
Thread: Concurrent Session Control not working!

  1. #1

    Hi all,
    I'm trying to configure Concurrent Session Control, but it doesn't work. I searched the forum but still cannot find the answer. Please help! Thanks.

    web.xml:
    Code:
     <!-- Routes every request through the Spring-managed bean named springSecurityFilterChain
          (DelegatingFilterProxy resolves the bean from the filter-name). -->
     <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      
      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
      
      <!-- Publishes HTTP session created/destroyed events into the Spring context.
           Concurrent-session tracking depends on the destroyed event to release a user's
           slot when a session is invalidated or times out; without this listener a user
           can stay locked out after the old session is gone. -->
      <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
      </listener>

    applicationContext.xml

    Code:
    <!-- Namespace configuration: form login, logout and concurrent-session control are all
         created by the security namespace and live inside the security filter chain. -->
    <security:http auto-config="true" access-denied-page="/accessDenied.jsf">	
    	
    		<security:intercept-url pattern="/pages/users.jsf" access="ROLE_ADMIN" />
    		<!-- NOTE(review): with Ant-style matching a single * does not cross a path separator,
    		     so resources in sub-directories of /pages/ would presumably not be covered by this
    		     rule, and no catch-all rule follows it. Confirm the intended coverage. -->
    		<security:intercept-url pattern="/pages/*.*" access="ROLE_USER,ROLE_ADMIN" />
    		
    		<security:form-login login-page="/login.jsf" authentication-failure-url="/login.jsf" />
    		<security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/login.jsf" logout-url="/logout.jsf"/>
    			
    		        
            <!-- max-sessions=1 with error-if-maximum-exceeded=true rejects a second login instead of
                 expiring the first session. The limit is evaluated by the session authentication
                 strategy that the filter chain runs after a login it processed itself.
                 NOTE(review): AuthenticationServiceImpl.login on this page authenticates by calling
                 the AuthenticationManager directly from application code, which presumably never
                 reaches that strategy, so the limit would not be applied to those logins. Confirm. -->
            <security:session-management>
            	<security:concurrency-control expired-url="/viewExpired.jsf" max-sessions="1" error-if-maximum-exceeded="true" />
        	</security:session-management>
                
    	</security:http>
    
    <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
    	
    	
    	<security:authentication-manager alias="authenticationManager">
    		
    		<!-- Only the authorities query is overridden here; the user lookup query is left at the
    		     jdbc-user-service default. No password-encoder element is declared on this provider.
    		     NOTE(review): stored passwords are then presumably compared as plain text. Confirm
    		     and configure a salted, adaptive password hash. -->
    		<security:authentication-provider>
    			<security:jdbc-user-service data-source-ref="dataSource" 
    				authorities-by-username-query="select username,authority from users where username=?"/>
    		</security:authentication-provider>
    		
    		
    	</security:authentication-manager>
    AuthenticationServiceImpl:
    Code:
    /**
     * Programmatic login/logout facade over the injected {@link AuthenticationManager}.
     *
     * <p>Both operations act only on the {@code SecurityContextHolder}; nothing in this class
     * touches the HTTP session, a session registry or a session authentication strategy.
     */
    @Service("authenticationService")
    public class AuthenticationServiceImpl implements AuthenticationService {
    
    	@Resource(name = "authenticationManager")
    	private AuthenticationManager authenticationManager;
    
    	/**
    	 * Authenticates the given credentials and, on success, stores the result in the
    	 * current security context.
    	 *
    	 * @param username the submitted user name
    	 * @param password the submitted password
    	 * @return {@code true} if the manager returned an authenticated token, {@code false}
    	 *         if it did not or if an {@code AuthenticationException} was thrown
    	 */
    	@Override
    	public boolean login(String username, String password) {
    		boolean loggedIn = false;
    		try {
    			UsernamePasswordAuthenticationToken credentials =
    					new UsernamePasswordAuthenticationToken(username, password);
    			Authentication result = authenticationManager.authenticate(credentials);
    
    			if (result.isAuthenticated()) {
    				// NOTE(review): this is the only post-login step. No SessionAuthenticationStrategy
    				// is invoked, so a max-sessions limit configured on the filter chain is presumably
    				// never evaluated for logins made through this method - confirm.
    				SecurityContextHolder.getContext().setAuthentication(result);
    				loggedIn = true;
    			}
    		} catch (AuthenticationException e) {
    			// Failure detail goes to stderr only. NOTE(review): route this to the application's
    			// security/audit log so failed logins are visible to monitoring.
    			e.printStackTrace();
    		}
    		return loggedIn;
    	}
    
    	/**
    	 * Removes the authentication from the current security context.
    	 *
    	 * <p>NOTE(review): the HTTP session is not invalidated here and no session registry entry
    	 * is removed; presumably the caller or the configured logout URL handles that - confirm.
    	 */
    	@Override
    	public void logout() {
    		SecurityContextHolder.getContext().setAuthentication(null);
    	}
    
    }

  2. #2

    Those two threads might help:
    http://stackoverflow.com/questions/11062585/spring-concurrent-session-control-not-working-user-can-login-multiple-times
    http://stackoverflow.com/questions/8586824/spring-security-concurrency-control

    I ran into the same problem (with spring-security 3.1.1 and 3.1.2) and solved it by implementing equals() and hashCode() of my custom UserDetails implementation like in org.springframework.security.core.userdetails.User .

  3. #3

    Thank you so much Ninca7.

    Actually, I don't use a custom UserDetails.
    Here is my code:

    Code:
    /*UserDetailEntity class*/
    /**
     * Persistent user record (members elided by the poster are kept as posted).
     * Equality and hash code are derived from the generated {@code id} alone.
     *
     * <p>NOTE(review): the principal handed to Spring Security on this page is the {@code User}
     * built by {@code UserDetailsServiceImpl}, not this entity, so these overrides presumably
     * do not influence concurrent-session matching - confirm.
     */
    public class UserDetailEntity implements Serializable {
    
        @NotNull
        @Column(unique = true)
        private String username;
    
        // Stored credential. NOTE(review): the second applicationContext.xml on this page declares
        // password-encoder hash="sha-256", so this presumably holds an unsalted SHA-256 digest -
        // confirm, and keep this field out of logs and toString().
        @NotNull
        private String password;
    
        @Id
        @GeneratedValue(strategy = GenerationType.AUTO)
        @Column(name = "id")
        private Long id;
        ...........................
    
    	/** Hash of {@code id}; 0 while {@code id} is still null. */
    	@Override
    	public int hashCode() {
    		int hash = 0;
    		hash += (id != null ? id.hashCode() : 0);
    		return hash;
    	}
    
    	
    	/**
    	 * Compares by {@code id} only. Two instances whose {@code id} is null on both sides
    	 * fall through both checks below and compare equal.
    	 */
    	@Override
    	public boolean equals(Object object) {
    		
    		if (!(object instanceof UserDetailEntity)) {
    			return false;
    		}
    
    		UserDetailEntity other = (UserDetailEntity) object;
    
    		// Unequal when exactly this side is null, or when this id differs from the other id.
    		if ((this.id == null && other.id != null)
    				|| (this.id != null && !this.id.equals(other.id))) {
    			return false;
    		}
    		return true;
    	}
        ..................................
    }
    
    
    
    /*UserDetailsServiceImpl class*/
    /**
     * Adapts {@code UserDetailEntity} records to the {@code UserDetails} contract expected by
     * the authentication provider.
     */
    @Service("userDetailsService")
    public class UserDetailsServiceImpl implements UserDetailsService {
    
    	/**
    	 * Looks the user up by name and converts the record to a {@code User}.
    	 *
    	 * @param username the name submitted at login
    	 * @return the user built from the stored record
    	 * @throws UsernameNotFoundException if the lookup returns {@code null}
    	 */
    	@Override
    	public UserDetails loadUserByUsername(String username)
    			throws UsernameNotFoundException {
    
    		UserDetailEntity entity = UserDetailEntity.findUserDetailEntity(username);
    		if (entity != null) {
    			return buildUserFromUserEntity(entity);
    		}
    		throw new UsernameNotFoundException("User not found");
    	}
    
    	/**
    	 * Builds the {@code User} principal with the entity's single authority.
    	 *
    	 * <p>All four account-status flags are taken from {@code isEnabled()}.
    	 * NOTE(review): lock-out and expiry are therefore not tracked separately from the
    	 * enabled flag - confirm that is intended.
    	 */
    	@SuppressWarnings({ "rawtypes", "unchecked" })
    	private  User buildUserFromUserEntity(UserDetailEntity userEntity) {
    
    		Collection grantedAuthorities = new ArrayList();
    		grantedAuthorities.add(new SimpleGrantedAuthority(userEntity.getAuthority()));
    
    		return new User(
    				userEntity.getUsername(),
    				userEntity.getPassword(),
    				userEntity.isEnabled(), // enabled
    				userEntity.isEnabled(), // accountNonExpired
    				userEntity.isEnabled(), // credentialsNonExpired
    				userEntity.isEnabled(), // accountNonLocked
    				grantedAuthorities);
    	}
    }
    
    
    
    
    /*Login Bean class*/
    /**
     * Login action of the bean: delegates to {@code authenticationService.login} with the
     * bean's {@code userName} and {@code userPw} and maps the result to an outcome string.
     *
     * <p>NOTE(review): credentials are checked here in application code rather than being
     * submitted to a Spring Security authentication filter, so session-control logic attached
     * to that filter is presumably not executed for this login - confirm.
     *
     * @return {@code "success"} when the service reports a successful login, else {@code "fail"}
     */
    public String login() {
    	return authenticationService.login(userName, userPw) ? "success" : "fail";
    }
    
