StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POSpring Security 3.0.5 Concurrency is not working
text
Body
copied!<p>Hi I am using Spring Security 3.0.5 with Spring Framework 3.0.6. I have configured concurrency as per the documentation. It is not working. I login to the application from a browser session and then attemp to login again from another tab in the same browser - it lets me log in instead of denying the attempt.</p> <p>Here is my security config file:</p> <pre><code><?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <http auto-config="false" use-expressions="true" access-denied-page="/jsp/accessDenied.jsp" entry-point-ref="authenticationEntryPoint"> <intercept-url pattern="/login.jsp" filters="none" /> <intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> <logout invalidate-session="true" logout-url="/logout.htm" logout-success-url="/login.jsp?loggedout=true"/> <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/> <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/> <session-management session-authentication-strategy-ref="sas"/> </http> <beans:bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> <beans:property name="sessionAuthenticationStrategy" ref="sas"/> <beans:property name="authenticationManager" ref="authenticationManager"/> <beans:property name="authenticationFailureHandler" ref="customAuthenticationFailureHandler"/> <beans:property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler"/> </beans:bean> <beans:bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> <beans:property name="defaultFailureUrl" value="/login.jsp?authfailed=true"/> </beans:bean> <beans:bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"> <beans:property name="defaultTargetUrl" value="/index.jsp" /> </beans:bean> <beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> <beans:property name="loginFormUrl" value="/login.jsp"/> </beans:bean> <authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="userDetailsService"> <password-encoder ref="passwordEncoder"/> </authentication-provider> </authentication-manager> <beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/> <user-service id="userDetailsService"> <user name="username" password="ee11cbb19052e40b07aac0ca060c23ee" authorities="ROLE_USER, ROLE_ADMIN" /> <user name="test" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_USER" /> </user-service> <beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"> <beans:property name="sessionRegistry" ref="sessionRegistry"/> <beans:property name="expiredUrl" value="/login.jsp?loggedout=true" /> </beans:bean> <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> <beans:property name="maximumSessions" value="1" /> <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> </beans:bean> <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> </code></pre> <p></p> <p>Here is my web.xml</p> <pre><code><?xml version="1.0" encoding="UTF-8"?> <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> <display-name>Spring security web application (series)</display-name> <context-param> <param-name>contextConfigLocation</param-name> <param-value>/WEB-INF/applicationContext-security.xml </param-value> </context-param>  <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <listener> <listener-class> org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> </listener> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <servlet> <servlet-name>springsecuritywebapp</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>springsecuritywebapp</servlet-name> <url-pattern>*.htm</url-pattern> </servlet-mapping> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> </web-app> </code></pre> <p>Regards, Nazir</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload