</bean>
...
...
And then modification to the http namespace configuration that would be something similar to:
Code:
<!-- auto-config now set to false in order to allow for customizations -->
<security:http auto-config="false" use-expressions="true">
    <security:session-management session-authentication-strategy-ref="sas">
        <!-- COMMENTED OUT as now replaced by session-authentication-strategy-ref above...
        <security:concurrency-control
            max-sessions="30" error-if-maximum-exceeded="true"
            expired-url="/index.html?spring.security.error=expired.session" />
        -->
    </security:session-management>
    <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="customAuthFilter" />
    ...
    ...
Thus, my posting was to determine if there was a direct way to handle this that I'm not aware of.
Thanks again for the feedback,
Kind Regards,
Todd
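
The override suggested in the quoted reply, sketched as an added example that is not part of either poster's code: a subclass of ConcurrentSessionControlStrategy that resolves the limit per login through getMaximumSessionsForThisUser. The class name, the MaxSessionsSource interface and the fallbackMaximum parameter are hypothetical and stand in for whatever data access the application uses.

```java
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;

/** Added example: session limit resolved from an external source at login time. */
public class LookupConcurrentSessionControlStrategy extends ConcurrentSessionControlStrategy {

    /** Hypothetical lookup (for example a DAO); not a Spring Security type. */
    public interface MaxSessionsSource {
        Integer maxSessionsFor(String username);
    }

    private final MaxSessionsSource source;
    private final int fallbackMaximum;

    public LookupConcurrentSessionControlStrategy(SessionRegistry sessionRegistry,
            MaxSessionsSource source, int fallbackMaximum) {
        super(sessionRegistry);
        if (fallbackMaximum < 1) {
            throw new IllegalArgumentException("fallbackMaximum must be at least 1");
        }
        this.source = source;
        this.fallbackMaximum = fallbackMaximum;
        setMaximumSessions(fallbackMaximum);
        setExceptionIfMaximumExceeded(true);
    }

    @Override
    protected int getMaximumSessionsForThisUser(Authentication authentication) {
        Integer configured;
        try {
            configured = source.maxSessionsFor(authentication.getName());
        } catch (RuntimeException e) {
            // Lookup failed: keep a limit enforced rather than dropping it.
            return fallbackMaximum;
        }
        // The parent class treats -1 as "unlimited" and 0 rejects every login,
        // so only a positive stored value is honoured.
        if (configured == null || configured < 1) {
            return fallbackMaximum;
        }
        return configured;
    }
}
```

Wired in as the class of the "sas" bean, this still needs the explicit filter and session-management configuration shown in the post; it changes where the limit comes from, not how much custom wiring is required.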