public class ConcurrentSessionControlAuthenticationStrategy extends java.lang.Object implements org.springframework.context.MessageSourceAware, SessionAuthenticationStrategy
When invoked following an authentication, it will check whether the user in question
should be allowed to proceed, by comparing the number of sessions they already have
active with the configured maximumSessions value. The SessionRegistry
is used as the source of data on authenticated users and session data.
If a user has reached the maximum number of permitted sessions, the behaviour depends
on the exceptionIfMaxExceeded property. The default behaviour is to expire
any sessions that exceed the maximum number of permitted sessions, starting with the
least recently used sessions. The expired sessions will be invalidated by the
ConcurrentSessionFilter
if accessed again. If exceptionIfMaxExceeded
is set to true, however, the user will be prevented from starting a new
authenticated session.
This strategy can be injected into both the SessionManagementFilter
and
instances of AbstractAuthenticationProcessingFilter
(typically
UsernamePasswordAuthenticationFilter
), but is typically combined with
RegisterSessionAuthenticationStrategy
using
CompositeSessionAuthenticationStrategy
.
CompositeSessionAuthenticationStrategy
Modifier and Type | Field and Description |
---|---|
protected org.springframework.context.support.MessageSourceAccessor |
messages |
Constructor and Description |
---|
ConcurrentSessionControlAuthenticationStrategy(SessionRegistry sessionRegistry) |
Modifier and Type | Method and Description |
---|---|
protected void |
allowableSessionsExceeded(java.util.List<SessionInformation> sessions,
int allowableSessions,
SessionRegistry registry)
Allows subclasses to customise behaviour when too many sessions are detected.
|
protected int |
getMaximumSessionsForThisUser(Authentication authentication)
Method intended for use by subclasses to override the maximum number of sessions
that are permitted for a particular authentication.
|
void |
onAuthentication(Authentication authentication,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
In addition to the steps from the superclass, the sessionRegistry will be updated
with the new session information.
|
void |
setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded)
Sets the exceptionIfMaximumExceeded property, which determines whether the
user should be prevented from opening more sessions than allowed.
|
void |
setMaximumSessions(int maximumSessions)
Sets the maxSessions property.
|
void |
setMessageSource(org.springframework.context.MessageSource messageSource)
Sets the
MessageSource used for reporting errors back to the user when the
user has exceeded the maximum number of authentications. |
public ConcurrentSessionControlAuthenticationStrategy(SessionRegistry sessionRegistry)
sessionRegistry
- the session registry which should be updated when the
authenticated session is changed.public void onAuthentication(Authentication authentication, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
onAuthentication
in interface SessionAuthenticationStrategy
protected int getMaximumSessionsForThisUser(Authentication authentication)
maximumSessions
value for the bean.authentication
- to determine the maximum sessions forprotected void allowableSessionsExceeded(java.util.List<SessionInformation> sessions, int allowableSessions, SessionRegistry registry) throws SessionAuthenticationException
sessions
- either null
or all unexpired sessions associated with
the principalallowableSessions
- the number of concurrent sessions the user is allowed to
haveregistry
- an instance of the SessionRegistry
for subclass useSessionAuthenticationException
public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded)
exceptionIfMaximumExceeded
- defaults to false.public void setMaximumSessions(int maximumSessions)
maximumSessions
- the maximimum number of permitted sessions a user can have
open simultaneously.public void setMessageSource(org.springframework.context.MessageSource messageSource)
MessageSource
used for reporting errors back to the user when the
user has exceeded the maximum number of authentications.setMessageSource
in interface org.springframework.context.MessageSourceAware