
Missing example with Spring Security maximum sessions feature


There is no example to illustrate session management with maximum sessions.

The Java code is:

            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login?expired")

but logout does not invalidate the login.

There are some forums that mention org.springframework.security.web.session.HttpSessionEventPublisher, but it’s supposed to be added to web.xml, which Spring Boot doesn’t use.

I can’t piece it together into code that successfully logs the user out and allows for a new login.

Issue Analytics

  • State: closed
  • Created 9 years ago
  • Comments:13 (4 by maintainers)

Top GitHub Comments

6 reactions
rwinch commented, Feb 18, 2015

There are a few things going on here:

  • As mentioned previously, Spring Security requires an HttpSessionListener (HttpSessionEventPublisher) to be registered. It would be nice if Spring Boot documented how to register an HttpSessionListener. I created #2518 to address this.
  • Spring Security has a bug that means the SessionDestroyedEvent will not be received by the SessionRegistryImpl. The workaround is to explicitly provide the SessionRegistryImpl.

A complete example can be found below:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.embedded.ServletListenerRegistrationBean; // Spring Boot 1.x package
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@EnableWebMvcSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .antMatchers("/expired").permitAll()   // the expired page must be reachable without a session
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .and()
                .sessionManagement()
                    .maximumSessions(1)
                    .expiredUrl("/expired")
                    .maxSessionsPreventsLogin(true)   // reject a second login instead of expiring the first session
                    .sessionRegistry(sessionRegistry());
    }

    // Work around https://jira.spring.io/browse/SEC-2855: the registry must be an explicit bean
    // so that it receives the SessionDestroyedEvent published on logout
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER");
    }

    // Register HttpSessionEventPublisher with the servlet container (Spring Boot's replacement for
    // the web.xml <listener> entry). It turns HttpSession destruction into a SessionDestroyedEvent,
    // which is what lets the registry release the user's slot after logout.
    @Bean
    public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }
}
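The same two pieces (concurrency control plus the HttpSessionEventPublisher listener) on a current Spring Boot 3 / Spring Security 6 stack, as an added example that is not part of the issue thread. It assumes the Boot web and security starters are on the classpath; the class name is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrentSessionConfig {   // hypothetical class name
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/expired").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                .maximumSessions(1)
                // true rejects the second login; false expires the first session instead
                .maxSessionsPreventsLogin(true)
                .expiredUrl("/expired")
                .sessionRegistry(registry));
        return http.build();
    }
    // Exposing the registry as a bean also lets other code list or expire a principal's sessions
    @Bean
    SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }
    // Boot registers HttpSessionListener beans with the embedded container (no ServletListenerRegistrationBean
    // wrapper needed). Without it the registry never hears about logout, so the user still counts as logged in.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
    @Bean
    UserDetailsService userDetailsService() {
        // "{noop}" selects the plain-text password encoder: demo credentials only
        return new InMemoryUserDetailsManager(
            User.withUsername("user").password("{noop}password").roles("USER").build());
    }
}
```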
3 reactions
wilkinsona commented, Apr 20, 2017

@tanojkumar A closed issue from almost 3 years ago isn’t a good place to look for some help. Please use Stack Overflow or Gitter instead.
