Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-03-03 20:09:18 +00:00
Code Issues Packages Projects Releases Wiki Activity
spring-security/docs/modules/ROOT/pages/reactive/authentication/concurrent-sessions-control.adoc

465 lines
15 KiB
Plaintext
Raw Normal View History

Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
[[reactive-concurrent-sessions-control]]
= Concurrent Sessions Control
Similar to xref:servlet/authentication/session-management.adoc#ns-concurrent-sessions[Servlet's Concurrent Sessions Control], Spring Security also provides support to limit the number of concurrent sessions a user can have in a Reactive application.
When you set up Concurrent Sessions Control in Spring Security, it monitors authentications carried out through Form Login, xref:reactive/oauth2/login/index.adoc[OAuth 2.0 Login], and HTTP Basic authentication by hooking into the way those authentication mechanisms handle authentication success.
More specifically, the session management DSL will add the {security-api-url}org/springframework/security/web/server/authentication/ConcurrentSessionControlServerAuthenticationSuccessHandler.html[ConcurrentSessionControlServerAuthenticationSuccessHandler] and the {security-api-url}org/springframework/security/web/server/authentication/RegisterSessionServerAuthenticationSuccessHandler.html[RegisterSessionServerAuthenticationSuccessHandler] to the list of `ServerAuthenticationSuccessHandler` used by the authentication filter.
The following sections contains examples of how to configure Concurrent Sessions Control.
* <<reactive-concurrent-sessions-control-limit,I want to limit the number of concurrent sessions a user can have>>
* <<concurrent-sessions-control-custom-strategy,I want to customize the strategy used when the maximum number of sessions is exceeded>>
* <<reactive-concurrent-sessions-control-specify-session-registry,I want to know how to specify a `ReactiveSessionRegistry`>>
* <<concurrent-sessions-control-sample,I want to see a sample application that uses Concurrent Sessions Control>>
* <<disabling-for-authentication-filters,I want to know how to disable it for some authentication filter>>
[[reactive-concurrent-sessions-control-limit]]
== Limiting Concurrent Sessions
By default, Spring Security will allow any number of concurrent sessions for a user.
To limit the number of concurrent sessions, you can use the `maximumSessions` DSL method:
.Configuring one session for any user
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
http
// ...
.sessionManagement((sessions) -> sessions
.concurrentSessions((concurrency) -> concurrency
.maximumSessions(SessionLimit.of(1))
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
)
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
);
return http.build();
}
@Bean
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
ReactiveSessionRegistry reactiveSessionRegistry() {
return new InMemoryReactiveSessionRegistry();
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
sessionManagement {
sessionConcurrency {
maximumSessions = SessionLimit.of(1)
}
}
}
}
@Bean
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
open fun reactiveSessionRegistry(): ReactiveSessionRegistry {
return InMemoryReactiveSessionRegistry()
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
----
======
The above configuration allows one session for any user.
Similarly, you can also allow unlimited sessions by using the `SessionLimit#UNLIMITED` constant:
.Configuring unlimited sessions
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
http
// ...
.sessionManagement((sessions) -> sessions
.concurrentSessions((concurrency) -> concurrency
.maximumSessions(SessionLimit.UNLIMITED))
);
return http.build();
}
@Bean
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
ReactiveSessionRegistry reactiveSessionRegistry() {
return new InMemoryReactiveSessionRegistry();
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
sessionManagement {
sessionConcurrency {
maximumSessions = SessionLimit.UNLIMITED
}
}
}
}
@Bean
open fun reactiveSessionRegistry(webSessionManager: WebSessionManager): ReactiveSessionRegistry {
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
return InMemoryReactiveSessionRegistry()
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
----
======
Since the `maximumSessions` method accepts a `SessionLimit` interface, which in turn extends `Function<Authentication, Mono<Integer>>`, you can have a more complex logic to determine the maximum number of sessions based on the user's authentication:
.Configuring maximumSessions based on `Authentication`
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
http
// ...
