Concurrent Sessions (Preventing Users from Logging in More Than Once)


Concurrent Sessions

Goal: to stop a user from holding more than one HTTP session at a time (multiple sessions associated with the same username). As a concrete example, suppose joe logs in. Now joe attempts to log in from a different machine (or even a different browser on the same machine). We wish to prevent the second login from succeeding. Spring Security's concurrent session control can also be configured the other way round (the new login succeeds and the older session is expired); the configuration below deliberately rejects the second login instead.

The steps outlined here use the legacy (explicit bean definition) Spring Security configuration method. The result is the same as the namespace-based configuration described in the Spring Security reference documentation; it just requires more XML.

  1. Add a listener to web.xml so that Spring Security is told when HTTP sessions are created and destroyed. Without this listener the session registry is never told that joe's session has timed out or been invalidated, so with the settings below joe could be refused a new login until the application is restarted.
    web.xml
    <listener>
      <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>
    
  2. Add new session registry bean to applicationContext-spring-security.xml.
    applicationContext-spring-security.xml
    <bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl" />
    
  3. Add new concurrent session filter bean to applicationContext-spring-security.xml.
    applicationContext-spring-security.xml
    <bean id="concurrentSessionFilter" class="org.springframework.security.concurrent.ConcurrentSessionFilter">
      <property name="sessionRegistry" ref="sessionRegistry" />
    </bean>
    
  4. Add new concurrent session controller bean to applicationContext-spring-security.xml.
    applicationContext-spring-security.xml
    <bean id="concurrentSessionController" 
        class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
      <property name="sessionRegistry" ref="sessionRegistry" />
      <property name="maximumSessions" value="1" />
      <property name="exceptionIfMaximumExceeded" value="true" />
    </bean>
    
  5. Add a concurrent session filter reference to the existing bean definition with id filterChainProxy. Add concurrentSessionFilter to the end (just before the end of the CDATA). Note that Spring Security's documented filter order places ConcurrentSessionFilter near the head of the chain, right after channel processing, so that an expired session is logged out before any other filter acts on its request. Putting it last, as here, still works because the filter does not pass an expired session's request further down the chain, but by then the request has already gone through the authentication and authorization filters.
    applicationContext-spring-security.xml
    <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
      <property name="filterInvocationDefinitionSource">
        <value>
          <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
           /**=securityContextHolderAwareRequestFilter,..omitted..,filterInvocationInterceptor,concurrentSessionFilter]]>
        </value>
      </property>
    </bean>
    
  6. Add concurrent session controller reference to existing bean definition with id authenticationManager. Insert an additional property element with ref attribute into the existing bean.
    applicationContext-spring-security.xml
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
      <property name="providers">
        <list>
          <!-- omitted -->
       </list>
      </property>
      <property name="sessionController" ref="concurrentSessionController" />
    </bean>
    
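The following is an added example, not code from the Pentaho page or from Spring Security itself. It wires the beans from steps 2 and 4 together in plain Java and drives them the way ProviderManager does, so you can see what maximumSessions=1 does with exceptionIfMaximumExceeded set to true (the page's choice: the second login is refused) versus false (the second login wins and the first session is marked expired, which ConcurrentSessionFilter from step 3 then turns into a logout on that session's next request). It assumes Spring Security 2.0.x and spring-test (MockHttpServletRequest/MockHttpSession) on the classpath; the principal is a plain String "joe" for brevity, whereas in a real deployment it is the UserDetails object returned by the authentication provider.

```java
// Added example (not from the Pentaho page or Spring Security): exercises the
// SessionRegistryImpl and ConcurrentSessionControllerImpl beans directly.
// Assumes Spring Security 2.0.x plus spring-test on the classpath.
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.Authentication;
import org.springframework.security.concurrent.ConcurrentLoginException;
import org.springframework.security.concurrent.ConcurrentSessionControllerImpl;
import org.springframework.security.concurrent.SessionRegistryImpl;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.ui.WebAuthenticationDetails;

public class ConcurrentSessionDemo {

    /** Builds the controller the same way the XML in step 4 does. */
    static ConcurrentSessionControllerImpl controller(SessionRegistryImpl registry,
                                                     boolean exceptionIfExceeded) {
        ConcurrentSessionControllerImpl c = new ConcurrentSessionControllerImpl();
        c.setSessionRegistry(registry);
        c.setMaximumSessions(1);
        c.setExceptionIfMaximumExceeded(exceptionIfExceeded);
        return c;
    }

    /**
     * Mimics what the authentication processing filter hands to ProviderManager: a
     * username/password token whose details carry the HTTP session id. That session id
     * is how the registry tells "joe from browser A" apart from "joe from browser B".
     * (String principal is a simplification; see the lead-in.)
     */
    static Authentication loginRequest(String user, String password, MockHttpSession session) {
        MockHttpServletRequest req = new MockHttpServletRequest();
        req.setSession(session);
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(user, password);
        token.setDetails(new WebAuthenticationDetails(req));
        return token;
    }

    /** The two calls ProviderManager makes around a successful provider authentication. */
    static void login(ConcurrentSessionControllerImpl c, Authentication auth) {
        c.checkAuthenticationAllowed(auth);       // throws ConcurrentLoginException if over the limit
        c.registerSuccessfulAuthentication(auth); // records sessionId -> principal in the registry
    }

    public static void main(String[] args) {
        MockHttpSession browserA = new MockHttpSession();
        MockHttpSession browserB = new MockHttpSession();

        // Case 1: exceptionIfMaximumExceeded=true (the page's configuration).
        // The second login is refused and the first session keeps working.
        SessionRegistryImpl registry = new SessionRegistryImpl();
        ConcurrentSessionControllerImpl strict = controller(registry, true);
        login(strict, loginRequest("joe", "password", browserA));
        try {
            login(strict, loginRequest("joe", "password", browserB));
            throw new IllegalStateException("second login should have been rejected");
        } catch (ConcurrentLoginException expected) {
            System.out.println("browser B rejected: " + expected.getMessage());
        }
        // Re-authenticating from the session that already holds the slot is still allowed.
        login(strict, loginRequest("joe", "password", browserA));
        System.out.println("browser A still active: "
                + !registry.getSessionInformation(browserA.getId()).isExpired());

        // Case 2: exceptionIfMaximumExceeded=false. The new login wins and the least
        // recently used session is marked expired; ConcurrentSessionFilter (step 3)
        // logs that session out on its next request.
        registry = new SessionRegistryImpl();
        ConcurrentSessionControllerImpl lenient = controller(registry, false);
        login(lenient, loginRequest("joe", "password", browserA));
        login(lenient, loginRequest("joe", "password", browserB)); // no exception this time
        System.out.println("browser A expired: "
                + registry.getSessionInformation(browserA.getId()).isExpired());
        System.out.println("browser B active:  "
                + !registry.getSessionInformation(browserB.getId()).isExpired());
    }
}
```

The registry only learns that a session is gone through removeSessionInformation, which in a deployed application is triggered by the HttpSessionEventPublisher listener from step 1 (on session destruction) or by ConcurrentSessionFilter when it evicts an expired session; that is why case 1 without the listener can leave joe locked out after a session timeout.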

Caveats

The Pentaho User Console (PUC) will not redirect to an error page if the concurrent session limit for a user is exceeded; instead you get a generic "Login Error" dialog. You can see the error page in action by using request parameter authentication (after logging in as joe on another machine): http://localhost:8080/pentaho/Home?userid=joe&password=password . Use this only for testing: credentials passed in the query string end up in browser history and in proxy and web server access logs.

References
