Thread: ConcurrentSessionControlStrategy 3.0.RC1 documentation error?

  1. #1

    I'm trying to implement concurrent sessions, but I have a custom AuthenticationFilter, meaning there's some more work involved.

    So, reading the documentation under 11.3 Concurrency Control, I placed the listener into the web.xml and copied the required XML configurations.

    Documentation (page 60) says the ConcurrentSessionControlStrategy package is in

    Code:
    <beans:bean id="sas"
    class="org.springframework.security.web.session.ConcurrentSessionControlStrategy">
          <beans:property name="sessionRegistry" ref="sessionRegistry" />
          <beans:property name="maximumSessions" value="1" />
    </beans:bean>
    Yet this package doesn't exist.

    It is really located in

    Code:
    <beans:bean id="sas"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
           <beans:property name="sessionRegistry" ref="sessionRegistry" />
           <beans:property name="maximumSessions" value="1" />
    </beans:bean>
    Now the problem is that a new error instantly comes up saying

    Code:
    no matching constructor found in class "ConcurrentSessionControlStrategy" 
    validate constructor arg injection
    the "sessionRegistry" property can then not be resolved


    Can someone further explain what I have to do to get the ConcurrentSessionControlStrategy to work? Do I have to extend it and call the properties?

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date: Aug 2004
    Location: Glasgow, Scotland
    Posts: 3,449

    Thanks for spotting this error in the docs. There is an additional error, in that the SessionRegistry is a constructor argument, not a property, so it should be

    Code:
    <bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <property name="maximumSessions" value="1" />
    </bean>
    If you add the source jars to your IDE, then it will make it much easier to detect issues like this as you can quickly browse to the implementation class and check it out.
    Spring - by Pivotal
    twitter @tekul

  3. #3

    Cool, there's one more thing in the online API documentation.
    The listener in the web.xml entry has not been updated.

    http://static.springsource.org/sprin...Publisher.html


    So I still don't understand what's going on.
    I have a form-login and customAuthenticationFilter.
    Both log in/log out perfectly,

    but when I try to enable concurrency control for the sessions, my application fails when I try to run it. Yes, I am running a Grails app, but I have fully integrated Spring Security 3 into it. But I will try it in a Spring MVC app.


    The application fails when I add the commented-out red lines. These are the exact lines from the documentation.

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    
    
    <security:http entry-point-ref="authenticaionEntryPoint">
            <security:intercept-url pattern="/home*" access="ROLE_USER" />
    		<security:intercept-url pattern="/home/2*" access="ROLE_ADMIN" />
    
             <security:form-login login-page="/login" default-target-url="/home" login-processing-url="/native_login" authentication-failure-url="/login?login_error" />
            <security:custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
           <!--<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/> -->
            <security:custom-filter after="FORM_LOGIN_FILTER" ref="myAuthenticationFilter" />
        <!--<security:session-management session-authentication-strategy-ref="sas"/> -->
    </security:http>
    
    
    <bean id="authenticaionEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    		<property name="loginFormUrl" value="/login" />
    	</bean>
    
    	<bean id="myAuthenticationFilter" class="com.app.MyAuthenticationProcessingFilter">
            <!--<property name="sessionAuthenticationStrategy" ref="sas" />  -->
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="authenticationSuccessHandler">
    			<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    				<property name="defaultTargetUrl" value="/home" />
    				<property name="alwaysUseDefaultTargetUrl" value="true" />
    			</bean>
    		</property>
    		<property name="authenticationFailureHandler">
    			<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    				<property name="defaultFailureUrl" value="/login?error=2" />
    			</bean>
    		</property>
    	</bean>
    
    
    
      
        <bean id="customUserDetailsService" class="com.app.CustomUserDetailsService">
        </bean>
    
    
        <bean id="myAuthenticationProvider" class="com.app.MyAuthenticationProvider" >
            <property name="customUserDetailsService" ref="customUserDetailsService"/>
        </bean>
    
        <security:authentication-manager alias="authenticationManager">
    		<security:authentication-provider ref="myAuthenticationProvider" />
            <security:authentication-provider user-service-ref="customUserDetailsService"/>
    	   </security:authentication-manager>
    
    
         <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    		<constructor-arg value="/login?comeback=1"/>
    		<constructor-arg>
    			<list>
    				<ref bean="customLogoutHandler"/>
                    <ref bean="securityContextLogoutHandler"/>
    			</list>
    		</constructor-arg>
    		<property name="filterProcessesUrl" value="/logout" />
    	</bean>
    
    
         <bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
    
        <bean id="customLogoutHandler" class="com.app.CustomLogoutHandler">
        </bean>
    
    
    
        <!-- CONCURRENCY CONFIGURATION
    
    <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <property name="sessionRegistry" ref="sessionRegistry" />
        <property name="expiredUrl" value="/sessionexp" />
    </bean>
    
    
    <bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
             <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
           <property name="maximumSessions" value="1" />
    </bean>
    
    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
     -->
    
    
    
    </beans>
    Is there anything I'm missing? It only breaks with the red lines.

  4. #4
    Luke Taylor

    What do you mean by "The application fails" ?

    I've updated the Javadoc for the event publisher. Thanks for spotting that.

  5. #5
    Luke Taylor

    Hmm. Something seems a bit buggy here. I'll take a look at it.

    https://jira.springsource.org/browse/SEC-1318
    Last edited by Luke Taylor; Dec 7th, 2009 at 04:40 PM.

  6. #6

    Now I understand your JIRA.

    Grails gave me no indication as to what was wrong, even with log4j warn, error and debug messages.

    I converted everything over to Spring MVC and tested,
    then when I added those red lines I got this error at compile time.

    PHP Code:
    00:55:25,686 ERROR ContextLoader:208 Context initialization failed
    org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: session-fixation-protection attribute cannot be used in combination with session-authentication-strategy-ref
    Offending resource: ServletContext resource [/WEB-INF/applicationContext-security.xml]
        at org.springframework.beans.factory.parsing.FailFastProblemReporter.error(FailFastProblemReporter.java:68)
    So do I just have to wait it out if it's a bug?
    Or can I disable the session-fixation-protection to get it working?

  7. #7
    Luke Taylor

    Well, I already committed a fix (should be visible in the "source" tab of Jira). I'm just adding some integration tests with a configuration like the one in the manual and ran into a few problems (it is after 1am here).

    The nightly build should pick those up or you can build yourself. Alternatively, RC2 should be released in the next day or so.

    This article mentions the problem of Grails failing to log errors while loading the context:

    http://blog.jayway.com/2009/11/23/sp...l-with-grails/

    so it isn't just you.

  8. #8

    Thanks, yea, I'll get the nightly build in the next day or two.
    Forgot to check the source.

    I'm in Ireland, it's late.
