
Thread: Concurrent login - is this the way it's supposed to work ?

  1. #1
    Join Date
    Sep 2004
    Posts
    5

    Default Concurrent login - is this the way it's supposed to work ?

    I've just got the concurrent login feature working on Acegi 0.9, and it all appears to work, just not in the way I was expecting !

    I thought that if you tried to login on one machine, but were already logged in elsewhere, your login would be rejected and (a suitable) message could be displayed to say that you were already logged in.

    However, what's happening is as follows:

    1) Login to machine 1 as user - login is fine.
    2) Login to machine 2 as user - login is fine (??).
    3) Go back to machine 1, and you now need to log back in.

    Is this right ? Maybe there is something in my config that's wrong ?

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    	"http://www.springframework.org/dtd/spring-beans.dtd">
    
    <beans>
    	<!-- Maps request URLs (lower-cased first, Ant-style patterns) to an ordered list
    	     of Acegi filters. The login-processing URL is listed before the wildcard
    	     patterns; the third pattern is already covered by the second.
    	     NOTE(review): only the login-processing URL and *.html requests are given a
    	     filter chain here. Requests for any other path would presumably pass through
    	     without any of these filters, so confirm nothing sensitive is served from
    	     other URLs. -->
    	<bean id="filterChainProxy"
    		class="net.sf.acegisecurity.util.FilterChainProxy">
    		<property name="filterInvocationDefinitionSource">
    			<value>
    			CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			PATTERN_TYPE_APACHE_ANT
    			/**/j_acegi_security_check=httpSessionContextIntegrationFilter,authenticationProcessingFilter 
    			/**/*.html*=concurrentSessionFilter,httpSessionContextIntegrationFilter,authenticationProcessingFilter,requestMethodsFilter,anonymousProcessingFilter,securityEnforcementFilter
    			/**/*.html=concurrentSessionFilter,httpSessionContextIntegrationFilter,authenticationProcessingFilter,requestMethodsFilter,anonymousProcessingFilter,securityEnforcementFilter
    		</value>
    		</property>
    	</bean>
    
    	<!-- Authentication manager: holds the DAO-backed provider and the anonymous
    	     provider, in that order. The concurrent session controller is wired in here,
    	     so the session limit is presumably checked as part of authentication rather
    	     than by a web filter (confirm against ProviderManager in your Acegi version). -->
    	<bean id="authenticationManager"
    			class="net.sf.acegisecurity.providers.ProviderManager">
    		<property name="providers">
    		<list>
    			<ref local="daoAuthenticationProvider"/>
    			<ref local="anonymousAuthenticationProvider"/>
    		</list>
    		</property>
     		<property name="sessionController"><ref bean="concurrentSessionController"/></property>
    	</bean>
    
    	<!-- Limits each principal to one registered session.
    	     Nothing in this bean chooses between rejecting the new login and expiring
    	     the existing session; with this configuration the thread reports that the
    	     newer login wins and the older session is the one that has to log in again.
    	     NOTE(review): later Acegi releases expose an exceptionIfMaximumExceeded
    	     property on this class for that choice; check whether your version has it.
    	     Security trade-off to decide deliberately: "newest wins" lets anyone holding
    	     the password displace the legitimate user, so log and surface the
    	     displacement; "reject new" can lock the user out until a stale session
    	     times out. -->
    	<bean id="concurrentSessionController" class="net.sf.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
    	  <property name="maximumSessions"><value>1</value></property>
    	  <property name="sessionRegistry"><ref local="sessionRegistry"/></property>
    	</bean>
    
    	<!-- Session registry shared by concurrentSessionController and
    	     concurrentSessionFilter; both must reference this same instance.
    	     NOTE(review): the registry presumably lives in this JVM only and relies on
    	     session lifecycle events to drop entries on logout or timeout. Confirm that
    	     web.xml registers Acegi's HttpSessionEventPublisher listener, and that a
    	     clustered deployment does not count sessions per node. -->
    	<bean id="sessionRegistry" class="net.sf.acegisecurity.concurrent.SessionRegistryImpl"/>
    
