Spring maximum number of sessions; limit the maximum number of users

this post is a little old, but I had the same problem in spring security 4.1, and I solved it like that.

management session

 <security:http disable-url-rewriting="true" use-expressions="true" auto-config="true"> <security:session-management invalid-session-url="/app/login" session-authentication-strategy-ref="sessionAuthenticationStrategy"> </security:session-management> </security:http> 

authentication session strategy-ref

 <bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy"> <constructor-arg> <list> <bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy"> <constructor-arg ref="sessionRegistry"/> <property name="maximumSessions" value="1" /> <property name="exceptionIfMaximumExceeded" value="true" /> </bean> <bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"> </bean> <bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy"> <constructor-arg ref="sessionRegistry"/> </bean> </list> </constructor-arg> </bean> 

Session session

 @Autowired private SessionRegistry sessionRegistry; 

Authentication

 List<SessionInformation> sessions = new ArrayList<>(); for (Object principal : sessionRegistry.getAllPrincipals()) { sessions.addAll(sessionRegistry.getAllSessions(principal, false)); } LOGGER.info("Sessiones Activas: " + sessions.size()); // filtro para limite de sessiones if (sessions.size() < max_sessions) { //authentication } else { throw new SessionAuthenticationException("Maximo numero de Usuarios exedido."); } 

this way because I authenticate based on security: custom-filter