spring security 2.0.4 session control ignored
I add max sessions into applicationContext-security.xml, and there is no error or any thing. But when I logged in as the same user twice, both succeeded. No error at all.
is there anything wrong with this config? is there a way I trap the login process to see why the second login got thru?Code:<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd "> <http auto-config="true" access-denied-page="/access_denied.jsp"> <concurrent-session-control expired-url="/leadcentral.html" /> <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <form-login login-page="/leadcentral.html" authentication-failure-url="/badlogin.html" default-target-url="/leadcentral.html" /> <logout logout-success-url="/leadcentral.html" invalidate-session="true" /> <sec:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" /> </http> <authentication-provider user-service-ref="securityService"> <password-encoder hash="md5" /> </authentication-provider> <beans:bean id="securityService" class="com.mycompany.server.security.SecurityService" /> <sec:global-method-security jsr250-annotations="enabled" /> </beans:beans>
