I have Spring Security configured with CAS for the authentication that has been working well for some time now. We now have a new requirement to restrict the number of concurrent sessions to one per user (one login per user at a time), except for a selected set of users. The users who are exceptions can have an unlimited number of sessions.
Restricting the number of concurrent sessions for all users to a maximum of one session is straightword:
So, that applies to all users. But what would the best way be to customize the concurrent sessions so that the list of excepted users are not restricted? Is this something that can be configured without custom code?
<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
Would appreciate advice from the experts!