spring security concurrent session not working -


I am using Spring 4 and Hibernate 4 and have implemented Spring Security. It is working fine, but I do not want to allow concurrent logins using the same credentials. I have added the listener "HttpSessionEventPublisher" in web.xml and used the "session-management" tag in Spring Security to implement concurrency control, but it is not working. Following is the complete code:

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <!-- Publishes HttpSessionCreatedEvent / HttpSessionDestroyedEvent into the Spring context.
         Concurrency control's SessionRegistry needs the destroyed event to forget a session
         once the container invalidates it (logout, timeout). -->
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <servlet>
        <servlet-name>appservlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring/appservlet/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>appservlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- DelegatingFilterProxy looks up a bean named exactly like this filter-name; the security
         namespace registers its filter chain as "springSecurityFilterChain" (case-sensitive). -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <!-- Every request passes through the security chain before reaching the dispatcher. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

</web-app>

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- auto-config="true" registers the default form-login, http-basic and logout filters;
         the explicit form-login element below overrides the form-login defaults. -->
    <http auto-config="true" use-expressions="true">

        <!-- Pages that must be reachable before (or instead of) a login. Patterns are matched
             in declaration order; the catch-all isAuthenticated() rule is last. -->
        <intercept-url pattern="/login" access="permitAll()" />
        <intercept-url pattern="/loginerror" access="isAnonymous()" />
        <intercept-url pattern="/sessiontimeout" access="isAnonymous()" />
        <intercept-url pattern="/forgotpassword" access="isAnonymous()" />
        <intercept-url pattern="/requestnewpassword" access="isAnonymous()" />
        <intercept-url pattern="/assets/**" access="permitAll()" />
        <intercept-url pattern="/sessionexpired" access="isAnonymous()" />
        <intercept-url pattern="/error" access="isAnonymous()" />

        <form-login login-page="/login"
                    username-parameter="userid"
                    password-parameter="password"
                    authentication-success-handler-ref="cdatsuccesshandler"
                    authentication-failure-url="/loginerror" />

        <!-- Earlier variant, kept for reference:
             <session-management session-fixation-protection="newSession" invalid-session-url="/sessiontimeout"/> -->

        <!-- One session per principal. With max-sessions alone the second login wins and the
             first session is expired and redirected to expired-url on its next request; add
             error-if-maximum-exceeded="true" to reject the second login instead.
             expired-url must be reachable by the expired session: /sessiontimeout is isAnonymous() above.
             NOTE(review): the SessionRegistry keys sessions by the principal object. If the User
             entity that the authentication provider returns as principal does not implement
             equals/hashCode, two logins of the same account likely look like two different
             principals; confirm this if the limit has no visible effect. -->
        <session-management>
            <concurrency-control max-sessions="1" expired-url="/sessiontimeout" />
        </session-management>

        <intercept-url pattern="/**" access="isAuthenticated()" />

        <csrf />

        <!-- Not enabled: <access-denied-handler error-page="/sessionexpired"/> -->

        <headers>
            <xss-protection enabled="true" block="true" />
        </headers>

    </http>

    <!-- erase-credentials: the presented password is removed from the Authentication
         object once the provider has accepted it. -->
    <authentication-manager erase-credentials="true">
        <authentication-provider ref="cdatauthenticationprovider" />
    </authentication-manager>

</beans:beans>

Authentication provider class:

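package com.component.cdat.security.configuration;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

import com.component.cdat.project.bean.MappProjectUser;
import com.component.cdat.user.bean.User;
import com.component.cdat.user.services.UserService;

/**
 * Authenticates form-login submissions against the application's user store.
 *
 * <p>On success the returned token carries the {@link User} entity as its principal and one
 * {@code ROLE_}-prefixed authority per project membership. Every failure is reported as a
 * {@link BadCredentialsException} with the same message, so the login page cannot be used to
 * tell a wrong password apart from an unknown user id. Failures are no longer signalled with a
 * {@code NullPointerException}, which the security filter does not treat as a login failure.
 *
 * <p>NOTE(review): concurrent-session control tracks sessions per principal object. If
 * {@code User} does not implement {@code equals}/{@code hashCode} by account identity, two
 * logins of the same account likely look like two different principals to the session
 * registry; confirm this if {@code max-sessions="1"} has no effect.
 */
@Component("cdatauthenticationprovider")
public class CdatAuthenticationProvider implements AuthenticationProvider {

    private static final Logger LOG = Logger.getLogger(CdatAuthenticationProvider.class.getName());

    /** One message for every failure mode; see the class comment. */
    private static final String BAD_CREDENTIALS = "Bad credentials";

    @Autowired
    private UserService userService;

    /**
     * Validates the supplied user id and password.
     *
     * @param authentication the unauthenticated request token; its name is the user id and its
     *        credentials the presented password
     * @return an authenticated token with the matching {@link User} as principal
     * @throws AuthenticationException as a {@link BadCredentialsException} when either field is
     *         blank, the user id is unknown, or the password does not match
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String loginId = authentication.getName();
        Object credentials = authentication.getCredentials();
        // Null-check before trimming: the previous code trimmed first, so a missing name
        // could never reach its own null check.
        if (loginId == null || credentials == null) {
            throw new BadCredentialsException(BAD_CREDENTIALS);
        }
        loginId = loginId.trim();
        String password = credentials.toString();
        if (loginId.isEmpty() || password.isEmpty()) {
            throw new BadCredentialsException(BAD_CREDENTIALS);
        }

        User user = userService.getUserByUsername(loginId);
        // The user-id match stays case-insensitive as before; only the password check is exact.
        if (user == null || !loginId.equalsIgnoreCase(user.getUsername())) {
            LOG.log(Level.FINE, "login failed: unknown user id {0}", loginId);
            throw new BadCredentialsException(BAD_CREDENTIALS);
        }
        if (!passwordMatches(password, user.getPassword())) {
            LOG.log(Level.FINE, "login failed: password mismatch for user id {0}", loginId);
            throw new BadCredentialsException(BAD_CREDENTIALS);
        }

        // erase-credentials="true" in the security XML clears the password from this token
        // after authentication completes.
        return new UsernamePasswordAuthenticationToken(user, password, getAuthorities(user));
    }

    /**
     * Compares the presented password with the stored value.
     *
     * <p>The comparison is case-sensitive (the previous {@code equalsIgnoreCase} silently
     * weakened every password) and constant-time. It still assumes that
     * {@code User#getPassword()} returns a value directly comparable with user input, i.e. a
     * plaintext password. FIXME(security): store a salted hash instead and replace this method
     * with {@code PasswordEncoder#matches} (for example {@code BCryptPasswordEncoder}).
     *
     * @param presented the password typed into the login form
     * @param stored the value held for the user; {@code null} never matches
     * @return whether the two values are byte-for-byte equal
     */
    private static boolean passwordMatches(String presented, String stored) {
        if (stored == null) {
            return false;
        }
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Maps each of the user's project memberships to a {@code ROLE_<short description>}
     * authority.
     *
     * @param user the authenticated user
     * @return the granted authorities; empty when the user has no memberships
     */
    private Collection<? extends GrantedAuthority> getAuthorities(User user) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        List<MappProjectUser> memberships = userService.getUserRole(user.getUserId());
        if (memberships == null) {
            return authorities;
        }
        for (MappProjectUser membership : memberships) {
            // Spring Security's role checks (hasRole) expect the ROLE_ prefix.
            authorities.add(new SimpleGrantedAuthority("ROLE_" + membership.getUserType().getShortDesc()));
        }
        return authorities;
    }

    /**
     * Restricts this provider to form-login tokens. Returning {@code true} for every class, as
     * before, would route unrelated token types (remember-me, pre-authenticated) through the
     * password check above.
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}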

Have a look at the reference documentation (this is Spring Security 3.1):

  <http>       ...       <session-management>           <concurrency-control max-sessions="1" />       </session-management>   </http> 

This prevents a user from logging in multiple times - a second login causes the first to be invalidated. If you prefer to prevent the second login instead, you can use

<http>     ...     <session-management>         <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />     </session-management> </http> 

Try adding error-if-maximum-exceeded="true" to the concurrency-control tag and see if it works. Be aware of the drawback of concurrency control: if the user closes the browser without logging out, they have no way to log in again before the session times out (which is 30 minutes... so they won't be able to access the website for the next 30 minutes).

