Prevent Concurrent logins - madhusudana30/AlternativeJPAForWebSphere GitHub Wiki

dzone.com/articles/disable-multiple-logins-same

wiki.pentaho.com/display/ServerDoc2x/Concurrent+Sessions+%28Preventing+Users+from+Logging+in+More+Than+Once%29

Concurrent Sessions

Goal: To restrict users from logging in more than once (having multiple HTTP sessions associated with the same username). As a concrete example, consider that joe logs in. Now consider that joe attempts to log in from a different machine (or even a different browser on the same machine). We wish to prevent the second login from succeeding.

The steps outlined here use the legacy Spring Security configuration method. (The result is the same as the one given in the reference below; it just requires more XML.)

Add a listener to web.xml which will keep Spring Security informed about sessions.

web.xml

```xml
<listener>
  <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>
```

Add a new session registry bean to applicationContext-spring-security.xml.

applicationContext-spring-security.xml

```xml
<bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl" />
```

Add a new concurrent session filter bean to applicationContext-spring-security.xml.

applicationContext-spring-security.xml

```xml
<bean id="concurrentSessionFilter" class="org.springframework.security.concurrent.ConcurrentSessionFilter">
  <property name="sessionRegistry" ref="sessionRegistry" />
</bean>
```

Add a new concurrent session controller bean to applicationContext-spring-security.xml.

applicationContext-spring-security.xml

```xml
<bean id="concurrentSessionController"
  class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
  <property name="sessionRegistry" ref="sessionRegistry" />
  <property name="maximumSessions" value="1" />
  <property name="exceptionIfMaximumExceeded" value="true" />
</bean>
```

Add a reference to the concurrent session filter to the existing bean definition with id filterChainProxy. Add concurrentSessionFilter to the end (just before the end of the CDATA).

applicationContext-spring-security.xml

```xml
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
       /**=securityContextHolderAwareRequestFilter,..omitted..,filterInvocationInterceptor,concurrentSessionFilter]]>
    </value>
  </property>
</bean>
```

Add a reference to the concurrent session controller to the existing bean definition with id authenticationManager. Insert an additional property element with a ref attribute into the existing bean.

applicationContext-spring-security.xml

```xml
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
  <property name="providers">
    <list>
      <!-- omitted -->
    </list>
  </property>
  <property name="sessionController" ref="concurrentSessionController" />
</bean>
```
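The following added example is not part of the original page and is not Spring Security code. It is a simplified plain-Java model of how the session registry and the `maximumSessions` / `exceptionIfMaximumExceeded` settings interact, and of why the listener in web.xml matters: if the registry is never told that a session was destroyed, the user stays locked out after that session ends. The class and method names are hypothetical, and the handling of `exceptionIfMaximumExceeded=false` is reduced to dropping the oldest session.

```java
import java.util.*;

// Simplified model (hypothetical names, not the Spring Security implementation)
// of the sessionRegistry + concurrentSessionController pair configured above.
public class ConcurrentSessionModel {
    // username -> ids of the sessions the registry believes are still alive
    private final Map<String, Set<String>> registry = new HashMap<>();
    private final int maximumSessions;
    private final boolean exceptionIfMaximumExceeded;

    ConcurrentSessionModel(int maximumSessions, boolean exceptionIfMaximumExceeded) {
        if (maximumSessions < 1) throw new IllegalArgumentException("maximumSessions must be >= 1");
        this.maximumSessions = maximumSessions;
        this.exceptionIfMaximumExceeded = exceptionIfMaximumExceeded;
    }

    // Called on every authentication attempt; returns whether the login is allowed.
    boolean login(String user, String sessionId) {
        Set<String> sessions = registry.computeIfAbsent(user, u -> new LinkedHashSet<>());
        if (!sessions.contains(sessionId) && sessions.size() >= maximumSessions) {
            if (exceptionIfMaximumExceeded) {
                return false;               // the new login is refused
            }
            Iterator<String> oldest = sessions.iterator();
            oldest.next();
            oldest.remove();                // model: the oldest session gives way
        }
        sessions.add(sessionId);
        return true;
    }

    // The role of the web.xml listener: the container reports a destroyed session.
    void sessionDestroyed(String sessionId) {
        registry.values().forEach(s -> s.remove(sessionId));
    }

    public static void main(String[] args) {
        ConcurrentSessionModel m = new ConcurrentSessionModel(1, true);
        System.out.println("joe, session S1: " + m.login("joe", "S1"));
        System.out.println("joe, session S2 while S1 is alive: " + m.login("joe", "S2"));
        // S1 times out in the container, but no event reaches the registry yet,
        // so the registry still counts it against joe's limit.
        System.out.println("joe, session S3 before the event: " + m.login("joe", "S3"));
        m.sessionDestroyed("S1");           // the listener delivers the event
        System.out.println("joe, session S3 after the event: " + m.login("joe", "S3"));
    }
}
```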
