
Thread: Cluster-aware SessionRegistry for concurrent logins?

  1. #1
    Join Date
    Aug 2004
    Location
    Budapest, Hungary
    Posts
    24

    Cluster-aware SessionRegistry for concurrent logins?

    I tried to replace Spring Security 2.0.2's default SessionRegistry with a custom SessionRegistry implementation which uses either EHCache or a JGroups ReplicatedHashMap to store the principals and sessionIds. I tried both approaches, but neither of them makes the concurrent login filter work as expected (i.e. allow only one concurrent login for each user regardless of the cluster node they use).

    I can post my modified SessionRegistry code but I doubt the problem is there (it's a plain replacement of Maps to Caches or ReplicatedHashMaps, nothing else). Any clue what could be wrong with such a setup?

    Generally, is it a naive theory to handle concurrent logins in a cluster this way?

  2. #2
    Join Date
    Aug 2004
    Location
    Budapest, Hungary
    Posts
    24

    Any hints, please?

  3. #3
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    I don't know about this approach but it has certainly been done with a database before.

  4. #4
    Join Date
    Aug 2004
    Location
    Budapest, Hungary
    Posts
    24

    Thanks Luke!

    The main point of the question was whether simply replacing SessionRegistry alone could automatically make it work in a cluster, or do you think I need something else as well?

  5. #5
    Join Date
    Sep 2008
    Posts
    2

    Any news on this one?

    The problem is that the SessionRegistryImpl that comes with Spring Security is only aware of the sessions created on the current node. If one clusters an application by using an HttpSession stored in a central database, the concurrent session support in Spring Security fails.

    I.e., what is the best practice for having a cluster-aware SessionRegistry?

    dyn: I'd love to see your code and hear of any progress you may have made.

    Thanks.

  6. #6

    I am also having this issue. Has anyone solved this before?

  7. #7

    What application server are you using? Also, what problem are you trying to solve by using the session registry?

  8. #8

    I am using Oracle Application Server. The application is using the ConcurrentSessionFilter to disable concurrent logons. This worked fine until the application was put in front of a clustering/load balancing environment. Now the same user can log in many times.

  9. #9
    Join Date
    Aug 2006
    Posts
    236

    We have recently implemented a solution that uses GigaSpaces to store session information so that other applications in the cluster are aware of what sessions are in use.

    I think using either a clustered cache or database is the best option.

  10. #10

    Originally posted by hoffmandirt:
        I am using Oracle Application Server. The application is using the ConcurrentSessionFilter to disable concurrent logons. This worked fine until the application was put in front of a clustering/load balancing environment. Now the same user can log in many times.

    This works fine with a custom SessionRegistryImpl which uses Hibernate with an Oracle DB, and which has two clustered Tomcat instances behind a load balancer, at the Colombo Stock Exchange website.
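
The failure reported in this thread, next to the shared-store approach the replies recommend, as an added example that is not code from any poster or from Spring Security. It is a plain-JDK sketch (Java 16+, no Spring types): `Registry`, `Entry` and the session ids are hypothetical, and a shared `ConcurrentHashMap` stands in for the database table or clustered cache.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ClusterRegistryDemo {
    // Immutable record: expiring a session means writing a new value back to the
    // store, so a replicated cache or a database row changes for every node.
    record Entry(String principal, boolean expired) {}

    static class Registry {
        private final Map<String, Entry> store; // sessionId -> entry
        Registry(Map<String, Entry> store) { this.store = store; }

        // Allow one live session per principal: expire older ones, then register.
        void login(String sessionId, String principal) {
            store.replaceAll((id, e) ->
                e.principal().equals(principal) ? new Entry(principal, true) : e);
            store.put(sessionId, new Entry(principal, false));
        }

        // What a per-request filter would ask: is this session still valid?
        boolean isLive(String sessionId) {
            Entry e = store.get(sessionId);
            return e != null && !e.expired();
        }
    }

    public static void main(String[] args) {
        // Per-node maps: each node only knows the sessions it created itself,
        // so the same user ends up with a live session on both nodes.
        Registry nodeA = new Registry(new ConcurrentHashMap<>());
        Registry nodeB = new Registry(new ConcurrentHashMap<>());
        nodeA.login("sess-1", "alice");
        nodeB.login("sess-2", "alice");
        System.out.println("local:  sess-1 live=" + nodeA.isLive("sess-1")
            + ", sess-2 live=" + nodeB.isLive("sess-2"));

        // One store shared by both nodes: the login on node B expires sess-1,
        // and node A sees that on the session's next request.
        Map<String, Entry> shared = new ConcurrentHashMap<>();
        Registry sharedA = new Registry(shared);
        Registry sharedB = new Registry(shared);
        sharedA.login("sess-1", "alice");
        sharedB.login("sess-2", "alice");
        System.out.println("shared: sess-1 live=" + sharedA.isLive("sess-1")
            + ", sess-2 live=" + sharedB.isLive("sess-2"));
    }
}
```

With a real replicated cache, a session record that is changed in memory on one node has to be put back into the cache before other nodes can see the expiry, which is why the sketch never mutates an entry in place.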
