diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
index 3df5775afc..6bd9570cf9 100644
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -62,6 +62,7 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+import org.springframework.security.core.session.ReactiveSessionRegistry;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.oauth2.client.InMemoryReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
@@ -124,19 +125,26 @@ import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.AnonymousAuthenticationWebFilter;
import org.springframework.security.web.server.authentication.AuthenticationConverterServerWebExchangeMatcher;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
+import org.springframework.security.web.server.authentication.ConcurrentSessionControlServerAuthenticationSuccessHandler;
+import org.springframework.security.web.server.authentication.DelegatingServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.HttpBasicServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
+import org.springframework.security.web.server.authentication.InvalidateLeastUsedServerMaximumSessionsExceededHandler;
import org.springframework.security.web.server.authentication.ReactivePreAuthenticatedAuthenticationManager;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationFailureHandler;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
+import org.springframework.security.web.server.authentication.RegisterSessionServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerAuthenticationEntryPointFailureHandler;
import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.ServerFormLoginAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerHttpBasicAuthenticationConverter;
+import org.springframework.security.web.server.authentication.ServerMaximumSessionsExceededHandler;
import org.springframework.security.web.server.authentication.ServerX509AuthenticationConverter;
+import org.springframework.security.web.server.authentication.SessionLimit;
+import org.springframework.security.web.server.authentication.WebFilterChainServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.logout.DelegatingServerLogoutHandler;
import org.springframework.security.web.server.authentication.logout.LogoutWebFilter;
import org.springframework.security.web.server.authentication.logout.SecurityContextServerLogoutHandler;
@@ -312,6 +320,8 @@ public class ServerHttpSecurity {
private LoginPageSpec loginPage = new LoginPageSpec();
+ private SessionManagementSpec sessionManagement;
+
private ReactiveAuthenticationManager authenticationManager;
private ServerSecurityContextRepository securityContextRepository;
@@ -360,6 +370,7 @@ public class ServerHttpSecurity {
}
/**
+ *
* Adds a {@link WebFilter} before specific position.
* @param webFilter the {@link WebFilter} to add
* @param order the place before which to insert the {@link WebFilter}
@@ -743,6 +754,36 @@ public class ServerHttpSecurity {
return this;
}
+ /**
+ * Configures Session Management. An example configuration is provided below:
+ *
+ * @Bean
+ * SecurityWebFilterChain filterChain(ServerHttpSecurity http, ReactiveSessionRegistry sessionRegistry) {
+ * http
+ * // ...
+ * .sessionManagement((sessionManagement) -> sessionManagement
+ * .concurrentSessions((concurrentSessions) -> concurrentSessions
+ * .maxSessions(1)
+ * .maxSessionsPreventsLogin(true)
+ * .sessionRegistry(sessionRegistry)
+ * )
+ * );
+ * return http.build();
+ * }
+ *
+ * @param customizer the {@link Customizer} to provide more options for the
+ * {@link SessionManagementSpec}
+ * @return the {@link ServerHttpSecurity} to continue configuring
+ * @since 6.3
+ */
+ public ServerHttpSecurity sessionManagement(Customizer customizer) {
+ if (this.sessionManagement == null) {
+ this.sessionManagement = new SessionManagementSpec();
+ }
+ customizer.customize(this.sessionManagement);
+ return this;
+ }
+
/**
* Configures password management. An example configuration is provided below:
*
@@ -1517,6 +1558,9 @@ public class ServerHttpSecurity {
}
WebFilter securityContextRepositoryWebFilter = securityContextRepositoryWebFilter();
this.webFilters.add(securityContextRepositoryWebFilter);
+ if (this.sessionManagement != null) {
+ this.sessionManagement.configure(this);
+ }
if (this.httpsRedirectSpec != null) {
this.httpsRedirectSpec.configure(this);
}
@@ -1907,6 +1951,249 @@ public class ServerHttpSecurity {
}
+ /**
+ * Configures how sessions are managed.
