Max Concurrent sessions doesn't apply to same browser

Question

i have configured max sessions to be 1 and set error-if-maximum-exceeded=true i noticed two issues:

1- session-authentication-error-url doesn't work if there's authentication-failure-handler-ref configured, the authentication-failure-handler-ref takes precedence and then you will have to handle SessionAuthenticationException there and make needed logic.

2- if i have open session in chrome and try to login in firefox i get the SessionAuthenticationException but if i tried to login again in chrome (which already has an open session) i get login successful and doesn't get the SessionAuthenticationException should i prevent the user from seeing login page if he's already authenticated ? if that's correct, please advise how to do that.

i usually check for authenticated user as follows:

if(!SecurityContextHolder.getContext().getAuthentication().getPrincipal().equals("anonymousUser")){
  // logged in user
}

here's my current configuration:

1- web.xml:

    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
       <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
       </filter-class>
    </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>

  <listener>
      <listener-class>
      org.springframework.security.web.session.HttpSessionEventPublisher
      </listener-class>
  </listener>

2- applicationSecurity.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:p="http://www.springframework.org/schema/p" 
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <constructor-arg value="256"/>
    </bean>

    <bean id="saltSource"
        class="org.springframework.security.authentication.dao.ReflectionSaltSource">
        <property name="userPropertyToUse" value="username" />
    </bean>

    <bean id="customUserDetailsService"
        class="com.myapp.faces.web.services.CustomUserDetailsService" />

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="customUserDetailsService">
            <security:password-encoder ref="passwordEncoder">
                <security:salt-source ref="saltSource" />
            </security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="loginSuccessHandler" class="com.myapp.faces.web.services.LoginSuccessHandler">
       <property name="defaultTargetUrl" value="/dashboard"/>
    </bean>

    <bean id="loginFailureHandler" class="com.myapp.faces.web.services.LoginFailureHandler" />

    <security:http use-expressions="true"  auto-config="true" >


        <security:intercept-url pattern="/j_spring_security_check" access="permitAll" />

        <security:intercept-url pattern="/faces/javax.faces.resource/**" access="permitAll"/>
        <security:intercept-url pattern="/xmlhttp/**" access="permitAll" />
        <security:intercept-url pattern="/resources/**" access="permitAll" />

        <security:intercept-url pattern="**/faces/javax.faces.resource/**" access="permitAll" />
        <security:intercept-url pattern="**/xmlhttp/**" access="permitAll" />
        <security:intercept-url pattern="**/resources/**" access="permitAll" />

        <security:intercept-url pattern="/login" access="permitAll"/>       

        <security:intercept-url pattern="/**" access="isAuthenticated()" />     


        <security:form-login                
            login-processing-url="/j_spring_security_check"         
            login-page="/login"
            authentication-failure-handler-ref="loginFailureHandler"
            authentication-success-handler-ref="loginSuccessHandler" />

        <security:logout  />

        <security:session-management session-authentication-error-url="/login?error=3">
          <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </security:session-management>

    </security:http>

</beans>

score 1 · Accepted Answer · edited May 23 '17 at 11:43

I personally do it this way.

    @RequestMapping(method=RequestMethod.GET)
    public String login(Authentication authentication)
    {
        if((authentication != null) && authentication.isAuthenticated())
        {
            return "redirect:dashboard";
        }
        return viewResolver.getView(ViewConstants.LOGIN_PAGE);
    }

The method above is used for requesting the login page.

I don't think there is a way to do it using only configuration though. I may be wrong.

EDIT :

Check this link

Max Concurrent sessions doesn't apply to same browser

1 Answers1