Goal: To restrict users from logging in more than once (having multiple HTTP sessions associated with the same username). As a concrete example, consider that joe logs in. Now consider that joe attempts to log in from a different machine (or even a different browser within the same machine). We wish to prevent the second login from succeeding.
The steps outlined here use the legacy Spring Security configuration method. (It's the same result as given in the reference below--it just requires more XML.)
- Add filter to web.xml which will keep Spring Security informed about sessions.
- Add new session registry bean to applicationContext-spring-security.xml.
- Add new concurrent session filter bean to applicationContext-spring-security.xml.
- Add new concurrent session controller bean to applicationContext-spring-security.xml.
- Add concurrent session filter reference to existing bean definition with id filterChainProxy. Add concurrentSessionFilter to the end (just before the end of the CDATA).
- Add concurrent session controller reference to existing bean definition with id authenticationManager. Insert an additional property element with ref attribute into the existing bean.
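The steps above as configuration fragments, assuming the Spring Security 2.0.x class names (package org.springframework.security); this is an added example, not the XML from the original page. The bean ids sessionRegistry and concurrentSessionController, the expiredUrl value and the ProviderManager class on authenticationManager are assumptions, and the existing filter list is elided rather than reproduced.

```xml
<!-- web.xml: registered as a listener; publishes session create/destroy events to Spring Security -->
<listener>
  <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- applicationContext-spring-security.xml: new session registry bean (id is an assumption) -->
<bean id="sessionRegistry"
      class="org.springframework.security.concurrent.SessionRegistryImpl" />

<!-- new concurrent session filter bean -->
<bean id="concurrentSessionFilter"
      class="org.springframework.security.concurrent.ConcurrentSessionFilter">
  <property name="sessionRegistry" ref="sessionRegistry" />
  <!-- placeholder path, not taken from the page -->
  <property name="expiredUrl" value="/PLACEHOLDER-session-expired-page" />
</bean>

<!-- new concurrent session controller bean (id is an assumption) -->
<bean id="concurrentSessionController"
      class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
  <property name="sessionRegistry" ref="sessionRegistry" />
  <property name="maximumSessions" value="1" />
  <!-- true rejects the second login; the default (false) expires the earlier session instead -->
  <property name="exceptionIfMaximumExceeded" value="true" />
</bean>

<!-- existing bean filterChainProxy: append the filter name to the end of the existing list -->
<!--   /**=...existing filters...,concurrentSessionFilter]]> -->

<!-- existing bean authenticationManager: add the sessionController property, keep the rest -->
<bean id="authenticationManager"
      class="org.springframework.security.providers.ProviderManager"> <!-- class is an assumption -->
  <!-- ...existing properties unchanged... -->
  <property name="sessionController" ref="concurrentSessionController" />
</bean>
```

The exceptionIfMaximumExceeded setting is what makes joe's second login fail; without it the controller admits the second login and marks the first session as expired.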
The Pentaho User Console (PUC) will not redirect to an error page if the concurrent session limit for a user is exceeded. Therefore, you will get a generic "Login Error" dialog instead of being redirected to an error page. However, you can see the error page in action by using request parameter authentication (after logging in as joe on another machine): http://localhost:8080/pentaho/Home?userid=joe&password=password