Package org.springframework.security.web.authentication.session

Class ConcurrentSessionControlAuthenticationStrategy

java.lang.Object
org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy
All Implemented Interfaces:
org.springframework.beans.factory.Aware, org.springframework.context.MessageSourceAware, SessionAuthenticationStrategy
public class ConcurrentSessionControlAuthenticationStrategy extends Object implements org.springframework.context.MessageSourceAware, SessionAuthenticationStrategy
Strategy which handles concurrent session-control.

When invoked following an authentication, it will check whether the user in question should be allowed to proceed, by comparing the number of sessions they already have active with the configured maximumSessions value. The SessionRegistry is used as the source of data on authenticated users and session data.

If a user has reached the maximum number of permitted sessions, the behaviour depends on the exceptionIfMaxExceeded property. The default behaviour is to expire any sessions that exceed the maximum number of permitted sessions, starting with the least recently used sessions. The expired sessions will be invalidated by the ConcurrentSessionFilter if accessed again. If exceptionIfMaxExceeded is set to true, however, the user will be prevented from starting a new authenticated session.

This strategy can be injected into both the SessionManagementFilter and instances of AbstractAuthenticationProcessingFilter (typically UsernamePasswordAuthenticationFilter), but is typically combined with RegisterSessionAuthenticationStrategy using CompositeSessionAuthenticationStrategy.

Since:
3.2
See Also:

  • Field Details

    • messages

      protected org.springframework.context.support.MessageSourceAccessor messages

  • Constructor Details

    • ConcurrentSessionControlAuthenticationStrategy

      public ConcurrentSessionControlAuthenticationStrategy(SessionRegistry sessionRegistry)
      Parameters:
      sessionRegistry - the session registry which should be updated when the authenticated session is changed.

  • Method Details

    • onAuthentication

      public void onAuthentication(Authentication authentication, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      In addition to the steps from the superclass, the sessionRegistry will be updated with the new session information.
      Specified by:
      onAuthentication in interface SessionAuthenticationStrategy

    • getMaximumSessionsForThisUser

      protected int getMaximumSessionsForThisUser(Authentication authentication)
      Method intended for use by subclasses to override the maximum number of sessions that are permitted for a particular authentication. The default implementation simply returns the maximumSessions value for the bean.
      Parameters:
      authentication - to determine the maximum sessions for
      Returns:
      either -1 meaning unlimited, or a positive integer to limit (never zero)

    • allowableSessionsExceeded

      protected void allowableSessionsExceeded(List<SessionInformation> sessions, int allowableSessions, SessionRegistry registry) throws SessionAuthenticationException
      Allows subclasses to customise behaviour when too many sessions are detected.
      Parameters:
      sessions - either null or all unexpired sessions associated with the principal
      allowableSessions - the number of concurrent sessions the user is allowed to have
      registry - an instance of the SessionRegistry for subclass use
      Throws:
      SessionAuthenticationException

    • setExceptionIfMaximumExceeded

      public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded)
      Sets the exceptionIfMaximumExceeded property, which determines whether the user should be prevented from opening more sessions than allowed. If set to true, a SessionAuthenticationException will be raised which means the user authenticating will be prevented from authenticating. if set to false, the user that has already authenticated will be forcibly logged out.
      Parameters:
      exceptionIfMaximumExceeded - defaults to false.

    • setMaximumSessions

      public void setMaximumSessions(int maximumSessions)
      Sets the maxSessions property. The default value is 1. Use -1 for unlimited sessions.
      Parameters:
      maximumSessions - the maximimum number of permitted sessions a user can have open simultaneously.

    • setMessageSource

      public void setMessageSource(org.springframework.context.MessageSource messageSource)
      Sets the MessageSource used for reporting errors back to the user when the user has exceeded the maximum number of authentications.
      Specified by:
      setMessageSource in interface org.springframework.context.MessageSourceAware