    	<!-- Application-specific user lookup used by daoAuthenticationProvider. Its
    	     collaborators are injected by bean name (autowire="byName"), so they are not
    	     visible in this file. -->
    	<bean id="authenticationDAOImpl"
    		class="com.du.eproc.dao.impl.AuthenticationDAOAcegiHibernateImpl" autowire="byName"/>
    
    	<!-- Authenticates username/password logins against the application's DAO.
    	     NOTE(review): no passwordEncoder or saltSource is set here, so the provider
    	     presumably compares the submitted password with the stored value as plain
    	     text. Confirm how passwords are stored and configure a hashing encoder to
    	     match. -->
    	<bean id="daoAuthenticationProvider"
    		class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    		<property name="authenticationDao" ref="authenticationDAOImpl"/>
    	</bean>
    
    	<!-- 
    		=====================
    		HTTP Request Security
    		=====================
    	 -->
    	<!-- Carries the security context between requests via the HttpSession. The
    	     context property names the class to instantiate when the session holds no
    	     context yet (confirm against the filter's documentation). -->
    	<bean id="httpSessionContextIntegrationFilter" 
    		class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
    		<property name="context" value="net.sf.acegisecurity.context.SecurityContextImpl"/>
    	</bean>
    
    	<!-- Consults the shared session registry on each filtered request and sends a
    	     request whose session has been expired to expiredUrl.
    	     NOTE(review): expiredUrl is the ordinary login page, so a displaced user
    	     just sees a login form (step 3 in the post above) with no hint that the
    	     account was used elsewhere. A dedicated page saying so helps users notice
    	     and report a login they did not make. -->
    	<bean id="concurrentSessionFilter"
    		class="net.sf.acegisecurity.concurrent.ConcurrentSessionFilter">
    		<property name="sessionRegistry"><ref bean="sessionRegistry"/></property>
    		<property name="expiredUrl" value="/login.html"/>
    	</bean>
    
    	<!-- Gives unauthenticated requests an anonymous identity with ROLE_ANONYMOUS.
    	     The key must equal the one on anonymousAuthenticationProvider.
    	     NOTE(review): "foobar" looks like a sample value; use a deployment-specific
    	     value kept out of shared examples. -->
    	<bean id="anonymousProcessingFilter" 
    		class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    		<property name="key" value="foobar"/>
    		<property name="userAttribute" value="anonymous,ROLE_ANONYMOUS" />
    	</bean>
    
    	<!-- Accepts the anonymous tokens created by anonymousProcessingFilter; the key
    	     here has to match the filter's key.
    	     NOTE(review): replace the sample value "foobar" in both beans together. -->
    	<bean id="anonymousAuthenticationProvider" 
    		class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    		<property name="key" value="foobar" />
    	</bean>
    
    	<!-- Handles the login form submission at /j_acegi_security_check using
    	     authenticationManager. A failed attempt goes back to /login.html, a
    	     successful one to /index.html by default.
    	     NOTE(review): a login refused because of the session limit would presumably
    	     also land on authenticationFailureUrl; if that behaviour is enabled, show
    	     the user why the login was refused. -->
    	<bean id="authenticationProcessingFilter"
    		class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    		<property name="authenticationManager" ref="authenticationManager"/>
    		<property name="authenticationFailureUrl" value="/login.html" />
    		<property name="defaultTargetUrl" value="/index.html" />
    		<property name="filterProcessesUrl" value="/j_acegi_security_check" />
    	</bean>
    
    	<!-- Entry point that sends unauthenticated users to the login form.
    	     NOTE(review): forceHttps is false, so this bean does not move the login
    	     form to HTTPS. Unless TLS is enforced elsewhere (container, proxy), the
    	     password and session cookie can cross the network in clear text. -->
    	<bean id="authenticationProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    		<property name="loginFormUrl">
    			<value>/login.html</value>
    		</property>
    		<property name="forceHttps">
    			<value>false</value>
    		</property>
    	</bean>
    
