Concurrent session control classes never invoked


This is using Spring Security 4.0 RELEASE and Spring Security CAS.

I'm setting up session concurrency management using Java Config:

http
  .sessionManagement()
    .maximumSessions(1)                 // at most one active session per principal
    .maxSessionsPreventsLogin(false)    // a new login expires the older session instead of being refused
    .expiredUrl("/tooManySessions")     // where a request on an expired session is redirected
    .and()   // back to SessionManagementConfigurer
  .and();    // back to HttpSecurity

HttpSessionEventPublisher is enabled in a WebApplicationInitializer, and I can confirm it is working, as I'm using it for other things too that are working:

@Override
protected void registerDispatcherServlet(ServletContext servletContext) {
    super.registerDispatcherServlet(servletContext);

    // to handle session creation and destruction events
    servletContext.addListener(new HttpSessionEventPublisher());
}

However, at runtime it looks like the code is never called.

Note that I'm using Spring Security CAS. Could this impact session concurrency management?


user180940

Turns out that to get Session Management working with CAS when using Java Config (don't know about XML config) you need to make sure you explicitly set the SessionAuthenticationStrategy(s) on CasAuthenticationFilter.

I solved this by using an ObjectPostProcessor on CsrfFilter (doing it in the session management setup would not get the CSRF-specific SessionAuthenticationStrategy):

// Inside configure(HttpSecurity http). The anonymous class below needs a final
// reference to the builder, hence the alias.
final HttpSecurity httpFinal = http;
final CasAuthenticationFilter casAuthenticationFilter = casAuthenticationFilter();

http
        .csrf()
            .withObjectPostProcessor(new ObjectPostProcessor<CsrfFilter>() {
                @Override
                public <O extends CsrfFilter> O postProcess(O csrfFilter) {
                    // By the time CsrfFilter is post-processed, the shared strategy is the
                    // composite that already contains the CSRF-specific strategy.
                    // getSharedObject() throws nothing checked, so no try/catch is needed;
                    // the original catch-all also swallowed the IllegalStateException below
                    // and rethrew it with a misleading message.
                    final SessionAuthenticationStrategy sessionAuthenticationStrategy =
                            httpFinal.getSharedObject(SessionAuthenticationStrategy.class);
                    // null fails the instanceof test as well
                    if (!(sessionAuthenticationStrategy instanceof CompositeSessionAuthenticationStrategy)) {
                        throw new IllegalStateException("Cannot get CompositeSessionAuthenticationStrategy");
                    }
                    casAuthenticationFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);
                    return csrfFilter;
                }
            });
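A complete Java Config class putting the answer's post-processor together with the CAS filter, provider and entry point it needs, as an added example that is not part of the question or the answer above. The CAS server URL, the application's service URL, the provider key and the inline AuthenticationUserDetailsService (which simply grants ROLE_USER to whatever principal the CAS assertion names) are all assumed placeholders; the HttpSessionEventPublisher registration from the question is still required alongside this class.

```java
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CsrfFilter;

@Configuration
@EnableWebSecurity
public class CasSessionConfig extends WebSecurityConfigurerAdapter {

    // Assumed placeholder URLs; replace with the real CAS server and application URLs.
    private static final String CAS_SERVER = "https://cas.example.org/cas";
    private static final String APP_SERVICE = "https://app.example.org/login/cas";

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties sp = new ServiceProperties();
        sp.setService(APP_SERVICE);   // the URL CAS redirects back to with the ticket
        sp.setSendRenew(false);
        return sp;
    }

    @Bean
    public CasAuthenticationEntryPoint casEntryPoint() {
        CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();
        ep.setLoginUrl(CAS_SERVER + "/login");
        ep.setServiceProperties(serviceProperties());
        return ep;
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider p = new CasAuthenticationProvider();
        p.setServiceProperties(serviceProperties());
        p.setTicketValidator(new Cas20ServiceTicketValidator(CAS_SERVER));
        p.setKey("cas-provider-key"); // assumed value; must be unique per provider
        // Assumed user lookup: grants ROLE_USER to the principal named in the CAS assertion.
        p.setAuthenticationUserDetailsService(
                new AuthenticationUserDetailsService<CasAssertionAuthenticationToken>() {
                    @Override
                    public UserDetails loadUserDetails(CasAssertionAuthenticationToken token) {
                        return new User(token.getName(), "",
                                AuthorityUtils.createAuthorityList("ROLE_USER"));
                    }
                });
        return p;
    }

    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter f = new CasAuthenticationFilter(); // processes /login/cas by default
        f.setAuthenticationManager(authenticationManager());
        return f;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(casAuthenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        final CasAuthenticationFilter casFilter = casAuthenticationFilter();
        final HttpSecurity httpFinal = http;

        http
            .addFilter(casFilter)
            .exceptionHandling().authenticationEntryPoint(casEntryPoint()).and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/tooManySessions")
                .and().and()
            .csrf()
                // Hand the manually created CAS filter the composite strategy (concurrency
                // control plus the CSRF strategy) once the CSRF configurer has contributed to it.
                .withObjectPostProcessor(new ObjectPostProcessor<CsrfFilter>() {
                    @Override
                    public <O extends CsrfFilter> O postProcess(O csrfFilter) {
                        SessionAuthenticationStrategy strategy =
                                httpFinal.getSharedObject(SessionAuthenticationStrategy.class);
                        if (!(strategy instanceof CompositeSessionAuthenticationStrategy)) {
                            throw new IllegalStateException("No CompositeSessionAuthenticationStrategy shared");
                        }
                        casFilter.setSessionAuthenticationStrategy(strategy);
                        return csrfFilter;
                    }
                }).and()
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

To check that the strategy is actually applied, log in as the same CAS principal from two browsers: the first browser's next request should be redirected to /tooManySessions, and a debug log on ConcurrentSessionControlAuthenticationStrategy should show it being invoked during the CAS ticket validation request rather than never.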