.sessionManagement((sessions) -> sessions
.concurrentSessions((concurrency) -> concurrency
.maximumSessions(maxSessions()))
);
return http.build();
}
private SessionLimit maxSessions() {
return (authentication) -> {
if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_UNLIMITED_SESSIONS"))) {
return Mono.empty(); // allow unlimited sessions for users with ROLE_UNLIMITED_SESSIONS
}
if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN"))) {
return Mono.just(2); // allow two sessions for admins
}
return Mono.just(1); // allow one session for every other user
};
}
@Bean
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
ReactiveSessionRegistry reactiveSessionRegistry() {
return new InMemoryReactiveSessionRegistry();
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
sessionManagement {
sessionConcurrency {
maximumSessions = maxSessions()
}
}
}
}
fun maxSessions(): SessionLimit {
return { authentication ->
if (authentication.authorities.contains(SimpleGrantedAuthority("ROLE_UNLIMITED_SESSIONS"))) Mono.empty
if (authentication.authorities.contains(SimpleGrantedAuthority("ROLE_ADMIN"))) Mono.just(2)
Mono.just(1)
}
}
@Bean
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
open fun reactiveSessionRegistry(): ReactiveSessionRegistry {
return InMemoryReactiveSessionRegistry()
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
----
======
When the maximum number of sessions is exceeded, by default, the least recently used session(s) will be expired.
If you want to change that behavior, you can <<concurrent-sessions-control-custom-strategy,customize the strategy used when the maximum number of sessions is exceeded>>.
Clarify the behavior of Concurrent Session Management when an IdP is involved Closes gh-15071
2024-06-05 13:59:24 -03:00
[IMPORTANT]
====
The Concurrent Session Management is not aware if there is another session in some Identity Provider that you might use via xref:reactive/oauth2/login/index.adoc[OAuth 2 Login] for example.
If you also need to invalidate the session against the Identity Provider you must <<concurrent-sessions-control-custom-strategy,include your own implementation of `ServerMaximumSessionsExceededHandler`>>.
====
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
[[concurrent-sessions-control-custom-strategy]]
== Handling Maximum Number of Sessions Exceeded
By default, when the maximum number of sessions is exceeded, the least recently used session(s) will be expired by using the {security-api-url}org/springframework/security/web/server/authentication/session/InvalidateLeastUsedMaximumSessionsExceededHandler.html[InvalidateLeastUsedMaximumSessionsExceededHandler].
Spring Security also provides another implementation that prevents the user from creating new sessions by using the {security-api-url}org/springframework/security/web/server/authentication/session/PreventLoginMaximumSessionsExceededHandler.html[PreventLoginMaximumSessionsExceededHandler].
If you want to use your own strategy, you can provide a different implementation of {security-api-url}org/springframework/security/web/server/authentication/session/ServerMaximumSessionsExceededHandler.html[ServerMaximumSessionsExceededHandler].
.Configuring maximumSessionsExceededHandler
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
Revert "Update max sessions docs" This reverts commit c86fd99c8fb9098eb2818144d7fb17bfe1ddfb61.
2024-02-28 08:30:05 -03:00
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
http
// ...
.sessionManagement((sessions) -> sessions
.concurrentSessions((concurrency) -> concurrency
.maximumSessions(SessionLimit.of(1))
Revert "Update max sessions docs" This reverts commit c86fd99c8fb9098eb2818144d7fb17bfe1ddfb61.
2024-02-28 08:30:05 -03:00
.maximumSessionsExceededHandler(new PreventLoginMaximumSessionsExceededHandler())
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
)
);
return http.build();
}
@Bean
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
ReactiveSessionRegistry reactiveSessionRegistry() {
return new InMemoryReactiveSessionRegistry();
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
Revert "Update max sessions docs" This reverts commit c86fd99c8fb9098eb2818144d7fb17bfe1ddfb61.
2024-02-28 08:30:05 -03:00
open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
return http {
// ...
sessionManagement {
sessionConcurrency {
maximumSessions = SessionLimit.of(1)
Revert "Update max sessions docs" This reverts commit c86fd99c8fb9098eb2818144d7fb17bfe1ddfb61.
2024-02-28 08:30:05 -03:00
maximumSessionsExceededHandler = PreventLoginMaximumSessionsExceededHandler()
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
}
}
}
@Bean
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
open fun reactiveSessionRegistry(): ReactiveSessionRegistry {
return InMemoryReactiveSessionRegistry()
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
----
======
[[reactive-concurrent-sessions-control-specify-session-registry]]
== Specifying a `ReactiveSessionRegistry`
In order to keep track of the user's sessions, Spring Security uses a {security-api-url}org/springframework/security/core/session/ReactiveSessionRegistry.html[ReactiveSessionRegistry], and, every time a user logs in, their session information is saved.
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
Spring Security ships with {security-api-url}org/springframework/security/core/session/InMemoryReactiveSessionRegistry.html[InMemoryReactiveSessionRegistry] implementation of `ReactiveSessionRegistry`.