+ */
+ public class SessionManagementSpec {
+
+ private ConcurrentSessionsSpec concurrentSessions;
+
+ private ServerAuthenticationSuccessHandler authenticationSuccessHandler;
+
+ private ReactiveSessionRegistry sessionRegistry;
+
+ private SessionLimit sessionLimit = SessionLimit.UNLIMITED;
+
+ private ServerMaximumSessionsExceededHandler maximumSessionsExceededHandler = new InvalidateLeastUsedServerMaximumSessionsExceededHandler();
+
+ /**
+ * Configures how many sessions are allowed for a given user.
+ * @param customizer the customizer to provide more options
+ * @return the {@link SessionManagementSpec} to customize
+ */
+ public SessionManagementSpec concurrentSessions(Customizer customizer) {
+ if (this.concurrentSessions == null) {
+ this.concurrentSessions = new ConcurrentSessionsSpec();
+ }
+ customizer.customize(this.concurrentSessions);
+ return this;
+ }
+
+ void configure(ServerHttpSecurity http) {
+ if (this.concurrentSessions != null) {
+ ReactiveSessionRegistry reactiveSessionRegistry = getSessionRegistry();
+ ConcurrentSessionControlServerAuthenticationSuccessHandler concurrentSessionControlStrategy = new ConcurrentSessionControlServerAuthenticationSuccessHandler(
+ reactiveSessionRegistry);
+ concurrentSessionControlStrategy.setSessionLimit(this.sessionLimit);
+ concurrentSessionControlStrategy.setMaximumSessionsExceededHandler(this.maximumSessionsExceededHandler);
+ RegisterSessionServerAuthenticationSuccessHandler registerSessionAuthenticationStrategy = new RegisterSessionServerAuthenticationSuccessHandler(
+ reactiveSessionRegistry);
+ this.authenticationSuccessHandler = new DelegatingServerAuthenticationSuccessHandler(
+ concurrentSessionControlStrategy, registerSessionAuthenticationStrategy);
+ SessionRegistryWebFilter sessionRegistryWebFilter = new SessionRegistryWebFilter(
+ reactiveSessionRegistry);
+ configureSuccessHandlerOnAuthenticationFilters();
+ http.addFilterAfter(sessionRegistryWebFilter, SecurityWebFiltersOrder.HTTP_HEADERS_WRITER);
+ }
+ }
+
+ private void configureSuccessHandlerOnAuthenticationFilters() {
+ if (ServerHttpSecurity.this.formLogin != null) {
+ ServerHttpSecurity.this.formLogin.defaultSuccessHandlers.add(0, this.authenticationSuccessHandler);
+ }
+ if (ServerHttpSecurity.this.oauth2Login != null) {
+ ServerHttpSecurity.this.oauth2Login.defaultSuccessHandlers.add(0, this.authenticationSuccessHandler);
+ }
+ if (ServerHttpSecurity.this.httpBasic != null) {
+ ServerHttpSecurity.this.httpBasic.defaultSuccessHandlers.add(0, this.authenticationSuccessHandler);
+ }
+ }
+
+ private ReactiveSessionRegistry getSessionRegistry() {
+ if (this.sessionRegistry == null) {
+ this.sessionRegistry = getBeanOrNull(ReactiveSessionRegistry.class);
+ }
+ if (this.sessionRegistry == null) {
+ throw new IllegalStateException(
+ "A ReactiveSessionRegistry is needed for concurrent session management");
+ }
+ return this.sessionRegistry;
+ }
+
+ /**
+ * Configures how many sessions are allowed for a given user.
+ */
+ public class ConcurrentSessionsSpec {
+
+ /**
+ * Sets the {@link ReactiveSessionRegistry} to use.