    	<!-- Last filter in the *.html chain: delegates the access decision to
    	     filterInvocationInterceptor and uses the entry point below to start a login
    	     when authentication is required. -->
    	<bean id="securityEnforcementFilter"
    		class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    		<property name="filterSecurityInterceptor">
    			<ref local="filterInvocationInterceptor"/>
    		</property>
    		<property name="authenticationEntryPoint">
    			<ref local="authenticationProcessingFilterEntryPoint"/>
    		</property>
    	</bean>
    
    	<!-- Wraps the request so the servlet API security methods reflect the Acegi
    	     security context (per the class name; confirm in the Acegi docs). -->
    	<bean id="requestMethodsFilter" class="net.sf.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
    
    	<!-- Access decision manager for web requests. allowIfAllAbstainDecisions is
    	     false, so a request on which every voter abstains is denied. roleVoter is
    	     the only voter, which makes it the single point of authorization. -->
    	<bean id="httpRequestAccessDecisionManager"
    		class="net.sf.acegisecurity.vote.AffirmativeBased">
    		<property name="allowIfAllAbstainDecisions">
    			<value>false</value>
    		</property>
    		<property name="decisionVoters">
    			<list>
    				<ref bean="roleVoter"/>
    			</list>
    		</property>
    	</bean>
    
    
    <!-- Stock Acegi voter, disabled in favour of the application's own class below:
         <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
         NOTE(review): the custom voter is the only voter consulted, so every
         authorization decision depends on it. Its source is not shown here; review
         how it differs from the stock RoleVoter. -->
    	<bean id="roleVoter" class="com.du.eproc.security.RoleVoter"/>
    
    	<!-- Maps URL patterns to the roles allowed to request them; the explicit
    	     login and logout entries are listed before the wildcard entries.
    	     NOTE(review): these patterns start with /*.html, which in Ant syntax covers
    	     a single path segment, while filterChainProxy uses /**/*.html. An .html page
    	     in a subdirectory would pass through the filters but match no entry here
    	     and would presumably be treated as unprotected. Confirm the application
    	     serves no .html below the root, or widen the patterns to /**/. -->
    	<bean id="filterInvocationInterceptor"
    		class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager"/>
    		</property>
    		<property name="accessDecisionManager">
    			<ref local="httpRequestAccessDecisionManager"/>
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/login.html=ROLE_ANONYMOUS
    				/logout.html=ROLE_USER
    				/*.html*=ROLE_USER,ROLE_SYSADMIN				
    				/*.html=ROLE_USER,ROLE_SYSADMIN
    			</value>
    		</property>
    	</bean>
    		
    </beans>
    Thanks in advance for any help.
    Lawrie Nichols

  2. #2
    Join Date
    Oct 2004
    Posts
    207

    Default

    The ConcurrentSessionController support has been the focus of some debate in the past. It's all about which session stays. The first one or the last one.

    I believe Ben refactored the ConcurrentSession support to work the way you expect based on configuration. Have a look at the docs for 0.9.0...
    http://acegisecurity.org/docbook/ace...ncurrent-login

  3. #3
    Join Date
    Sep 2004
    Posts
    5

    Default

    Hi Ray

    thanks for the response.

    Quote Originally Posted by RayKrueger
    It's all about which session stays. The first one or the last one.
    Looks currently like it's the last one then....maybe I'll have a look in the code to see if there's a way to change this behaviour.

    Quote Originally Posted by RayKrueger
    I believe Ben refactored the ConcurrentSession support to work the way you expect based on configuration. Have a look at the docs for 0.9.0...
    http://acegisecurity.org/docbook/ace...ncurrent-login
    I used this as the reference for setting up the concurrent login in my app, but unfortunately it does not mention anything about which session would be kicked.

    I guess an ideal would be to have a property settable on the ConcurrentSessionControllerImpl that you could use to specify what should happen to the sessions in this situation.

    Cheers
    Lawrie Nichols

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    Feel free to attach a patch to a JIRA task and it'll be added.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security
