org.springframework.security.web.authentication.session
Class ConcurrentSessionControlStrategy

java.lang.Object
  extended by org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
      extended by org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
All Implemented Interfaces:
org.springframework.context.MessageSourceAware, SessionAuthenticationStrategy

public class ConcurrentSessionControlStrategy
extends SessionFixationProtectionStrategy
implements org.springframework.context.MessageSourceAware

Strategy which handles concurrent session-control, in addition to the functionality provided by the base class. When invoked following an authentication, it will check whether the user in question should be allowed to proceed, by comparing the number of sessions they already have active with the configured maximumSessions value. The SessionRegistry is used as the source of data on authenticated users and session data.

If a user has reached the maximum number of permitted sessions, the behaviour depends on the exceptionIfMaxExceeded property. The default behaviour is to expired the least recently used session, which will be invalidated by the ConcurrentSessionFilter if accessed again. If exceptionIfMaxExceeded is set to true, however, the user will be prevented from starting a new authenticated session.

This strategy can be injected into both the SessionManagementFilter and instances of AbstractAuthenticationProcessingFilter (typically UsernamePasswordAuthenticationFilter).

Since:
3.0

Field Summary
protected  org.springframework.context.support.MessageSourceAccessor messages
           
 
Fields inherited from class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
logger
 
Constructor Summary
ConcurrentSessionControlStrategy(SessionRegistry sessionRegistry)
           
 
Method Summary
protected  void allowableSessionsExceeded(java.util.List<SessionInformation> sessions, int allowableSessions, SessionRegistry registry)
          Allows subclasses to customise behaviour when too many sessions are detected.
protected  int getMaximumSessionsForThisUser(Authentication authentication)
          Method intended for use by subclasses to override the maximum number of sessions that are permitted for a particular authentication.
 void onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Called when a user is newly authenticated.
protected  void onSessionChange(java.lang.String originalSessionId, javax.servlet.http.HttpSession newSession, Authentication auth)
          Called when the session has been changed and the old attributes have been migrated to the new session.
 void setAlwaysCreateSession(boolean alwaysCreateSession)
           
 void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded)
          Sets the exceptionIfMaximumExceeded property, which determines whether the user should be prevented from opening more sessions than allowed.
 void setMaximumSessions(int maximumSessions)
          Sets the maxSessions property.
 void setMessageSource(org.springframework.context.MessageSource messageSource)
           
 
Methods inherited from class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
setMigrateSessionAttributes, setRetainedAttributes
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

messages

protected org.springframework.context.support.MessageSourceAccessor messages
Constructor Detail

ConcurrentSessionControlStrategy

public ConcurrentSessionControlStrategy(SessionRegistry sessionRegistry)
Parameters:
sessionRegistry - the session registry which should be updated when the authenticated session is changed.
Method Detail

onAuthentication

public void onAuthentication(Authentication authentication,
                             javax.servlet.http.HttpServletRequest request,
                             javax.servlet.http.HttpServletResponse response)
Description copied from class: SessionFixationProtectionStrategy
Called when a user is newly authenticated.

If a session already exists, and matches the session Id from the client, a new session will be created, and the session attributes copied to it (if migrateSessionAttributes is set). The sessionRegistry will be updated with the new session information. If the client's requested session Id is invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current session.

If there is no session, no action is taken unless the alwaysCreateSession property is set, in which case a session will be created if one doesn't already exist.

Specified by:
onAuthentication in interface SessionAuthenticationStrategy
Overrides:
onAuthentication in class SessionFixationProtectionStrategy

getMaximumSessionsForThisUser

protected int getMaximumSessionsForThisUser(Authentication authentication)
Method intended for use by subclasses to override the maximum number of sessions that are permitted for a particular authentication. The default implementation simply returns the maximumSessions value for the bean.

Parameters:
authentication - to determine the maximum sessions for
Returns:
either -1 meaning unlimited, or a positive integer to limit (never zero)

allowableSessionsExceeded

protected void allowableSessionsExceeded(java.util.List<SessionInformation> sessions,
                                         int allowableSessions,
                                         SessionRegistry registry)
                                  throws SessionAuthenticationException
Allows subclasses to customise behaviour when too many sessions are detected.

Parameters:
sessions - either null or all unexpired sessions associated with the principal
allowableSessions - the number of concurrent sessions the user is allowed to have
registry - an instance of the SessionRegistry for subclass use
Throws:
SessionAuthenticationException

onSessionChange

protected void onSessionChange(java.lang.String originalSessionId,
                               javax.servlet.http.HttpSession newSession,
                               Authentication auth)
Description copied from class: SessionFixationProtectionStrategy
Called when the session has been changed and the old attributes have been migrated to the new session. Only called if a session existed to start with. Allows subclasses to plug in additional behaviour.

Overrides:
onSessionChange in class SessionFixationProtectionStrategy
Parameters:
originalSessionId - the original session identifier
newSession - the newly created session
auth - the token for the newly authenticated principal

setExceptionIfMaximumExceeded

public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded)
Sets the exceptionIfMaximumExceeded property, which determines whether the user should be prevented from opening more sessions than allowed. If set to true, a SessionAuthenticationException will be raised.

Parameters:
exceptionIfMaximumExceeded - defaults to false.

setMaximumSessions

public void setMaximumSessions(int maximumSessions)
Sets the maxSessions property. The default value is 1. Use -1 for unlimited sessions.

Parameters:
maximumSessions - the maximimum number of permitted sessions a user can have open simultaneously.

setMessageSource

public void setMessageSource(org.springframework.context.MessageSource messageSource)
Specified by:
setMessageSource in interface org.springframework.context.MessageSourceAware

setAlwaysCreateSession

public final void setAlwaysCreateSession(boolean alwaysCreateSession)
Overrides:
setAlwaysCreateSession in class SessionFixationProtectionStrategy