ConcurrentSessionControlStrategy in spring security 3.2.4

Question

ConcurrentSessionControlStrategy in spring security 3.2.4

I had a working configuration with ConcurrentSessionControlStrategy and my own implementation of sessionRegistry. I upgraded to spring security 3.2.4 and had to change ConcurrentSessionControlStrategy to ConcurrentSessionControlAuthenticationStrategy. and now it seems that sessionRegistry is not bound, i.e. ConcurrentSessionControlAuthenticationStrategy.onAuthenticaton is not in sessionRegistry.registerNewSession. What to do?

my xml configuration:

    <security:http use-expressions="true" auto-config="false"
        entry-point-ref="loginUrlAuthenticationEntryPoint">


        <security:intercept-url pattern="/**"
            access="isAuthenticated()" />

        <security:custom-filter position="FORM_LOGIN_FILTER"
            ref="twoFactorAuthenticationFilter" />



        <security:logout logout-url="/player/logout"
            logout-success-url="/demo/player/logoutSuccess" />

        <security:session-management>
            <security:concurrency-control
                max-sessions="1" session-registry-ref="clusteredSessionRegistryImpl"
                error-if-maximum-exceeded="false" />
        </security:session-management>

    </security:http>



    <bean
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
        <constructor-arg ref="clusteredSessionRegistryImpl" />
        <property name="maximumSessions" value="1" />
    </bean>

    <bean id="loginUrlAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/demo/player/login?login_error=true" />
    </bean>

    <bean id="twoFactorAuthenticationFilter" class="com.XXX.filter.TwoFactorAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationFailureHandler" ref="failureHandler" />
        <property name="authenticationSuccessHandler" ref="playerAuthenticationSuccessHandler" />
        <property name="postOnly" value="true" />
    </bean>


    <bean id="failureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/login?login_error=true" />

    </bean>

    <bean id="bCryptPasswordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="authenticationProvider">
        </security:authentication-provider>
    </security:authentication-manager>

</beans>

+4

java spring spring-mvc spring-security

lior Jun 05 '14 at 10:21

source share

1 answer

Edgar · Answer 1 · 2014-10-09T13:42:49+0000

I seem to be late with the answer, but no way ...

ConcurrentSessionControlStrategy - ConcurrentSessionControlAuthenticationStrategy, SessionFixationProtectionStrategy RegisterSessionAuthenticationStrategy.

, CompositeSessionAuthenticationStrategy .

, , ConcurrentSessionControlAuthenticationStrategy ConcurrentSessionControlStrategy. , SessionRegistry RegisterSessionAuthenticationStrategy. SessionRegistry , "substitute" "ok".

, , , ( CompositeSessionAuthenticationStrategy, SessionAuthenticationStrategy, :) ).

ConcurrentSessionControlStrategy in spring security 3.2.4

More articles: