org.springframework.security.web.authentication.session

Class ConcurrentSessionControlStrategy

java.lang.Object

org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy

All Implemented Interfaces:

Aware, ApplicationEventPublisherAware, MessageSourceAware, SessionAuthenticationStrategy

Deprecated.

Use ConcurrentSessionControlAuthenticationStrategy instead

@Deprecated
public class ConcurrentSessionControlStrategy
extends SessionFixationProtectionStrategy
implements MessageSourceAware

Strategy which handles concurrent session-control, in addition to the functionality provided by the base class. When invoked following an authentication, it will check whether the user in question should be allowed to proceed, by comparing the number of sessions they already have active with the configured maximumSessions value. The SessionRegistry is used as the source of data on authenticated users and session data.

If a user has reached the maximum number of permitted sessions, the behaviour depends on the exceptionIfMaxExceeded property. The default behaviour is to expired the least recently used session, which will be invalidated by the ConcurrentSessionFilter if accessed again. If exceptionIfMaxExceeded is set to true, however, the user will be prevented from starting a new authenticated session.

This strategy can be injected into both the SessionManagementFilter and instances of AbstractAuthenticationProcessingFilter (typically UsernamePasswordAuthenticationFilter).

Since:

3.0

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	org.springframework.security.web.authentication.session.AbstractSessionFixationProtectionStrategy.NullEventPublisher

Field Summary

Fields

Modifier and Type	Field and Description
protected org.apache.commons.logging.Log	logger
protected MessageSourceAccessor	messages Deprecated.

Constructor Summary

Constructors

Constructor and Description
ConcurrentSessionControlStrategy(SessionRegistry sessionRegistry) Deprecated.

Method Summary

Methods

Modifier and Type	Method and Description
protected void	allowableSessionsExceeded(List<SessionInformation> sessions, int allowableSessions, SessionRegistry registry) Deprecated. Allows subclasses to customise behaviour when too many sessions are detected.
protected int	getMaximumSessionsForThisUser(Authentication authentication) Deprecated. Method intended for use by subclasses to override the maximum number of sessions that are permitted for a particular authentication.
void	onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Deprecated. In addition to the steps from the superclass, the sessionRegistry will be updated with the new session information.
protected void	onSessionChange(String originalSessionId, javax.servlet.http.HttpSession newSession, Authentication auth) Called when the session has been changed and the old attributes have been migrated to the new session.
void	setAlwaysCreateSession(boolean alwaysCreateSession) Deprecated.
void	setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) Sets the ApplicationEventPublisher to use for submitting SessionFixationProtectionEvent.
void	setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) Deprecated. Sets the exceptionIfMaximumExceeded property, which determines whether the user should be prevented from opening more sessions than allowed.
void	setMaximumSessions(int maximumSessions) Deprecated. Sets the maxSessions property.
void	setMessageSource(MessageSource messageSource) Deprecated.

Methods inherited from class org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy

extractAttributes, setMigrateSessionAttributes, setRetainedAttributes

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

messages

protected MessageSourceAccessor messages

Deprecated.

logger

protected final org.apache.commons.logging.Log logger

Constructor Detail

ConcurrentSessionControlStrategy

public ConcurrentSessionControlStrategy(SessionRegistry sessionRegistry)

Deprecated.

Parameters:

sessionRegistry - the session registry which should be updated when the authenticated session is changed.

Method Detail

onAuthentication

public void onAuthentication(Authentication authentication,
                    javax.servlet.http.HttpServletRequest request,
                    javax.servlet.http.HttpServletResponse response)

Deprecated.

In addition to the steps from the superclass, the sessionRegistry will be updated with the new session information.

Specified by:

onAuthentication in interface SessionAuthenticationStrategy

getMaximumSessionsForThisUser

protected int getMaximumSessionsForThisUser(Authentication authentication)

Deprecated.

Method intended for use by subclasses to override the maximum number of sessions that are permitted for a particular authentication. The default implementation simply returns the maximumSessions value for the bean.

Parameters:

authentication - to determine the maximum sessions for

Returns:

either -1 meaning unlimited, or a positive integer to limit (never zero)

allowableSessionsExceeded

protected void allowableSessionsExceeded(List<SessionInformation> sessions,
                             int allowableSessions,
                             SessionRegistry registry)
                                  throws SessionAuthenticationException

Deprecated.

Allows subclasses to customise behaviour when too many sessions are detected.

Parameters:

sessions - either null or all unexpired sessions associated with the principal

allowableSessions - the number of concurrent sessions the user is allowed to have

registry - an instance of the SessionRegistry for subclass use

Throws:

SessionAuthenticationException

setExceptionIfMaximumExceeded

public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded)

Deprecated.

Sets the exceptionIfMaximumExceeded property, which determines whether the user should be prevented from opening more sessions than allowed. If set to true, a SessionAuthenticationException will be raised.

Parameters:

exceptionIfMaximumExceeded - defaults to false.

setMaximumSessions

public void setMaximumSessions(int maximumSessions)

Deprecated.

Sets the maxSessions property. The default value is 1. Use -1 for unlimited sessions.

Parameters:

maximumSessions - the maximimum number of permitted sessions a user can have open simultaneously.

setMessageSource

public void setMessageSource(MessageSource messageSource)

Deprecated.

Specified by:

setMessageSource in interface MessageSourceAware

setAlwaysCreateSession

public final void setAlwaysCreateSession(boolean alwaysCreateSession)

Deprecated.

onSessionChange

protected void onSessionChange(String originalSessionId,
                   javax.servlet.http.HttpSession newSession,
                   Authentication auth)

Called when the session has been changed and the old attributes have been migrated to the new session. Only called if a session existed to start with. Allows subclasses to plug in additional behaviour. *

The default implementation of this method publishes a SessionFixationProtectionEvent to notify the application that the session ID has changed. If you override this method and still wish these events to be published, you should call super.onSessionChange() within your overriding method.

Parameters:

originalSessionId - the original session identifier

newSession - the newly created session

auth - the token for the newly authenticated principal

setApplicationEventPublisher

public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)

Sets the ApplicationEventPublisher to use for submitting SessionFixationProtectionEvent. The default is to not submit the SessionFixationProtectionEvent.

Specified by:

setApplicationEventPublisher in interface ApplicationEventPublisherAware

Parameters:

applicationEventPublisher - the ApplicationEventPublisher. Cannot be null.