+ * @param reactiveSessionRegistry the {@link ReactiveSessionRegistry} to use
+ * @return the {@link ConcurrentSessionsSpec} to continue customizing
+ */
+ public ConcurrentSessionsSpec sessionRegistry(ReactiveSessionRegistry reactiveSessionRegistry) {
+ SessionManagementSpec.this.sessionRegistry = reactiveSessionRegistry;
+ return this;
+ }
+
+ /**
+ * Sets the maximum number of sessions allowed for any user. You can use
+ * {@link SessionLimit#of(int)} to specify a positive integer or
+ * {@link SessionLimit#UNLIMITED} to allow unlimited sessions. To customize
+ * the maximum number of sessions on a per-user basis, you can provide a
+ * custom {@link SessionLimit} implementation, like so:
+ * http
+ * .sessionManagement((sessions) -> sessions
+ * .concurrentSessions((concurrency) -> concurrency
+ * .maximumSessions((authentication) -> {
+ * if (authentication.getName().equals("admin")) {
+ * return Mono.empty() // unlimited sessions for admin
+ * }
+ * return Mono.just(1); // one session for every other user
+ * })
+ * )
+ * )
+ *
+ * @param sessionLimit the maximum number of sessions allowed for any user
+ * @return the {@link ConcurrentSessionsSpec} to continue customizing
+ */
+ public ConcurrentSessionsSpec maximumSessions(SessionLimit sessionLimit) {
+ Assert.notNull(sessionLimit, "sessionLimit cannot be null");
+ SessionManagementSpec.this.sessionLimit = sessionLimit;
+ return this;
+ }
+
+ /**
+ * Sets the {@link ServerMaximumSessionsExceededHandler} to use when the
+ * maximum number of sessions is exceeded.
+ * @param maximumSessionsExceededHandler the
+ * {@link ServerMaximumSessionsExceededHandler} to use
+ * @return the {@link ConcurrentSessionsSpec} to continue customizing
+ */
+ public ConcurrentSessionsSpec maximumSessionsExceededHandler(
+ ServerMaximumSessionsExceededHandler maximumSessionsExceededHandler) {
+ Assert.notNull(maximumSessionsExceededHandler, "maximumSessionsExceededHandler cannot be null");
+ SessionManagementSpec.this.maximumSessionsExceededHandler = maximumSessionsExceededHandler;
+ return this;
+ }
+
+ }
+
+ private static final class SessionRegistryWebFilter implements WebFilter {
+
+ private final ReactiveSessionRegistry sessionRegistry;
+
+ private SessionRegistryWebFilter(ReactiveSessionRegistry sessionRegistry) {
+ Assert.notNull(sessionRegistry, "sessionRegistry cannot be null");
+ this.sessionRegistry = sessionRegistry;
+ }
+
+ @Override
+ public Mono filter(ServerWebExchange exchange, WebFilterChain chain) {
+ return chain.filter(new SessionRegistryWebExchange(exchange));
+ }
+
+ private final class SessionRegistryWebExchange extends ServerWebExchangeDecorator {
+
+ private final Mono sessionMono;
+
+ private SessionRegistryWebExchange(ServerWebExchange delegate) {
+ super(delegate);
+ this.sessionMono = delegate.getSession()
+ .flatMap((session) -> SessionRegistryWebFilter.this.sessionRegistry
+ .updateLastAccessTime(session.getId())
+ .thenReturn(session))
+ .map(SessionRegistryWebSession::new);
+ }
+
+ @Override
+ public Mono getSession() {
+ return this.sessionMono;
+ }
+
+ }
+
+ private final class SessionRegistryWebSession implements WebSession {
+
+ private final WebSession session;
+
+ private SessionRegistryWebSession(WebSession session) {
+ this.session = session;
+ }
+
+ @Override
+ public String getId() {
+ return this.session.getId();
+ }
+
+ @Override
+ public Map getAttributes() {
+ return this.session.getAttributes();
+ }
+
+ @Override
+ public void start() {
+ this.session.start();
+ }
+
+ @Override
+ public boolean isStarted() {
+ return this.session.isStarted();
+ }
+
+ @Override
+ public Mono changeSessionId() {
+ String currentId = this.session.getId();
+ return SessionRegistryWebFilter.this.sessionRegistry.removeSessionInformation(currentId)
+ .flatMap((information) -> this.session.changeSessionId().thenReturn(information))
+ .flatMap((information) -> {
+ information = information.withSessionId(this.session.getId());
+ return SessionRegistryWebFilter.this.sessionRegistry.saveSessionInformation(information);
+ });
+ }
+
+ @Override
+ public Mono invalidate() {
+ String currentId = this.session.getId();
+ return SessionRegistryWebFilter.this.sessionRegistry.removeSessionInformation(currentId)
+ .flatMap((information) -> this.session.invalidate());
+ }
+
+ @Override
+ public Mono save() {
+ return this.session.save();
+ }
+
+ @Override
+ public boolean isExpired() {
+ return this.session.isExpired();
