Jun 18th, 2008, 11:54 AM
Cluster-aware SessionRegistry for concurrent logins?
I tried to replace Spring Security 2.0.2's default SessionRegistry with a custom SessionRegistry implementation which uses either EHCache or a JGroups' ReplicatedHashMap to store the principals and sessionIds. I tried both approaches, but neither of them makes the concurrent login filter work as expected (ie. allow only one concurrent login for each user regardless their used cluster node).
I can post my modified SessionRegistry code but I doubt the problem is there (it's a plain replacement of Maps to Caches or ReplicatedHashMaps, nothing else). Any clue what could be wrong with such a setup?
Generally, is it a naive theory to handle concurrent logins in a cluster this way?
Jun 20th, 2008, 09:42 AM
Jun 20th, 2008, 09:48 AM
I don't know about this approach but it has certainly been done with a database before.
Jun 20th, 2008, 02:09 PM
The main point of the question was that simply replacing SessionRegistry alone could automatically making it work in a cluster or you think I need something else as well?
Sep 19th, 2008, 06:00 AM
Any news on this one?
The problem is, that the SessionRegistryImpl that comes with spring security only is aware of the sessions created on the current node. if one clusters an application by using a HttpSession stored in a central database, the concurrent session support in spring security fails.
ie. what is the best practice for having a cluster aware SessionRegistry.
dyn: i'd love to see your code and hear of any progress you may have made.
Feb 3rd, 2009, 06:43 AM
I am also having this issue. Has any solved this before?
Feb 3rd, 2009, 07:01 AM
What application server are you using? Also, what problem are you trying to solve by using the session registry?
Feb 3rd, 2009, 07:17 AM
I am using Oracle Application Server. The application is using the ConcurrentSessionFilter to disable concurrent logons. This worked fine until the application was put in front of a clustering/load balancing environment. Now the same user can login many times.
Feb 6th, 2009, 02:47 AM
We have recently implemented a solution that uses GigaSpaces to store session information so that other applications in the cluster are aware of what sessions are in use.
I think using either a clustered cache or database is the best option.
Feb 9th, 2009, 03:29 AM
This works fine with a custom SessionRegistryImpl which uses Hibernate with Oracle db, which has two clustered tomcat instances behind a load balancer @ Colombo Stock Exchange website.
Originally Posted by hoffmandirt
Tags for this Thread