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
To specify a `ReactiveSessionRegistry` implementation you can either declare it as a bean:
.ReactiveSessionRegistry as a Bean
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
http
// ...
.sessionManagement((sessions) -> sessions
.concurrentSessions((concurrency) -> concurrency
.maximumSessions(SessionLimit.of(1))
)
);
return http.build();
}
@Bean
ReactiveSessionRegistry reactiveSessionRegistry() {
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
return new MyReactiveSessionRegistry();
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
sessionManagement {
sessionConcurrency {
maximumSessions = SessionLimit.of(1)
}
}
}
}
@Bean
open fun reactiveSessionRegistry(): ReactiveSessionRegistry {
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
return MyReactiveSessionRegistry()
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
----
======
or you can use the `sessionRegistry` DSL method:
.ReactiveSessionRegistry using sessionRegistry DSL method
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
http
// ...
.sessionManagement((sessions) -> sessions
.concurrentSessions((concurrency) -> concurrency
.maximumSessions(SessionLimit.of(1))
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
.sessionRegistry(new MyReactiveSessionRegistry())
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
)
);
return http.build();
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
sessionManagement {
sessionConcurrency {
maximumSessions = SessionLimit.of(1)
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
sessionRegistry = MyReactiveSessionRegistry()
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
}
}
}
}
----
======
[[reactive-concurrent-sessions-control-manually-invalidating-sessions]]
== Invalidating Registered User's Sessions
At times, it is handy to be able to invalidate all or some of a user's sessions.
For example, when a user changes their password, you may want to invalidate all of their sessions so that they are forced to log in again.
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
To do that, you can use the `ReactiveSessionRegistry` bean to retrieve all the user's sessions, invalidate them, and them remove them from the `WebSessionStore`:
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
.Using ReactiveSessionRegistry to invalidate sessions manually
[tabs]
======
Java::
+
[source,java,role="primary"]
----
public class SessionControl {
private final ReactiveSessionRegistry reactiveSessionRegistry;
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
private final WebSessionStore webSessionStore;
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
public Mono<Void> invalidateSessions(String username) {
return this.reactiveSessionRegistry.getAllSessions(username)
Update Max Sessions on WebFlux Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler Issue gh-6192
2024-02-28 10:06:45 -03:00
.flatMap((session) -> session.invalidate().thenReturn(session))
.flatMap((session) -> this.webSessionStore.removeSession(session.getSessionId()))
Add Max Sessions on WebFlux Closes gh-6192
2023-07-25 15:31:30 -03:00
.then();
}
}
----
======
[[disabling-for-authentication-filters]]
== Disabling It for Some Authentication Filters
By default, Concurrent Sessions Control will be configured automatically for Form Login, OAuth 2.0 Login, and HTTP Basic authentication as long as they do not specify an `ServerAuthenticationSuccessHandler` themselves.
For example, the following configuration will disable Concurrent Sessions Control for Form Login:
.Disabling Concurrent Sessions Control for Form Login
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
http
// ...
.formLogin((login) -> login
.authenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler("/"))
)
.sessionManagement((sessions) -> sessions
.concurrentSessions((concurrency) -> concurrency
.maximumSessions(SessionLimit.of(1))
)
);
return http.build();
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
formLogin {
authenticationSuccessHandler = RedirectServerAuthenticationSuccessHandler("/")
}
sessionManagement {
sessionConcurrency {
maximumSessions = SessionLimit.of(1)
}
}
}
}
----
======
=== Adding Additional Success Handlers Without Disabling Concurrent Sessions Control
You can also include additional `ServerAuthenticationSuccessHandler` instances to the list of handlers used by the authentication filter without disabling Concurrent Sessions Control.
To do that you can use the `authenticationSuccessHandler(Consumer<List<ServerAuthenticationSuccessHandler>>)` method:
.Adding additional handlers
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
http
// ...
.formLogin((login) -> login
.authenticationSuccessHandler((handlers) -> handlers.add(new MyAuthenticationSuccessHandler()))
)
.sessionManagement((sessions) -> sessions
.concurrentSessions((concurrency) -> concurrency
.maximumSessions(SessionLimit.of(1))
)
);
return http.build();
}
----
======
[[concurrent-sessions-control-sample]]
== Checking a Sample Application
You can check the {gh-samples-url}/reactive/webflux/java/session-management/maximum-sessions[sample application here].
Reference in New Issue Copy Permalink