+ }
+
+ @Override
+ public Instant getCreationTime() {
+ return this.session.getCreationTime();
+ }
+
+ @Override
+ public Instant getLastAccessTime() {
+ return this.session.getLastAccessTime();
+ }
+
+ @Override
+ public void setMaxIdleTime(Duration maxIdleTime) {
+ this.session.setMaxIdleTime(maxIdleTime);
+ }
+
+ @Override
+ public Duration getMaxIdleTime() {
+ return this.session.getMaxIdleTime();
+ }
+
+ }
+
+ }
+
+ }
+
/**
* Configures HTTPS redirection rules
*
@@ -2211,6 +2498,11 @@ public class ServerHttpSecurity {
private ServerAuthenticationFailureHandler authenticationFailureHandler;
+ private final List defaultSuccessHandlers = new ArrayList<>(
+ List.of(new WebFilterChainServerAuthenticationSuccessHandler()));
+
+ private List authenticationSuccessHandlers = new ArrayList<>();
+
private HttpBasicSpec() {
List entryPoints = new ArrayList<>();
entryPoints
@@ -2221,6 +2513,40 @@ public class ServerHttpSecurity {
this.entryPoint = defaultEntryPoint;
}
+ /**
+ * The {@link ServerAuthenticationSuccessHandler} used after authentication
+ * success. Defaults to {@link WebFilterChainServerAuthenticationSuccessHandler}.
+ * Note that this method clears previously added success handlers via
+ * {@link #authenticationSuccessHandler(Consumer)}
+ * @param authenticationSuccessHandler the success handler to use
+ * @return the {@link HttpBasicSpec} to continue configuring
+ * @since 6.3
+ */
+ public HttpBasicSpec authenticationSuccessHandler(
+ ServerAuthenticationSuccessHandler authenticationSuccessHandler) {
+ Assert.notNull(authenticationSuccessHandler, "authenticationSuccessHandler cannot be null");
+ authenticationSuccessHandler((handlers) -> {
+ handlers.clear();
+ handlers.add(authenticationSuccessHandler);
+ });
+ return this;
+ }
+
+ /**
+ * Allows customizing the list of {@link ServerAuthenticationSuccessHandler}. The
+ * default list contains a
+ * {@link WebFilterChainServerAuthenticationSuccessHandler}.
+ * @param handlersConsumer the handlers consumer
+ * @return the {@link HttpBasicSpec} to continue configuring
+ * @since 6.3
+ */
+ public HttpBasicSpec authenticationSuccessHandler(
+ Consumer> handlersConsumer) {
+ Assert.notNull(handlersConsumer, "handlersConsumer cannot be null");
+ handlersConsumer.accept(this.authenticationSuccessHandlers);
+ return this;
+ }
+
/**
* The {@link ReactiveAuthenticationManager} used to authenticate. Defaults to
* {@link ServerHttpSecurity#authenticationManager(ReactiveAuthenticationManager)}.
@@ -2306,9 +2632,17 @@ public class ServerHttpSecurity {
authenticationFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
authenticationFilter.setAuthenticationConverter(new ServerHttpBasicAuthenticationConverter());
authenticationFilter.setSecurityContextRepository(this.securityContextRepository);
+ authenticationFilter.setAuthenticationSuccessHandler(getAuthenticationSuccessHandler(http));
http.addFilterAt(authenticationFilter, SecurityWebFiltersOrder.HTTP_BASIC);
}
+ private ServerAuthenticationSuccessHandler getAuthenticationSuccessHandler(ServerHttpSecurity http) {
+ if (this.authenticationSuccessHandlers.isEmpty()) {
+ return new DelegatingServerAuthenticationSuccessHandler(this.defaultSuccessHandlers);
+ }
+ return new DelegatingServerAuthenticationSuccessHandler(this.authenticationSuccessHandlers);
+ }
+
private ServerAuthenticationFailureHandler authenticationFailureHandler() {
if (this.authenticationFailureHandler != null) {
return this.authenticationFailureHandler;
@@ -2380,6 +2714,9 @@ public class ServerHttpSecurity {
private final RedirectServerAuthenticationSuccessHandler defaultSuccessHandler = new RedirectServerAuthenticationSuccessHandler(
"/");
+ private final List defaultSuccessHandlers = new ArrayList<>(
+ List.of(this.defaultSuccessHandler));
+
private RedirectServerAuthenticationEntryPoint defaultEntryPoint;
private ReactiveAuthenticationManager authenticationManager;
@@ -2394,7 +2731,7 @@ public class ServerHttpSecurity {
private ServerAuthenticationFailureHandler authenticationFailureHandler;
- private ServerAuthenticationSuccessHandler authenticationSuccessHandler = this.defaultSuccessHandler;
+ private List authenticationSuccessHandlers = new ArrayList<>();
private FormLoginSpec() {
}
@@ -2412,14 +2749,34 @@ public class ServerHttpSecurity {
/**
* The {@link ServerAuthenticationSuccessHandler} used after authentication
- * success. Defaults to {@link RedirectServerAuthenticationSuccessHandler}.
