Hi guys,
I've got a system that does not support concurrent user logins. Below are my config files:
applicationContext-security.xml
Code:
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            WEB-INF/applicationContext.xml
        </param-value>
    </context-param>

    <!-- encoding filter -->
    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- security filters -->
    <!--
    <filter>
        <filter-name>captchaFilter</filter-name>
        <filter-class>oas.security.CaptchaFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>captchaFilter</filter-name>
        <url-pattern>/jsp/j_spring_security_check</url-pattern>
    </filter-mapping>
    -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <!-- struts filter -->
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    </web-app>
But when I try to test logging in using one user (concurrently) in different browsers, the user can still log in without error. I would like to stop the second user from logging in by throwing an exception or redirecting him to a page telling him he needs to log out before relogging in. I also tried logging in in one browser, closed the browser, opened it again and logged in again (same browser), but the user can still log in. Can you please pinpoint what I am doing wrong?
Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:p="http://www.springframework.org/schema/p"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                               http://www.springframework.org/schema/security
                               http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

        <security:http entry-point-ref="authenticationEntryPoint"
                       session-fixation-protection="newSession"
                       auto-config="false"
                       access-decision-manager-ref="accessDecisionManager"
                       access-denied-page="/403.jsp">
            .......
            <security:logout invalidate-session="true"
                             logout-success-url="/jsp/login.jsp"
                             logout-url="/jsp/j_spring_security_logout"/>
            <security:concurrent-session-control exception-if-maximum-exceeded="true"
                                                 max-sessions="1"
                                                 expired-url="/jsp/login.jsp" />
            <security:anonymous granted-authority="ROLE_ANONYMOUS" username="Guest" />
        </security:http>

        <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
            <property name="decisionVoters">
                <bean class="org.springframework.security.vote.RoleVoter">
                    <property name="rolePrefix" value=""/>
                </bean>
            </property>
        </bean>

        <!-- this will make authenticationManager available for injection -->
        <security:authentication-manager alias="authenticationManager"/>

        <bean id="authenticationProcessingFilter" class="oas.security.MyAuthenticationProcessingFilter">
            <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
            <property name="defaultTargetUrl" value="/jsp/common/Home.do"/>
            <property name="authenticationFailureUrl" value="/jsp/login.jsp?error=1" />
            <property name="authenticationManager" ref="customAuthenticationManager" />
            <property name="allowSessionCreation" value="true" />
            <property name="alwaysUseDefaultTargetUrl" value="false" />
            <property name="filterProcessesUrl" value="/jsp/j_spring_security_check" />
            <property name="userService" ref="userService"></property>
        </bean>

        <bean id="customAuthenticationManager" class="oas.security.CustomAuthenticationManager">
            <property name="dao" ref="universalDao"/>
        </bean>

        <bean id="authenticationEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
            <property name="loginFormUrl" value="/jsp/login.jsp" />
            <property name="forceHttps" value="false" />
        </bean>
    </beans>
Note: After the second user logs in, the first user is still logged in.
thank you
-marckun



