- * By default uses {@link SessionRegistryImpl},
- * although any SessionRegistry may be used.
+ * By default uses {@link SessionRegistryImpl}, although any
+ * SessionRegistry may be used.
*
null or all unexpired sessions
- * associated with the principal
+ * @param sessionId the session ID of the present request
+ * @param sessions either null or all unexpired sessions
+ * associated with the principal
* @param allowableSessions DOCUMENT ME!
- * @param registry an instance of the SessionRegistry for
- * subclass use
+ * @param registry an instance of the SessionRegistry for
+ * subclass use
+ *
* @throws ConcurrentLoginException DOCUMENT ME!
*/
protected void allowableSessionsExceeded(String sessionId,
- SessionInformation[] sessions, int allowableSessions,
- SessionRegistry registry) {
+ SessionInformation[] sessions, int allowableSessions,
+ SessionRegistry registry) {
if (exceptionIfMaximumExceeded || (sessions == null)) {
throw new ConcurrentLoginException(messages.getMessage(
"ConcurrentSessionControllerImpl.exceededAllowed",
- new Object[]{new Integer(allowableSessions)},
+ new Object[] {new Integer(allowableSessions)},
"Maximum sessions of {0} for this principal exceeded"));
}
@@ -82,8 +88,8 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
for (int i = 0; i < sessions.length; i++) {
if ((leastRecentlyUsed == null)
- || sessions[i].getLastRequest()
- .before(leastRecentlyUsed.getLastRequest())) {
+ || sessions[i].getLastRequest()
+ .before(leastRecentlyUsed.getLastRequest())) {
leastRecentlyUsed = sessions[i];
}
}
@@ -92,16 +98,17 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
}
public void checkAuthenticationAllowed(Authentication request)
- throws AuthenticationException {
+ throws AuthenticationException {
Assert.notNull(request,
- "Authentication request cannot be null (violation of interface contract)");
+ "Authentication request cannot be null (violation of interface contract)");
Object principal = SessionRegistryUtils
- .obtainPrincipalFromAuthentication(request);
+ .obtainPrincipalFromAuthentication(request);
String sessionId = SessionRegistryUtils
- .obtainSessionIdFromAuthentication(request);
+ .obtainSessionIdFromAuthentication(request);
- SessionInformation[] sessions = sessionRegistry.getAllSessions(principal);
+ SessionInformation[] sessions = sessionRegistry.getAllSessions(principal,
+ false);
int sessionCount = 0;
@@ -111,7 +118,7 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
int allowableSessions = getMaximumSessionsForThisUser(request);
Assert.isTrue(allowableSessions != 0,
- "getMaximumSessionsForThisUser() must return either -1 to allow unlimited logins, or a positive integer to specify a maximum");
+ "getMaximumSessionsForThisUser() must return either -1 to allow unlimited logins, or a positive integer to specify a maximum");
if (sessionCount < allowableSessions) {
return;
@@ -124,41 +131,40 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
}
}
- allowableSessionsExceeded(sessionId, sessions,
- allowableSessions, sessionRegistry);
+ allowableSessionsExceeded(sessionId, sessions, allowableSessions,
+ sessionRegistry);
}
/**
- * Method intended for use by subclasses to override the maximum
- * number of sessions that are permitted for a particular
- * authentication. The default implementation simply returns the
- * maximumSessions value for the bean.
+ * Method intended for use by subclasses to override the maximum number of
+ * sessions that are permitted for a particular authentication. The
+ * default implementation simply returns the maximumSessions
+ * value for the bean.
*
* @param authentication to determine the maximum sessions for
- * @return either -1 meaning unlimited, or a positive integer to
- * limit (never zero)
+ *
+ * @return either -1 meaning unlimited, or a positive integer to limit
+ * (never zero)
*/
- protected int getMaximumSessionsForThisUser(
- Authentication authentication) {
+ protected int getMaximumSessionsForThisUser(Authentication authentication) {
return maximumSessions;
}
- public void registerSuccessfulAuthentication(
- Authentication authentication) {
+ public void registerSuccessfulAuthentication(Authentication authentication) {
Assert.notNull(authentication,
- "Authentication cannot be null (violation of interface contract)");
+ "Authentication cannot be null (violation of interface contract)");
Object principal = SessionRegistryUtils
- .obtainPrincipalFromAuthentication(authentication);
+ .obtainPrincipalFromAuthentication(authentication);
String sessionId = SessionRegistryUtils
- .obtainSessionIdFromAuthentication(authentication);
+ .obtainSessionIdFromAuthentication(authentication);
sessionRegistry.removeSessionInformation(sessionId);
sessionRegistry.registerNewSession(sessionId, principal);
}
public void setExceptionIfMaximumExceeded(
- boolean exceptionIfMaximumExceeded) {
+ boolean exceptionIfMaximumExceeded) {
this.exceptionIfMaximumExceeded = exceptionIfMaximumExceeded;
}
@@ -170,8 +176,7 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
this.messages = new MessageSourceAccessor(messageSource);
}
- public void setSessionRegistry(
- SessionRegistry sessionRegistry) {
+ public void setSessionRegistry(SessionRegistry sessionRegistry) {
this.sessionRegistry = sessionRegistry;
}
}
diff --git a/core/src/main/java/org/acegisecurity/concurrent/SessionRegistry.java b/core/src/main/java/org/acegisecurity/concurrent/SessionRegistry.java
index b022ca8c19..2eccd0d8f9 100644
--- a/core/src/main/java/org/acegisecurity/concurrent/SessionRegistry.java
+++ b/core/src/main/java/org/acegisecurity/concurrent/SessionRegistry.java
@@ -34,15 +34,20 @@ public interface SessionRegistry {
/**
* Obtains all the known sessions for the specified principal. Sessions
- * that have expired or destroyed are not returned.
+ * that have been destroyed are not returned. Sessions that have expired
+ * may be returned, depending on the passed argument.
*
* @param principal to locate sessions for (should never be
* null)
+ * @param includeExpiredSessions if true, the returned
+ * sessions will also include those that have expired for the
+ * principal
*
- * @return the unexpired and undestroyed sessions for this principal, or
- * null if none were found
+ * @return the matching sessions for this principal, or null
+ * if none were found
*/
- public SessionInformation[] getAllSessions(Object principal);
+ public SessionInformation[] getAllSessions(Object principal,
+ boolean includeExpiredSessions);
/**
* Obtains the session information for the specified
diff --git a/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java b/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java
index f5aae8b5db..0e83b299da 100644
--- a/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java
+++ b/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java
@@ -64,7 +64,8 @@ public class SessionRegistryImpl implements SessionRegistry,
return principals.keySet().toArray();
}
- public SessionInformation[] getAllSessions(Object principal) {
+ public SessionInformation[] getAllSessions(Object principal,
+ boolean includeExpiredSessions) {
Set sessionsUsedByPrincipal = (Set) principals.get(principal);
if (sessionsUsedByPrincipal == null) {
@@ -79,7 +80,7 @@ public class SessionRegistryImpl implements SessionRegistry,
String sessionId = (String) iter.next();
SessionInformation sessionInformation = getSessionInformation(sessionId);
- if (!sessionInformation.isExpired()) {
+ if (includeExpiredSessions || !sessionInformation.isExpired()) {
list.add(sessionInformation);
}
}