mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-27 06:12:27 +00:00
Add ConcurrentSessionController details.
This commit is contained in:
Ben Alex
parent
81e84067ae
commit
45761058e7
@ -26,7 +26,7 @@
|
|||||||
|
|
||||||
<subtitle>Reference Documentation</subtitle>
|
<subtitle>Reference Documentation</subtitle>
|
||||||
|
|
||||||
<releaseinfo>0.8.1</releaseinfo>
|
<releaseinfo>0.8.2</releaseinfo>
|
||||||
|
|
||||||
<authorgroup>
|
<authorgroup>
|
||||||
<author>
|
<author>
|
||||||
@ -1475,6 +1475,69 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
|||||||
bean context configuration shown above.</para>
|
bean context configuration shown above.</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
|
<sect2 id="security-authentication-concurrent-login">
|
||||||
|
<title>Concurrent Session Support</title>
|
||||||
|
|
||||||
|
<para>Acegi Security is able to stop the same principal authenticating
|
||||||
|
to the same web application multiple times concurrently. Put
|
||||||
|
differently, you can stop user "Batman" from logging into a web
|
||||||
|
application twice at the same time. </para>
|
||||||
|
|
||||||
|
<para>To use concurrent session support, you'll need to add the
|
||||||
|
following to web.xml:</para>
|
||||||
|
|
||||||
|
<para><programlisting><listener>
|
||||||
|
<listener-class>net.sf.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
|
||||||
|
</listener></programlisting></para>
|
||||||
|
|
||||||
|
<para>The above code causes an <literal>ApplicationEvent</literal> to
|
||||||
|
be published to the Spring <literal>ApplicationContext</literal> every
|
||||||
|
time a <literal>HttpSession</literal> commences or terminates. This is
|
||||||
|
critical, as it allows the
|
||||||
|
<literal>ConcurrentSessionControllerImpl</literal> to be notified when
|
||||||
|
a session ends. Next up you'll need to wire the
|
||||||
|
<literal>ConcurrentSessionControllerImpl</literal> into your existing
|
||||||
|
<literal>ProviderManager</literal>:</para>
|
||||||
|
|
||||||
|
<para><programlisting><bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
|
||||||
|
<property name="providers">
|
||||||
|
<!-- your providers go here -->
|
||||||
|
</property>
|
||||||
|
<property name="sessionController"><ref bean="concurrentSessionController"/></property>
|
||||||
|
</bean>
|
||||||
|
|
||||||
|
<bean id="concurrentSessionController" class="net.sf.acegisecurity.providers.ConcurrentSessionControllerImpl">
|
||||||
|
<property name="maxSessions"><value>1</value></property>
|
||||||
|
</bean></programlisting></para>
|
||||||
|
|
||||||
|
<para>Ensure you do not in-line the
|
||||||
|
<literal>ConcurrentSessionControllerImpl</literal> when declaring it
|
||||||
|
in your XML. This is important, as it appears that in-lined bean
|
||||||
|
declarations do not receive ApplicationEvents.</para>
|
||||||
|
|
||||||
|
<para>The <literal>ConcurrentSessionControllerImpl</literal> relies
|
||||||
|
heavily on the
|
||||||
|
<literal>Authentication.getPrincipal().equals()</literal> method. If
|
||||||
|
you are using a custom <literal>Authentication</literal> object,
|
||||||
|
please keep this in mind. In order for the
|
||||||
|
<literal>ConcurrentSessionControllerImpl</literal> to release a given
|
||||||
|
<literal>HttpSession</literal>, and thus let the user log in to a new
|
||||||
|
<literal>HttpSession</literal>, the existing
|
||||||
|
<literal>HttpSession</literal> must be invalidated. For example, if
|
||||||
|
"Batman" logs into the web application, checks for crimes being
|
||||||
|
commited, and the just closes his browser with out "logging out", he
|
||||||
|
will not be able to log back in until his
|
||||||
|
<literal>HttpSession</literal> is timed out by the server (and a
|
||||||
|
corresponding <literal>ApplicationEvent</literal> is published via
|
||||||
|
<literal>HttpSessionEventPublisher</literal> to the
|
||||||
|
<literal>ConcurrentSessionControllerImpl</literal>). You would have to
|
||||||
|
look at your container's documentation to determine the default
|
||||||
|
timeout period. You can also configure the session timeout in your
|
||||||
|
<literal>web.xml</literal>:<programlisting><session-config>
|
||||||
|
<session-timeout>30</session-timeout>
|
||||||
|
</session-config></programlisting></para>
|
||||||
|
</sect2>
|
||||||
|
|
||||||
<sect2 id="security-authentication-provider-jaas">
|
<sect2 id="security-authentication-provider-jaas">
|
||||||
<title>JAAS Authentication</title>
|
<title>JAAS Authentication</title>
|
||||||
|
|
||||||
@ -2134,7 +2197,7 @@ public boolean supports(Class clazz);</programlisting></para>
|
|||||||
attribute that an <literal>AccessDecisionVoter</literal> will vote to
|
attribute that an <literal>AccessDecisionVoter</literal> will vote to
|
||||||
grant access for. This latter (recommended) approach is usually
|
grant access for. This latter (recommended) approach is usually
|
||||||
achieved through a <literal>ROLE_USER</literal> or
|
achieved through a <literal>ROLE_USER</literal> or
|
||||||
<literal>ROLE_AUTHENTICATED</literal> configuration attribute. </para>
|
<literal>ROLE_AUTHENTICATED</literal> configuration attribute.</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2 id="afterinvocation-acl-aware">
|
<sect2 id="afterinvocation-acl-aware">
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user