Hi all,
I'm configuring Concurrent Session Control and Session Fixation Protection, but neither works. The JSESSIONID value doesn't change when logging in, and I can't limit sessions to one. Can anyone help with this?

web.xml :
Code:
...
  <!-- Routes every request (/*) through DelegatingFilterProxy, which looks up the
       Spring bean named by filter-name (springSecurityFilterChain). Session-management
       features only act on requests and authentications that pass through this chain. -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- Publishes HTTP session lifecycle events into the Spring context. The session
       registry used for concurrency control relies on these events to forget sessions
       that have ended; without the listener, stale entries would keep counting
       against max-sessions. -->
  <listener>
    <listener-class>
		org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
  </listener>
...
spring-security.xml :
Code:
<?xml version="1.0" encoding="ISO-8859-1"?>

<beans xmlns="http://www.springframework.org/schema/beans" 
		xmlns:sec ="http://www.springframework.org/schema/security"		
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		xsi:schemaLocation="http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
	    http://www.springframework.org/schema/security
	    http://www.springframework.org/schema/security/spring-security-3.1.xsd">
	
	<sec:http access-denied-page="/failed.xhtml" use-expressions="true" >
		<!-- NOTE(review): no intercept-url shown here puts /fLogin.xhtml on the https
		     channel, so nothing in this block forces the login form (and the credentials
		     posted from it) onto HTTPS - confirm the login page is never served over
		     plain HTTP. -->
		<sec:form-login login-page="/fLogin.xhtml" 
			default-target-url="/pages/page01.xhtml"/>
		<sec:intercept-url pattern="/maint/**" access="isAuthenticated()" requires-channel="https"/>
		<sec:intercept-url pattern="/pages/**" access="isAuthenticated()" requires-channel="https"/>
		
		<!-- Session invalidation and cookie removal configured here happen only when the
		     logout URL handled by the filter chain is requested. -->
		<sec:logout invalidate-session="true" logout-success-url="/fLogin.xhtml" delete-cookies="JSESSIONID"/>
		
		<!-- Session fixation protection and concurrency control are applied by the filter
		     chain's session authentication strategy, which runs when one of the chain's
		     own authentication mechanisms (e.g. the form-login filter) authenticates.
		     NOTE(review): AuthenticationServiceImp.login() calls the AuthenticationManager
		     directly from application code. That path appears to bypass the strategy,
		     which would explain JSESSIONID not changing and max-sessions not being
		     enforced. Either submit the login form to the form-login filter, or supply an
		     explicit strategy bean through session-authentication-strategy-ref and invoke
		     it after a successful programmatic login. -->
		<sec:session-management invalid-session-url="/fLogin.xhtml" session-fixation-protection="newSession">
			<sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" 
										session-registry-ref="sessionRegistry"	expired-url="/fLogin.xhtml"/>
		</sec:session-management>
		
		<sec:port-mappings>
			<sec:port-mapping http="8090" https="8443"/>
		</sec:port-mappings>
	</sec:http>
	
	<bean id="sessionRegistry"
    	class="org.springframework.security.core.session.SessionRegistryImpl" />

    <sec:global-method-security pre-post-annotations="enabled">
        
    </sec:global-method-security>

	<sec:authentication-manager alias="authenticationManager">
		<sec:authentication-provider
			user-service-ref="userDetailsService" >
			<sec:password-encoder ref="passwordEncoder">
				<sec:salt-source ref="saltSource"/>
			</sec:password-encoder>
		</sec:authentication-provider>
	</sec:authentication-manager>
	
	<!-- NOTE(review): ShaPasswordEncoder with no constructor argument uses its default
	     strength (SHA-1), and the salt configured below is the username, which is
	     predictable. A single fast hash with a guessable salt gives little resistance
	     to offline guessing if the credential store leaks. Prefer an adaptive password
	     hash such as bcrypt (Spring Security 3.1 ships a BCryptPasswordEncoder in its
	     crypto module) and plan a re-hash of stored passwords on next login. -->
	<bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder">	
	</bean>
	
	<!-- Derives the per-user salt by reading the "username" property of the UserDetails. -->
	<bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
		<property name="userPropertyToUse" value="username"></property>	
	</bean>
	
	<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
	    <property name="rolePrefix" value="" />
	</bean>
	
</beans>
AuthenticationServiceImp :
Code:
/**
 * Programmatic login/logout service backed by the Spring Security
 * {@code authenticationManager} bean.
 *
 * <p>NOTE(review): authenticating here, in application code, stores the result in the
 * {@link SecurityContextHolder} but never invokes a session authentication strategy.
 * Session fixation protection and concurrent-session control configured on
 * {@code <sec:session-management>} are applied by the security filter chain when one
 * of its own authentication filters performs the login, so they appear not to run
 * for this path: the session id is not renewed after login and the session is not
 * registered for the max-sessions check. To get both, either post the login form to
 * the form-login filter, or inject a session authentication strategy bean and call
 * it with the current request/response right after a successful
 * {@code authenticate(...)}.
 */
@Service("authenticationService")
public class AuthenticationServiceImp implements AuthenticationService{

	@Resource(name = "authenticationManager")
	private AuthenticationManager authenticationManager;

	/**
	 * Authenticates the given credentials and, on success, publishes the resulting
	 * {@link Authentication} in the current security context.
	 *
	 * <p>NOTE(review): the exception message is shown to the user as-is. Depending on
	 * the provider it may reveal account state or internal error text; consider a
	 * single generic failure message.
	 *
	 * @param username the submitted user name
	 * @param password the submitted clear-text password
	 * @return {@code true} if authentication succeeded, {@code false} otherwise
	 */
	@Override
	public boolean login(String username, String password) {
		try {
			Authentication result = authenticationManager.authenticate(
					new UsernamePasswordAuthenticationToken(username, password));
			if (!result.isAuthenticated()) {
				return false;
			}
			SecurityContextHolder.getContext().setAuthentication(result);
			return true;
		} catch (AuthenticationException failure) {
			// Surface the failure on the JSF page as a global (non-component) error.
			String reason = failure.getMessage();
			FacesContext.getCurrentInstance().addMessage(null,
					new FacesMessage(FacesMessage.SEVERITY_ERROR, reason, reason));
			return false;
		}
	}

	/**
	 * Clears the authentication held in the current security context.
	 *
	 * <p>NOTE(review): this does not invalidate the HTTP session or remove the
	 * session cookie; confirm callers also go through the configured logout URL.
	 */
	@Override
	public void logout() {
		SecurityContextHolder.getContext().setAuthentication(null);
	}

}
UserDetailServiceImp :
Code:
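/**
 * {@link UserDetailsService} that loads accounts through the remote
 * {@code UsuarioRemote} service and adapts them to the application's {@code User}.
 */
@Service("userDetailsService")
public class UserDetailServiceImp implements UserDetailsService {

	@Resource
	private UsuarioRemote jUsuarioService;
	
	@Autowired
	private PasswordEncoder encoder;
	@Autowired
	private SaltSource saltSource;

	/**
	 * Looks up the account for {@code username}.
	 *
	 * <p>Never returns {@code null}: an unknown user or a failed lookup is reported
	 * as {@link UsernameNotFoundException}, as the {@link UserDetailsService}
	 * contract requires. The previous version swallowed every exception and
	 * returned {@code null}.
	 *
	 * @param username the login name to look up
	 * @return the populated user details, never {@code null}
	 * @throws UsernameNotFoundException if no account exists or the lookup failed
	 */
	@Override
	public UserDetails loadUserByUsername(String username)
			throws UsernameNotFoundException {
		try {
			Usuario user = jUsuarioService.findById(username);
			if (user == null) {
				// Generic message: do not echo the submitted name back to the caller.
				throw new UsernameNotFoundException("User not found");
			}

			// Provisional authorities.
			// NOTE(review): every account receives the same hard-coded authorities;
			// replace with the user's real grants before relying on them for access control.
			Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
			authorities.add(new GrantedAuthorityImpl("BD.SETTI.CTM.COUNT"));
			authorities.add(new GrantedAuthorityImpl("BS.SETTI.CTM.COUNT"));

			// NOTE(review): the account-state flags are hard-coded to true, so disabled,
			// expired or locked accounts are never rejected even though attempt counters
			// are loaded below - confirm this is intentional.
			boolean enabled = true;
			boolean accountNonExpired = true;
			boolean credentialsNonExpired = true;
			boolean accountNonLocked = true;

			return new User(user.getUsername(), user.getPassword(), enabled,
					accountNonExpired, credentialsNonExpired,
					accountNonLocked, user.getAttempts(),
					user.getMaxAttempts(), user.isRequiresChangePw(), authorities);

		} catch (UsernameNotFoundException e) {
			throw e;
		} catch (Exception e) {
			// Fail closed and keep the cause for diagnostics.
			// NOTE(review): a backend failure is reported the same way as an unknown
			// user; log it or map it to a more specific exception once the failure
			// modes of findById are known.
			throw new UsernameNotFoundException("User lookup failed", e);
		}
	}
}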
User.java
Code:
public class User implements Serializable,
		org.springframework.security.core.userdetails.UserDetails,
		CredentialsContainer {

	private static final long serialVersionUID = 1L;

	private String password;
	private final String username;
	private final Set<GrantedAuthority> authorities;
	private final boolean accountNonExpired;
	private final boolean accountNonLocked;
	private final boolean credentialsNonExpired;
	private final boolean enabled;

	private short MAX_FAILED_LOGIN_ATTEMPTS;

	private int failedLoginAttempts;
	private boolean requiresChangePw;

        /**
         * Convenience constructor: creates an enabled, non-expired, non-locked account
         * that does not require a password change.
         *
         * <p>NOTE(review): the failed-login counter starts at 3 (with a maximum of 5)
         * rather than 0 - confirm that default is intended.
         *
         * @param username    login name; must be non-null and non-empty
         * @param password    stored password value; must be non-null
         * @param authorities authorities granted to the user
         */
        public User(String username, String password,
			Collection<? extends GrantedAuthority> authorities) {
		this(username, password,
				true, true, true, true, // enabled, accountNonExpired, credentialsNonExpired, accountNonLocked
				3, (short) 5,           // failedLoginAttempts, maxfailedAttempts
				false,                  // requiresChangePw
				authorities);
	}

	/**
	 * Creates a user with every account-state flag and login-attempt counter given
	 * explicitly.
	 *
	 * @param username              login name; must be non-null and non-empty
	 * @param password              stored password value; must be non-null
	 * @param enabled               whether the account is enabled
	 * @param accountNonExpired     whether the account has not expired
	 * @param credentialsNonExpired whether the credentials have not expired
	 * @param accountNonLocked      whether the account is not locked
	 * @param failedLoginAttempts   current number of failed login attempts
	 * @param maxfailedAttempts     maximum number of failed attempts
	 * @param requiresChangePw      whether a password change is required
	 * @param authorities           authorities granted to the user
	 * @throws IllegalArgumentException if {@code username} is null or empty, or
	 *                                  {@code password} is null
	 */
	public User(String username, String password, boolean enabled,
			boolean accountNonExpired, boolean credentialsNonExpired,
			boolean accountNonLocked, int failedLoginAttempts,
			short maxfailedAttempts, boolean requiresChangePw,
			Collection<? extends GrantedAuthority> authorities) {

		boolean usernameMissing = (username == null) || (username.length() == 0);
		if (usernameMissing || (password == null)) {
			throw new IllegalArgumentException(
					"Cannot pass null or empty values to constructor");
		}

		// Identity and credentials.
		this.username = username;
		this.password = password;

		// Account-state flags.
		this.enabled = enabled;
		this.accountNonExpired = accountNonExpired;
		this.credentialsNonExpired = credentialsNonExpired;
		this.accountNonLocked = accountNonLocked;

		// Login-attempt bookkeeping.
		this.failedLoginAttempts = failedLoginAttempts;
		this.MAX_FAILED_LOGIN_ATTEMPTS = maxfailedAttempts;
		this.requiresChangePw = requiresChangePw;

		// Expose the sorted authorities through a read-only view.
		Set<GrantedAuthority> sorted = sortAuthorities(authorities);
		this.authorities = Collections.unmodifiableSet(sorted);

	}

... 
/* getter and setter and other methods */
...

        /**
         * Hashes on the username only, consistent with {@link #equals(Object)}.
         *
         * @return 31 plus the username's hash code, or 31 when the username is null
         */
        @Override
	public int hashCode() {
		int usernameHash = (username == null) ? 0 : username.hashCode();
		// Same value as the usual "prime * 1 + hash" fold with prime = 31.
		return 31 + usernameHash;
	}

	/**
	 * Two users are equal when their usernames are equal; no other field is compared.
	 *
	 * @param obj the object to compare with
	 * @return {@code true} if {@code obj} is a {@code User} with the same username
	 */
	@Override
	public boolean equals(Object obj) {
		if (this == obj) {
			return true;
		}
		// instanceof is false for null, so this also rejects a null argument.
		if (!(obj instanceof User)) {
			return false;
		}
		User that = (User) obj;
		return (username == null)
				? that.username == null
				: username.equals(that.username);

	}
}