    
    /*AuthenticationServiceImpl class*/
    /**
     * Programmatic login/logout facade over the injected {@link AuthenticationManager}.
     *
     * <p>NOTE(review): the applicationContext.xml posted with this class wires the
     * concurrent-session strategy ({@code sas}) into {@code myAuthFilter} and
     * session-management. This class calls the manager directly and never references that
     * strategy, so logins made here presumably bypass the session limit - confirm.
     */
    @Service("authenticationService")
    public class AuthenticationServiceImpl implements AuthenticationService {
    
    	@Resource(name = "authenticationManager")
    	private AuthenticationManager authenticationManager;
    
    	/**
    	 * Authenticates the credentials and publishes the result to the security context.
    	 *
    	 * @param username the submitted user name
    	 * @param password the submitted password
    	 * @return {@code true} only when the manager returns an authenticated token;
    	 *         {@code false} otherwise, including when an {@code AuthenticationException} is thrown
    	 */
    	@Override
    	public boolean login(String username, String password) {
    		try {
    			Authentication result = authenticationManager
    					.authenticate(new UsernamePasswordAuthenticationToken(username, password));
    
    			if (!result.isAuthenticated()) {
    				return false;
    			}
    			// Only the security context is updated; no session registration happens here.
    			SecurityContextHolder.getContext().setAuthentication(result);
    			return true;
    		} catch (AuthenticationException e) {
    			// Failure detail goes to stderr only. NOTE(review): send it to the application's
    			// security/audit log so repeated failures can be detected.
    			e.printStackTrace();
    			return false;
    		}
    	}
    
    	/**
    	 * Clears the authentication held in the current security context.
    	 *
    	 * <p>NOTE(review): neither the HTTP session nor the {@code sessionRegistry} entry is
    	 * released by this method; presumably the logout URL does that - confirm.
    	 */
    	@Override
    	public void logout() {
    		SecurityContextHolder.getContext().setAuthentication(null);
    	}
    
    }

    applicationContext.xml

    Code:
    <!-- Hand-wired variant: auto-config is off, and the concurrency filter, the login filter
         and the session authentication strategy are declared as explicit beans below. -->
    <security:http auto-config="false" access-denied-page="/accessDenied.jsf" entry-point-ref="authenticationProcessingFilterEntryPoint">	
    	
    		<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
         	<security:custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter"/>
         	<security:session-management session-authentication-strategy-ref="sas"/>
         	
    		<security:intercept-url pattern="/pages/users.jsf" access="ROLE_ADMIN" />
    		<!-- NOTE(review): a single * in an Ant-style pattern does not cross a path separator,
    		     so sub-directories of /pages/ are presumably not covered by this rule. Confirm. -->
    		<security:intercept-url pattern="/pages/*.*" access="ROLE_USER,ROLE_ADMIN" />
    		
    		<security:logout invalidate-session="true" logout-success-url="/login.jsf" logout-url="/logout.jsf"/>
    		
    	</security:http>
    	
    	<!-- forceHttps=false keeps the login redirect on whatever scheme the request used.
    	     NOTE(review): confirm TLS is enforced elsewhere so credentials are not sent over plain HTTP. -->
    	<bean id="authenticationProcessingFilterEntryPoint" 
              class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
            <constructor-arg name="loginFormUrl" value="/login.jsf" />
            <property name="forceHttps" value="false"/>
        </bean>
        
    	<!-- Checks the registry on each request and sends sessions marked expired to expiredUrl. -->
    	<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    	   <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    	   <constructor-arg name="expiredUrl" value="/login.jsf" />
      	</bean>
    	
    	<!-- This filter calls sas only for logins submitted to its own processing URL.
    	     NOTE(review): the login bean on this page authenticates through
    	     AuthenticationServiceImpl instead, which presumably bypasses this filter and
    	     therefore sas, leaving the session limit unenforced. Confirm. -->
    	<bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
      	   <property name="sessionAuthenticationStrategy" ref="sas" />
      	   <property name="authenticationManager" ref="authenticationManager" />
    	</bean>
    	
    	<!-- One session per principal; exceptionIfMaximumExceeded=true rejects the new login
    	     rather than expiring the existing session. -->
    	<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    	  <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    	  <property name="maximumSessions" value="1" />
    	  <property name="exceptionIfMaximumExceeded" value="true"/>
    	</bean>
    	
    	<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
    	
    	
    	<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
    	
    	<security:authentication-manager alias="authenticationManager">
    		
    		<!-- hash="sha-256" with no salt source declared: a single unsalted SHA-256 digest.
    		     NOTE(review): this is fast to brute-force if the user table leaks; prefer a salted,
    		     adaptive password hash such as bcrypt. -->
    		<security:authentication-provider user-service-ref="userDetailsService" >
    			<security:password-encoder hash="sha-256"/>
    		</security:authentication-provider>
    		
    	</security:authentication-manager>


    Am I missing something?

    Thanks
    Last edited by warcraft; Sep 27th, 2012 at 12:39 PM.

  4. #4

    Fixed.
    Thanks all.