+ * success. Defaults to {@link RedirectServerAuthenticationSuccessHandler}. Note
+ * that this method clears previously added success handlers via
+ * {@link #authenticationSuccessHandler(Consumer)}
* @param authenticationSuccessHandler the success handler to use
* @return the {@link FormLoginSpec} to continue configuring
*/
public FormLoginSpec authenticationSuccessHandler(
ServerAuthenticationSuccessHandler authenticationSuccessHandler) {
Assert.notNull(authenticationSuccessHandler, "authenticationSuccessHandler cannot be null");
- this.authenticationSuccessHandler = authenticationSuccessHandler;
+ authenticationSuccessHandler((handlers) -> {
+ handlers.clear();
+ handlers.add(authenticationSuccessHandler);
+ });
+ return this;
+ }
+
+ /**
+ * Allows customizing the list of {@link ServerAuthenticationSuccessHandler}. The
+ * default list contains a {@link RedirectServerAuthenticationSuccessHandler} that
+ * redirects to "/".
+ * @param handlersConsumer the handlers consumer
+ * @return the {@link FormLoginSpec} to continue configuring
+ * @since 6.3
+ */
+ public FormLoginSpec authenticationSuccessHandler(
+ Consumer> handlersConsumer) {
+ Assert.notNull(handlersConsumer, "handlersConsumer cannot be null");
+ handlersConsumer.accept(this.authenticationSuccessHandlers);
return this;
}
@@ -2552,11 +2909,18 @@ public class ServerHttpSecurity {
authenticationFilter.setRequiresAuthenticationMatcher(this.requiresAuthenticationMatcher);
authenticationFilter.setAuthenticationFailureHandler(this.authenticationFailureHandler);
authenticationFilter.setAuthenticationConverter(new ServerFormLoginAuthenticationConverter());
- authenticationFilter.setAuthenticationSuccessHandler(this.authenticationSuccessHandler);
+ authenticationFilter.setAuthenticationSuccessHandler(getAuthenticationSuccessHandler(http));
authenticationFilter.setSecurityContextRepository(this.securityContextRepository);
http.addFilterAt(authenticationFilter, SecurityWebFiltersOrder.FORM_LOGIN);
}
+ private ServerAuthenticationSuccessHandler getAuthenticationSuccessHandler(ServerHttpSecurity http) {
+ if (this.authenticationSuccessHandlers.isEmpty()) {
+ return new DelegatingServerAuthenticationSuccessHandler(this.defaultSuccessHandlers);
+ }
+ return new DelegatingServerAuthenticationSuccessHandler(this.authenticationSuccessHandlers);
+ }
+
}
private final class LoginPageSpec {
@@ -3735,7 +4099,12 @@ public class ServerHttpSecurity {
private ReactiveOidcSessionRegistry oidcSessionRegistry;
- private ServerAuthenticationSuccessHandler authenticationSuccessHandler;
+ private final RedirectServerAuthenticationSuccessHandler defaultAuthenticationSuccessHandler = new RedirectServerAuthenticationSuccessHandler();
+
+ private final List defaultSuccessHandlers = new ArrayList<>(
+ List.of(this.defaultAuthenticationSuccessHandler));
+
+ private List authenticationSuccessHandlers = new ArrayList<>();
private ServerAuthenticationFailureHandler authenticationFailureHandler;
@@ -3783,7 +4152,8 @@ public class ServerHttpSecurity {
/**
* The {@link ServerAuthenticationSuccessHandler} used after authentication
* success. Defaults to {@link RedirectServerAuthenticationSuccessHandler}
- * redirecting to "/".
