
I need to use the Concurrent Session Control features of Spring Security. I need to invalidate the previous session of the logged-in user (single user sign-in). I do not need the authentication and authorization features, since they are already implemented by the application using a Servlet (Filter) which calls the service layer, which calls the DAO layer (Hibernate).

Please guide me how to implement Concurrent Session Control without authentication and authorization.

Thanks, balachandar

Gajanan Kulkarni
user1346346
  • This is not concurrent session control. CSC is when an authenticated user has two current sessions in the application (because of using two browsers or computers). When do you exactly want to invalidate current user session? – sinuhepop Apr 20 '12 at 12:08
  • Since authentication is done in our app, I tried to use Spring Security just for CSC. As per the answers below, I understand that we need to use Spring authentication to get CSC. – user1346346 Apr 23 '12 at 06:55

2 Answers


One option (hack) would be to use Spring's pre-authentication feature, i.e. you would perform your authentication in your filter and set an attribute on the request object which is the username. The request would then be passed down to Spring Security, where the concurrent session control feature could be enabled.

But really the best option would be to implement concurrent session control in your filter. You could even "borrow" some code from the spring source.

Nick Shaw

Short answer: you can't unless you refactor your application to use spring-security fully.

Slightly longer answer: you can "fake" a Java EE container login (pre-authenticated). That would entail specifying a login filter derived from AbstractPreAuthenticatedProcessingFilter in your Spring Security http configuration. For instance, you could wrap your request in your filter and add header values and use the RequestHeaderAuthenticationFilter, or you could write your own that pulls the principal from a request attribute you set on the request in your own login filter. Combine with a PreAuthenticatedAuthenticationProvider.

Slightly longer answer #2: you could use an allow-all kind of setup where you configure spring-security with session concurrency as usual but set the access to permitAll for all URLs (i.e. <intercept-url pattern="/*" access="permitAll" />). You would, however, have to implement essentially what the ConcurrentSessionControlStrategy does in your own login logic, to get the sessions registered into the Spring Security SessionRegistry. You will most likely run into any number of other snags along the way as well.

Note however that since spring-security works on the basis of a servlet filter (not a servlet like Spring MVC), you will need to refactor your own login as a filter and place it before the spring security filter in the chain, if you are to go with some combination of your own auth logic and spring security.

My advice: if you want to leverage spring-security for concurrent session control, you should really go all the way and build your auth on top of spring-security instead of some custom servlet. Don't fight the framework, use it as intended. Or, don't use it at all.

Arjan Tijms
pap
  • Thank you for the answer. As per the advice, I will use Spring Security for auth. I follow this link to implement http://stackoverflow.com/questions/2683308/spring-security-3-database-authentication-with-hibernate since our app is developed using (struts+spring+hibernate).... Please let me know if I should follow some other approach to implement this. Thanks – user1346346 Apr 23 '12 at 07:01
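Wiring up pap's first option (a pre-authentication filter feeding Spring Security's concurrent session control), as an added example that is not from the question or either answer. It assumes Spring Security's Java configuration (3.2 up to 5.x, where WebSecurityConfigurerAdapter exists), Java 8, and that the application's existing login filter stores the verified username in the request attribute `app.authenticatedUser` (an assumed name).

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.session.HttpSessionEventPublisher;

/** Pre-auth filter: trusts a request attribute that the application's own login filter set earlier in the chain. */
class AttributePreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String USER_ATTR = "app.authenticatedUser"; // assumed name; set by the existing login filter at login

    @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest req) {
        return req.getAttribute(USER_ATTR); // null: nothing to authenticate, the chain simply continues
    }
    @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest req) {
        return "N/A"; // the password was already verified by the application
    }
}

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean public HttpSessionEventPublisher sessionEventPublisher() {
        return new HttpSessionEventPublisher(); // tells the SessionRegistry about sessions that time out or are invalidated
    }
    @Override protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // Wrap the trusted username in a UserDetails; roles could instead be loaded from the application's DAO layer.
        provider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
                username -> new User(username, "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"))));
        auth.authenticationProvider(provider);
    }
    @Override protected void configure(HttpSecurity http) throws Exception {
        AttributePreAuthFilter preAuth = new AttributePreAuthFilter();
        preAuth.setAuthenticationManager(authenticationManager());
        http.addFilter(preAuth)                                  // slots in at the PRE_AUTH_FILTER position
            .authorizeRequests().anyRequest().permitAll().and()  // authorization stays in the application
            .sessionManagement()
                .maximumSessions(1)                // one session per user ...
                .maxSessionsPreventsLogin(false)   // ... the newest login wins and the older session is expired
                .expiredUrl("/login?expired");     // where the expired session's next request is sent
    }
}
```

The application's login filter must be mapped before springSecurityFilterChain in web.xml and set USER_ATTR on the request that completes a login, and its logout must invalidate the HttpSession so the registry drops it. This configuration leaves CSRF protection at its default (enabled), so the existing forms need to carry the CSRF token or their POSTs will be rejected.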