
I have declared the following functions in an open source core banking solution based on Spring boot (Fineract) to limit the number of concurrent sessions per user to 1. My WebSecurity.java file is as follows:

import org.springframework.beans.factory.annotation.Autowired;
// Spring Boot 1.4+; on older Boot the class lives in org.springframework.boot.context.embedded
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry());
    }

    // Work around https://jira.spring.io/browse/SEC-2855
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // In-memory test user
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("mifos").password("password").roles("USER");
    }

    // Register HttpSessionEventPublisher
    @Bean
    public static ServletListenerRegistrationBean httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
    }

}
The SecurityWebApplicationInitializer.java is as follows:

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {

    // Not an @Override: AbstractSecurityWebApplicationInitializer declares no
    // getRootConfigClasses(), so this method is never called by the framework.
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { WebSecurityConfig.class };
    }
}

However, I am still able to log into the system with multiple private browser windows open. My assumption is that the problem is either with the SpringSecurityFilterChain not being registered with the WAR, or with the way I am chaining the functions of the HttpSecurity object. Since I did not declare a customized login form or define any expired URL pages, I had to edit the steps shown in the following link: https://github.com/spring-projects/spring-boot/issues/1537 . Any leads on how to diagnose this issue? Thanks in advance.

Usman Khaliq
  • How are you testing this? Opening a new browser window with CTRL+N isn't a new browser. You need a separate browser instance not only a browser window – M. Deinum May 11 '17 at 11:35
  • @M.Deinum does a private browser window constitute a new session? Cuz I tried with that. I am going to test it by logging into the external IP of my machine from another system and check it then. – Usman Khaliq May 11 '17 at 12:16
  • No not really as that still copies the information (if it opened from another private session). Try with 2 individual browsers. – M. Deinum May 11 '17 at 12:25
  • @M.Deinum so I've tried with a simultaneous instance of Firefox and Chrome on my computer, and I can still access the web app. – Usman Khaliq May 11 '17 at 22:23
  • You are using Spring Boot so your `SecurityWebApplicationInitializer` isn't doing anything. Next to that your security rules are weird, you allow anything to be accessed (the `/**` matches everything). Next your `ServletListenerRegistrationBean` shouldn't be static. – M. Deinum May 12 '17 at 05:42
  • @M.Deinum thanks for the pointers. I saw this example from the following link: https://github.com/spring-projects/spring-boot/issues/1537 . The reason why I added the /** pattern was because I wanted the sessionManagement to be triggered across the application. Could you kindly point me towards resources where I can learn more about the substitute for SecurityWebApplicationInitializer in Spring boot, and the changes to be made to ServletListenerRegistrationBean? Thanks. – Usman Khaliq May 12 '17 at 12:50
  • The session management will be triggered for any URL anyway. No need to do anything additional. You don't need a `SecurityWebApplicationInitializer` with Spring Boot. – M. Deinum May 12 '17 at 13:35
  • Noted, I shall get rid of the SecurityWebApplicationInitializer, review the code and give it a go. Also, do I need to use Redis for persistence of the sessions? – Usman Khaliq May 12 '17 at 17:10

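Added example (not part of the question, and not Fineract's code): a Spring Boot configuration under which `maximumSessions(1)` is actually enforced, plus a small diagnostic endpoint for checking whether the `SessionRegistry` is being populated at all. Concurrent session control only fires when Spring Security authenticates a user inside its own filter chain and records the resulting `HttpSession` in the registry; the configuration in the question permits every URL and configures no login mechanism (`formLogin()` or `httpBasic()`), so nothing in that chain ever authenticates anyone and the registry stays empty. The package, class names, the `/diagnostics/sessions` path, the `OPS` role and the two in-memory users are assumptions made for this demo; it targets Spring Boot 1.5 / Spring Security 4.2 and assumes the package is covered by the application's component scan.

```java
// Added demo, not from the question or Fineract. Package, class names, users,
// the OPS role and the /diagnostics path are assumptions chosen for the example.
package com.example.sessiondemo;

import java.util.HashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SingleSessionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Only the OPS role may inspect the registry; everything else must be
                // authenticated. No permitAll("/**"): a request that is never
                // authenticated never yields a session for the registry to count.
                .antMatchers("/diagnostics/**").hasRole("OPS")
                .anyRequest().authenticated()
                .and()
            // Form login runs through AbstractAuthenticationProcessingFilter, which
            // applies the ConcurrentSessionControlAuthenticationStrategy on each login.
            .formLogin()
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true) // reject the 2nd login rather than expiring the 1st
                .sessionRegistry(sessionRegistry());
    }

    // One shared registry: the concurrency strategy and the session-destroyed
    // listener must use the same instance, otherwise logged-out sessions are
    // never removed and users lock themselves out (SEC-2855).
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Publishes HttpSessionDestroyedEvent so the registry drops sessions that
    // time out or are invalidated on logout.
    @Bean
    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }

    // Constructed demo users. Spring Security 4.x accepts plain passwords here;
    // 5.x requires the "{noop}" prefix or a real PasswordEncoder.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("mifos").password("password").roles("USER")
            .and()
            .withUser("ops").password("password").roles("OPS");
    }
}

// GET /diagnostics/sessions returns active (non-expired) sessions per user.
// If the map stays empty after people have logged in, the registry is not being
// fed: the login path bypasses this filter chain, or no HttpSession is ever
// created (e.g. stateless HTTP Basic), so maximumSessions(1) has nothing to enforce.
@RestController
class SessionDiagnosticsController {

    private final SessionRegistry registry;

    @Autowired
    public SessionDiagnosticsController(SessionRegistry registry) {
        this.registry = registry;
    }

    @GetMapping("/diagnostics/sessions")
    public Map<String, Integer> activeSessionsPerUser() {
        Map<String, Integer> counts = new HashMap<>();
        for (Object principal : registry.getAllPrincipals()) {
            String name = principal instanceof UserDetails
                    ? ((UserDetails) principal).getUsername()
                    : principal.toString();
            // false = exclude sessions already marked as expired
            counts.merge(name, registry.getAllSessions(principal, false).size(), Integer::sum);
        }
        return counts;
    }
}
```

To check the setting, log in as `mifos` from one browser, then from a second, separate browser (not a new window or private window of the same browser); with `maxSessionsPreventsLogin(true)` the second login is refused, and `/diagnostics/sessions` fetched as `ops` should report exactly one session for `mifos`. If the second login still succeeds but the endpoint shows nothing for that user, the login did not go through Spring Security's filter chain, which is the case to investigate first.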
0 Answers