+ * redirecting to "/". Note that this method clears previously added success
+ * handlers via {@link #authenticationSuccessHandler(Consumer)}
* @param authenticationSuccessHandler the success handler to use
* @return the {@link OAuth2LoginSpec} to customize
* @since 5.2
@@ -3791,7 +4161,25 @@ public class ServerHttpSecurity {
public OAuth2LoginSpec authenticationSuccessHandler(
ServerAuthenticationSuccessHandler authenticationSuccessHandler) {
Assert.notNull(authenticationSuccessHandler, "authenticationSuccessHandler cannot be null");
- this.authenticationSuccessHandler = authenticationSuccessHandler;
+ authenticationSuccessHandler((handlers) -> {
+ handlers.clear();
+ handlers.add(authenticationSuccessHandler);
+ });
+ return this;
+ }
+
+ /**
+ * Allows customizing the list of {@link ServerAuthenticationSuccessHandler}. The
+ * default list contains a {@link RedirectServerAuthenticationSuccessHandler} that
+ * redirects to "/".
+ * @param handlersConsumer the handlers consumer
+ * @return the {@link OAuth2LoginSpec} to continue configuring
+ * @since 6.3
+ */
+ public OAuth2LoginSpec authenticationSuccessHandler(
+ Consumer> handlersConsumer) {
+ Assert.notNull(handlersConsumer, "handlersConsumer cannot be null");
+ handlersConsumer.accept(this.authenticationSuccessHandlers);
return this;
}
@@ -4041,12 +4429,11 @@ public class ServerHttpSecurity {
}
private ServerAuthenticationSuccessHandler getAuthenticationSuccessHandler(ServerHttpSecurity http) {
- if (this.authenticationSuccessHandler == null) {
- RedirectServerAuthenticationSuccessHandler handler = new RedirectServerAuthenticationSuccessHandler();
- handler.setRequestCache(http.requestCache.requestCache);
- this.authenticationSuccessHandler = handler;
+ this.defaultAuthenticationSuccessHandler.setRequestCache(http.requestCache.requestCache);
+ if (this.authenticationSuccessHandlers.isEmpty()) {
+ return new DelegatingServerAuthenticationSuccessHandler(this.defaultSuccessHandlers);
}
- return this.authenticationSuccessHandler;
+ return new DelegatingServerAuthenticationSuccessHandler(this.authenticationSuccessHandlers);
}
private ServerAuthenticationFailureHandler getAuthenticationFailureHandler() {
diff --git a/config/src/main/kotlin/org/springframework/security/config/web/server/ServerHttpSecurityDsl.kt b/config/src/main/kotlin/org/springframework/security/config/web/server/ServerHttpSecurityDsl.kt
index 300a3d6a60..639130f17f 100644
--- a/config/src/main/kotlin/org/springframework/security/config/web/server/ServerHttpSecurityDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/web/server/ServerHttpSecurityDsl.kt
@@ -682,6 +682,36 @@ class ServerHttpSecurityDsl(private val http: ServerHttpSecurity, private val in
this.http.oidcLogout(oidcLogoutCustomizer)
}
+ /**
+ * Configures Session Management support.
