Results 1 to 2 of 2

Thread: Concurrent Session Control in Preauthenticated Bean Based Configuration Scenario

  1. Sep 5th, 2012, 08:51 AM #1
    kmansoor
    kmansoor is offline Junior Member
    Join Date
    Aug 2010
    Posts
    26

    Default Concurrent Session Control in Preauthenticated Bean Based Configuration Scenario

    I'm using Spring Security 3.0.5. I think my configuration is correct, problem is how to wire the ConcurrentSessionControlStrategy class:

    My config.xml is as follows:
    Code:
    <beans:bean id="springSecurityFilterChain"
		class="org.springframework.security.web.FilterChainProxy">
		<filter-chain-map path-type="ant">
			<filter-chain pattern="/**/resources/**" filters="none" />
			<filter-chain pattern="/**/logout/**" filters="none" />
			<filter-chain pattern="/service/**" filters="none" />
			<filter-chain pattern="/**"
				filters="sif,shibbolethFilter,concurrencyFilter,logoutFilter,etf,fsi" />

		</filter-chain-map>
	</beans:bean>

	<beans:bean id="sif"
		class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

	<beans:bean id="shibbolethFilter"
		class="PreAuthenticatedShibbolethAuthenticationFilter">
		<beans:property name="authenticationManager" ref="authenticationManager" />
		<beans:property name="exceptionIfHeaderMissing" value="true" />
		<beans:property name="continueFilterChainOnUnsuccessfulAuthentication"
			value="true" />
		<beans:property name="authenticationSuccessHandler"
			ref="customAuthenticationSuccessHandlerBean" />		
	</beans:bean>

	<beans:bean id="sas"
		class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">		
		<beans:constructor-arg name="sessionRegistry"
			ref="sessionRegistry" />
		<beans:property name="maximumSessions" value="1" />
	</beans:bean>

	<beans:bean id="sessionRegistry"
		class="org.springframework.security.core.session.SessionRegistryImpl" />

	<beans:bean id="concurrencyFilter"
		class="org.springframework.security.web.session.ConcurrentSessionFilter">
		
		<beans:property name="sessionRegistry" ref="sessionRegistry" />
		<beans:property name="expiredUrl" value="/session-expired.html" />
	</beans:bean>
    I was thinking the reference to 'sas' should be under my PreAuthenticatedShibbolethAuthenticationFilter:
    Code:
    <beans:property name="sessionAuthenticationStrategy" ref="sas" />
    But this results in NotWritablePropertyException.

    Any pointers be of great help.
    Reply With Quote Reply With Quote
  2. Sep 5th, 2012, 12:47 PM #2
    kmansoor
    kmansoor is offline Junior Member
    Join Date
    Aug 2010
    Posts
    26

    Default

    Okay, so I need SessionManagementFilter, got that part (from Peter Mularien's excellent book).

    However, the following code never returns any active session: (principals is always empty)
    Code:
    private @Inject
	SessionRegistry sessionReg;

	private void doTest() {
		List<Object> principals = sessionReg.getAllPrincipals();
		for (Object o : principals) {
			List<SessionInformation> siList = sessionReg.getAllSessions(o,
					false);
			for (SessionInformation si : siList) {
				logger.error(si.getSessionId() + " " + si.getPrincipal());
			}
		}
	}
    My configuration now looks like the following:
    Code:
    <beans:bean id="springSecurityFilterChain"
		class="org.springframework.security.web.FilterChainProxy">
		<filter-chain-map path-type="ant">
			<filter-chain pattern="/**/resources/**" filters="none" />
			<filter-chain pattern="/**/logout/**" filters="none" />
			<filter-chain pattern="/service/**" filters="none" />
			<filter-chain pattern="/**"
				filters="sif,shibbolethFilter,concurrencyFilter,logoutFilter,smf, etf,fsi" />

		</filter-chain-map>
	</beans:bean>

	<beans:bean id="sif"
		class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

	<beans:bean id="scr"
		class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />

	<beans:bean id="smf"
		class="org.springframework.security.web.session.SessionManagementFilter">
		<beans:constructor-arg name="securityContextRepository"
			ref="scr" />
		<beans:property name="sessionAuthenticationStrategy"
			ref="sas" />
	</beans:bean>

	<beans:bean id="shibbolethFilter"
		class="PreAuthenticatedShibbolethAuthenticationFilter">
		<beans:property name="authenticationManager" ref="authenticationManager" />
		<beans:property name="exceptionIfHeaderMissing" value="true" />
		<beans:property name="continueFilterChainOnUnsuccessfulAuthentication"
			value="true" />
		<beans:property name="authenticationSuccessHandler"
			ref="customAuthenticationSuccessHandlerBean" />
	</beans:bean>
	
	<beans:bean id="sas"
		class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
		<beans:constructor-arg name="sessionRegistry"
			ref="sessionRegistry" />
		<beans:property name="maximumSessions" value="1" />
	</beans:bean>

	<beans:bean id="sessionRegistry"
		class="org.springframework.security.core.session.SessionRegistryImpl" />

	<beans:bean id="concurrencyFilter"
		class="org.springframework.security.web.session.ConcurrentSessionFilter">
		<beans:property name="sessionRegistry" ref="sessionRegistry" />
		<beans:property name="expiredUrl" value="/session-expired.html" />
	</beans:bean>
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules