Class ConcurrentSessionControlAuthenticationStrategy
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.context.MessageSourceAware
,SessionAuthenticationStrategy
When invoked following an authentication, it will check whether the user in question
should be allowed to proceed, by comparing the number of sessions they already have
active with the configured maximumSessions value. The SessionRegistry
is used as the source of data on authenticated users and session data.
If a user has reached the maximum number of permitted sessions, the behaviour depends
on the exceptionIfMaxExceeded property. The default behaviour is to expire any
sessions that exceed the maximum number of permitted sessions, starting with the least
recently used sessions. The expired sessions will be invalidated by the
ConcurrentSessionFilter
if accessed again. If exceptionIfMaxExceeded
is set to true, however, the user will be prevented from starting a new
authenticated session.
This strategy can be injected into both the SessionManagementFilter
and
instances of AbstractAuthenticationProcessingFilter
(typically
UsernamePasswordAuthenticationFilter
), but is typically combined with
RegisterSessionAuthenticationStrategy
using
CompositeSessionAuthenticationStrategy
.
- Since:
- 3.2
- See Also:
-
Field Summary
Modifier and TypeFieldDescriptionprotected org.springframework.context.support.MessageSourceAccessor
-
Constructor Summary
ConstructorDescriptionConcurrentSessionControlAuthenticationStrategy
(SessionRegistry sessionRegistry) -
Method Summary
Modifier and TypeMethodDescriptionprotected void
allowableSessionsExceeded
(List<SessionInformation> sessions, int allowableSessions, SessionRegistry registry) Allows subclasses to customise behaviour when too many sessions are detected.protected int
getMaximumSessionsForThisUser
(Authentication authentication) Method intended for use by subclasses to override the maximum number of sessions that are permitted for a particular authentication.void
onAuthentication
(Authentication authentication, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) In addition to the steps from the superclass, the sessionRegistry will be updated with the new session information.void
setExceptionIfMaximumExceeded
(boolean exceptionIfMaximumExceeded) Sets the exceptionIfMaximumExceeded property, which determines whether the user should be prevented from opening more sessions than allowed.void
setMaximumSessions
(int maximumSessions) Sets the maxSessions property.void
setMessageSource
(org.springframework.context.MessageSource messageSource) Sets theMessageSource
used for reporting errors back to the user when the user has exceeded the maximum number of authentications.
-
Field Details
-
messages
protected org.springframework.context.support.MessageSourceAccessor messages
-
-
Constructor Details
-
ConcurrentSessionControlAuthenticationStrategy
- Parameters:
sessionRegistry
- the session registry which should be updated when the authenticated session is changed.
-
-
Method Details
-
onAuthentication
public void onAuthentication(Authentication authentication, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) In addition to the steps from the superclass, the sessionRegistry will be updated with the new session information.- Specified by:
onAuthentication
in interfaceSessionAuthenticationStrategy
-
getMaximumSessionsForThisUser
Method intended for use by subclasses to override the maximum number of sessions that are permitted for a particular authentication. The default implementation simply returns themaximumSessions
value for the bean.- Parameters:
authentication
- to determine the maximum sessions for- Returns:
- either -1 meaning unlimited, or a positive integer to limit (never zero)
-
allowableSessionsExceeded
protected void allowableSessionsExceeded(List<SessionInformation> sessions, int allowableSessions, SessionRegistry registry) throws SessionAuthenticationException Allows subclasses to customise behaviour when too many sessions are detected.- Parameters:
sessions
- eithernull
or all unexpired sessions associated with the principalallowableSessions
- the number of concurrent sessions the user is allowed to haveregistry
- an instance of theSessionRegistry
for subclass use- Throws:
SessionAuthenticationException
-
setExceptionIfMaximumExceeded
public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) Sets the exceptionIfMaximumExceeded property, which determines whether the user should be prevented from opening more sessions than allowed. If set to true, a SessionAuthenticationException will be raised which means the user authenticating will be prevented from authenticating. if set to false, the user that has already authenticated will be forcibly logged out.- Parameters:
exceptionIfMaximumExceeded
- defaults to false.
-
setMaximumSessions
public void setMaximumSessions(int maximumSessions) Sets the maxSessions property. The default value is 1. Use -1 for unlimited sessions.- Parameters:
maximumSessions
- the maximum number of permitted sessions a user can have open simultaneously.
-
setMessageSource
public void setMessageSource(org.springframework.context.MessageSource messageSource) Sets theMessageSource
used for reporting errors back to the user when the user has exceeded the maximum number of authentications.- Specified by:
setMessageSource
in interfaceorg.springframework.context.MessageSourceAware
-