Spring Security concurrent session control not working
I am using Spring 4 and Hibernate 4 and have implemented Spring Security. It is working fine, but I do not want to allow concurrent logins with the same credentials. 1. I have added the `HttpSessionEventPublisher` listener to web.xml and used the `session-management` tag in the Spring Security configuration to implement concurrency control, but it is not working. The complete code follows:
web.xml:
<?xml version="1.0" encoding="utf-8"?>
<!-- NOTE(review): this listing was lower-cased by the page extraction. Fully qualified
     class names and the xsi:schemaLocation attribute are case-sensitive, so the real
     file must read HttpSessionEventPublisher, DispatcherServlet and DelegatingFilterProxy. -->
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"
         xsi:schemalocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <!-- Forwards servlet-session lifecycle events to Spring; the session registry behind
         <concurrency-control> relies on this to learn when a session is destroyed.
         Without it, expired sessions are never removed and the per-user count is wrong. -->
    <listener>
        <listener-class>
            org.springframework.security.web.session.httpsessioneventpublisher
        </listener-class>
    </listener>
    <!-- Front controller; its own context is loaded from servlet-context.xml.
         NOTE(review): nothing shown here loads spring-security.xml, so it is presumably
         imported from servlet-context.xml or a root context outside this listing — confirm,
         because the filter below looks up a bean named springsecurityfilterchain. -->
    <servlet>
        <servlet-name>appservlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.dispatcherservlet</servlet-class>
        <init-param>
            <param-name>contextconfiglocation</param-name>
            <param-value>/web-inf/spring/appservlet/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>appservlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <!-- Delegates every request to the Spring Security filter chain bean; the /* mapping
         is what makes the intercept-url rules apply to all paths, including /assets. -->
    <filter>
        <filter-name>springsecurityfilterchain</filter-name>
        <filter-class>org.springframework.web.filter.delegatingfilterproxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springsecurityfilterchain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- The pasted listing ends here, before the closing </web-app>. -->
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"
             xsi:schemalocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    <!-- NOTE(review): lower-cased by the page extraction. Access expressions are
         case-sensitive (permitAll(), isAnonymous(), isAuthenticated()), and the handler /
         provider bean names referenced below must match the names the beans are registered
         under. -->
    <http auto-config="true" use-expressions="true">
        <!-- Pages reachable without a session (or only without one). intercept-url rules are
             evaluated in order, first match wins, so these stay ahead of the /** catch-all. -->
        <intercept-url pattern="/login" access="permitall()" />
        <intercept-url pattern="/loginerror" access="isanonymous()" />
        <intercept-url pattern="/sessiontimeout" access="isanonymous()" />
        <intercept-url pattern="/forgotpassword" access="isanonymous()" />
        <intercept-url pattern="/requestnewpassword" access="isanonymous()" />
        <intercept-url pattern="/assets/**" access="permitall()" />
        <intercept-url pattern="/sessionexpired" access="isanonymous()" />
        <intercept-url pattern="/error" access="isanonymous()" />
        <!-- Form login posting "userid" / "password"; success is delegated to a custom handler,
             failure redirects to /loginerror. -->
        <form-login login-page="/login" username-parameter="userid" password-parameter="password"
                    authentication-success-handler-ref="cdatsuccesshandler"
                    authentication-failure-url="/loginerror" />
        <!-- <session-management session-fixation-protection="newsession" invalid-session-url="/sessiontimeout"> </session-management> -->
        <!-- One session per principal. Without error-if-maximum-exceeded="true" a later login
             wins and the earlier session is expired and sent to expired-url.
             NOTE(review): the session registry decides "same principal" via equals()/hashCode()
             of the object the authentication provider returns as principal (the User bean in
             the provider shown on this page). If User does not override them, every login is a
             distinct principal, the limit of 1 is never reached, and this element appears to do
             nothing — confirm User's equals/hashCode. The HttpSessionEventPublisher listener
             this needs is registered in the web.xml listing. -->
        <session-management>
            <concurrency-control max-sessions="1" expired-url="/sessiontimeout" />
        </session-management>
        <!-- Catch-all: everything not matched above requires an authenticated session. -->
        <intercept-url pattern="/**" access="isauthenticated()"/>
        <csrf/>
        <!-- <access-denied-handler error-page="/sessionexpired"/> -->
        <headers>
            <xss-protection enabled="true" block="true"/>
        </headers>
    </http>
    <!-- erase-credentials="true" clears the password from the Authentication object after a
         successful login, which matters because the provider stores the raw password in the token. -->
    <authentication-manager erase-credentials="true">
        <authentication-provider ref="cdatauthenticationprovider">
        </authentication-provider>
    </authentication-manager>
    <!-- The pasted listing ends here, before the closing </beans:beans>. -->
Authentication provider class:
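package com.component.cdat.security.configuration;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

import com.component.cdat.project.bean.MappProjectUser;
import com.component.cdat.user.bean.User;
import com.component.cdat.user.services.UserService;

/**
 * Authenticates form logins against the application's user store and builds the
 * {@link Authentication} that becomes the session principal.
 *
 * <p>NOTE(review): the listing this was taken from had been lower-cased by the page
 * extraction; Spring and project type names were restored to conventional casing.
 * Verify the project names (User, UserService, MappProjectUser and their getters)
 * against the actual sources. The bean name string is kept exactly as the
 * spring-security.xml on this page references it.
 */
@Component("cdatauthenticationprovider")
public class CdatAuthenticationProvider implements AuthenticationProvider {

    /**
     * One generic failure message for "unknown user" and "wrong password" alike, so the
     * login page cannot be used to enumerate valid user ids. The original printed distinct
     * messages to stdout and then threw NullPointerException.
     */
    private static final String BAD_CREDENTIALS = "Bad credentials";

    @Autowired
    UserService userService;

    /**
     * Validates the submitted user id and password.
     *
     * @param authentication the token built by the form-login filter; its name is the
     *     submitted user id and its credentials the submitted password
     * @return a fully authenticated token whose principal is the {@link User} bean and
     *     whose authorities come from {@link #getAuthorities(User)}
     * @throws AuthenticationException ({@link BadCredentialsException}) when the user id or
     *     password is missing, the user is unknown, or the password does not match. This
     *     type is what the login filter turns into the configured failure redirect; the
     *     original threw NullPointerException, which is not an AuthenticationException and
     *     surfaces as a server error instead of a login failure.
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String rawName = authentication.getName();
        Object credentials = authentication.getCredentials();
        // Guard before trim(): the original called getName().trim() ahead of its null check,
        // so a missing name could never reach the "empty" branch.
        if (rawName == null || !(credentials instanceof String)) {
            throw new BadCredentialsException(BAD_CREDENTIALS);
        }
        String loginId = rawName.trim();
        String password = (String) credentials;
        if (loginId.isEmpty() || password.isEmpty()) {
            throw new BadCredentialsException(BAD_CREDENTIALS);
        }

        User user = userService.getUserByUsername(loginId);
        // Username lookup stays case-insensitive, as in the original.
        if (user == null || !loginId.equalsIgnoreCase(user.getUsername())) {
            throw new BadCredentialsException(BAD_CREDENTIALS);
        }
        // Password check is now case-sensitive and length-independent in time. The original
        // used equalsIgnoreCase, which accepts any casing of the password and shrinks the
        // effective key space.
        // NOTE(review): this still compares the stored password as plain text. Passwords
        // should be stored hashed (bcrypt/scrypt/argon2) and verified through a
        // PasswordEncoder; that change needs the stored format to move first.
        if (!constantTimeEquals(password, user.getPassword())) {
            throw new BadCredentialsException(BAD_CREDENTIALS);
        }

        Collection<? extends GrantedAuthority> authorities = getAuthorities(user);
        // The User bean becomes the session principal. The password is kept in the token as
        // the original did; the XML on this page sets erase-credentials="true", which clears
        // it after login.
        // NOTE(review): Spring's session registry groups sessions by principal using
        // equals()/hashCode(). If User does not override them, two logins of the same
        // account are two distinct principals and max-sessions="1" is never enforced — a
        // likely reason the concurrency control appears not to work. Confirm User's
        // equals/hashCode (or return a stable key such as the user id as principal).
        return new UsernamePasswordAuthenticationToken(user, password, authorities);
    }

    /**
     * Compares two secrets without short-circuiting on the first differing character.
     *
     * @return {@code false} when either side is null, otherwise whether the UTF-8 bytes match
     */
    private static boolean constantTimeEquals(String submitted, String stored) {
        if (submitted == null || stored == null) {
            return false;
        }
        return MessageDigest.isEqual(
                submitted.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Maps the user's project roles to Spring authorities.
     *
     * @param user the authenticated user
     * @return one authority per row returned by {@code userService.getUserRole}, named
     *     {@code "role_"} plus the user type's short description
     */
    private Collection<? extends GrantedAuthority> getAuthorities(User user) {
        List<MappProjectUser> userAuthorityList = userService.getUserRole(user.getUserId());
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (MappProjectUser userAuthority : userAuthorityList) {
            // Prefix kept exactly as in the listing. NOTE(review): Spring's hasRole()
            // expressions match on the "ROLE_" prefix; if the page extraction lower-cased
            // this literal, the real source must keep the upper-case form.
            authorities.add(new SimpleGrantedAuthority("role_" + userAuthority.getUserType().getShortDesc()));
        }
        return authorities;
    }

    /**
     * Accepts only username/password tokens, which is the type {@link #authenticate} casts
     * the credentials of. The original returned {@code true} for every token type, which
     * would make the unchecked cast fail for any other provider's token.
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}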
Have a look at the reference documentation (this is for Spring Security 3.1):
<http> ... <session-management> <concurrency-control max-sessions="1" /> </session-management> </http>
This will prevent a user from logging in multiple times — a second login will cause the first to be invalidated. If you would rather prevent the second login instead, you can use
<http> ... <session-management> <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> </session-management> </http>
Try adding `error-if-maximum-exceeded="true"` to the `concurrency-control` tag and see if it works. Be aware of the drawback of concurrency control: if the user closes the browser without logging out, there is no way to log in again before the session times out (which is 30 minutes… so the user won't be able to access the website for the next 30 minutes).