How to configure custom concurrent session control?

[barrys52]

I have Spring Security configured with CAS for the authentication that has been working well for some time now. We now have a new requirement to restrict the number of concurrent sessions to one per user (one login per user at a time), except for a selected set of users. The users who are exceptions can have an unlimited number of sessions.

Restricting the number of concurrent sessions for all users to a maximum of one session is straightword:

Code:

<http>
...
<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
</http>

So, that applies to all users. But what would the best way be to customize the concurrent sessions so that the list of excepted users are not restricted? Is this something that can be configured without custom code?

Would appreciate advice from the experts!

Thanks,
Barry

[barrys52]

FYI - I have gone ahead and created custom code for this requirement. Basically, I have subclassed the ConcurrentSessionControllerImplCustom and modified the checkAuthenticationAllowed method. The method will first test whether the current principal is on the unrestricted list, and if so, just returns. Otherwise, the method proceeds with the original code (checking whether the user has exceeded the maximum number of sessions).

If anyone can tell me whether this can be accomplished without custom code, I still like to hear how.