
Thread: Spring Security Concurrent Session Control Problem

  1. #1

    Spring Security Concurrent Session Control Problem

    Hi guys, I am trying to set up the concurrent session control feature provided by the Spring Security Framework. Whilst the Spring Security context goes up without any error, I think that the concurrent session control isn't working. My idea was to prevent a user from logging in multiple times. But when I open two browsers and try to log in on both with the same user, Spring permits it without any problem.

    My web.xml and applicationContext-security you can find attached to this thread.

    I appreciate any help.
    Best Regards,
    Julio Helden

  2. #2
    Join Date: Oct 2004; Posts: 207

    I believe the default configuration logs out the first user who logged in. Log in as Batman then log in as Batman again through a different session. The first Batman session should be logged out now.

    Can you try that and see that it's working?

  3. #3

    I am having the same problem with the same entries in my web.xml and applicationContext-security.xml. I followed the security documentation. Any resolution to this?

    I have debugged through HttpSecurityBeanDefinitionParser and see that "sessionControlEnabled" is set to true, so it is reading my
    Code:
    <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" session-registry-ref='sessionRegistry'/>
    It's as if the listener in my web.xml is not being triggered:
    Code:
    	<listener>
    		<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
    	</listener>
    Last edited by J Ball; Jul 23rd, 2008 at 09:02 AM.

  4. #4

    Quote: Originally Posted by J Ball
    It's as if the listener in my web.xml is not being triggered:
    Code:
    	<listener>
    		<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
    	</listener>
    The listener is triggered as seen when I initially arrive at the login page (prior to login) and when I logout. Can someone suggest where to debug why the concurrent session max is ignored?

  5. #5

    I am using Spring on Tomcat if that makes any difference. Are there Tomcat configuration steps I need to take?

  6. #6
    Join Date: Nov 2005; Posts: 114

    Quote: Originally Posted by RayKrueger
    I believe the default configuration logs out the first user who logged in. Log in as Batman then log in as Batman again through a different session. The first Batman session should be logged out now.

    Can you try that and see that it's working?

    Correct. This is how it works.