+ *
+ * Example:
+ *
+ * ```
+ * @Configuration
+ * @EnableWebFluxSecurity
+ * open class SecurityConfig {
+ *
+ * @Bean
+ * open fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+ * return http {
+ * sessionManagement {
+ * sessionConcurrency { }
+ * }
+ * }
+ * }
+ * }
+ * ```
+ *
+ * @param sessionManagementConfig custom configuration to configure the Session Management
+ * @since 6.3
+ * @see [ServerSessionManagementDsl]
+ */
+ fun sessionManagement(sessionManagementConfig: ServerSessionManagementDsl.() -> Unit) {
+ val sessionManagementCustomizer = ServerSessionManagementDsl().apply(sessionManagementConfig).get()
+ this.http.sessionManagement(sessionManagementCustomizer)
+ }
+
/**
* Apply all configurations to the provided [ServerHttpSecurity]
*/
diff --git a/config/src/main/kotlin/org/springframework/security/config/web/server/ServerSessionConcurrencyDsl.kt b/config/src/main/kotlin/org/springframework/security/config/web/server/ServerSessionConcurrencyDsl.kt
new file mode 100644
index 0000000000..b2dad3a574
--- /dev/null
+++ b/config/src/main/kotlin/org/springframework/security/config/web/server/ServerSessionConcurrencyDsl.kt
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server
+
+import org.springframework.security.core.session.ReactiveSessionRegistry
+import org.springframework.security.web.server.authentication.ServerMaximumSessionsExceededHandler
+import org.springframework.security.web.server.authentication.SessionLimit
+
+/**
+ * A Kotlin DSL to configure [ServerHttpSecurity] Session Concurrency support using idiomatic Kotlin code.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+@ServerSecurityMarker
+class ServerSessionConcurrencyDsl {
+ var maximumSessions: SessionLimit? = null
+ var maximumSessionsExceededHandler: ServerMaximumSessionsExceededHandler? = null
+ var sessionRegistry: ReactiveSessionRegistry? = null
+
+ internal fun get(): (ServerHttpSecurity.SessionManagementSpec.ConcurrentSessionsSpec) -> Unit {
+ return { sessionConcurrency ->
+ maximumSessions?.also {
+ sessionConcurrency.maximumSessions(maximumSessions!!)
+ }
+ maximumSessionsExceededHandler?.also {
+ sessionConcurrency.maximumSessionsExceededHandler(maximumSessionsExceededHandler!!)
+ }
+ sessionRegistry?.also {
+ sessionConcurrency.sessionRegistry(sessionRegistry!!)
+ }
+ }
+ }
+}
diff --git a/config/src/main/kotlin/org/springframework/security/config/web/server/ServerSessionManagementDsl.kt b/config/src/main/kotlin/org/springframework/security/config/web/server/ServerSessionManagementDsl.kt
new file mode 100644
index 0000000000..4858baa244
--- /dev/null
+++ b/config/src/main/kotlin/org/springframework/security/config/web/server/ServerSessionManagementDsl.kt
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server
+
+/**
+ * A Kotlin DSL to configure [ServerHttpSecurity] Session Management using idiomatic Kotlin code.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+@ServerSecurityMarker
+class ServerSessionManagementDsl {
+ private var sessionConcurrency: ((ServerHttpSecurity.SessionManagementSpec.ConcurrentSessionsSpec) -> Unit)? = null
+
+ /**
+ * Enables Session Management support.
+ *
+ * Example:
+ *
+ * ```
+ * @Configuration
+ * @EnableWebFluxSecurity
+ * open class SecurityConfig {
+ *
+ * @Bean
+ * open fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+ * return http {
+ * sessionManagement {
+ * sessionConcurrency {
+ * maximumSessions = { authentication -> Mono.just(1) }
+ * }
+ * }
+ * }
+ * }
+ * }
+ * ```
+ *
+ * @param backChannelConfig custom configurations to configure OIDC 1.0 Back-Channel Logout support
+ * @see [ServerOidcBackChannelLogoutDsl]
+ */
+ fun sessionConcurrency(sessionConcurrencyConfig: ServerSessionConcurrencyDsl.() -> Unit) {
+ this.sessionConcurrency = ServerSessionConcurrencyDsl().apply(sessionConcurrencyConfig).get()
+ }
+
+ internal fun get(): (ServerHttpSecurity.SessionManagementSpec) -> Unit {
+ return { sessionManagement ->
+ sessionConcurrency?.also { sessionManagement.concurrentSessions(sessionConcurrency) }
+ }
+ }
+}
diff --git a/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java b/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
index b8bcb40a67..fe3a0b4c2f 100644
--- a/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
@@ -56,9 +56,11 @@ import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.ServerRedirectStrategy;
import org.springframework.security.web.server.WebFilterChainProxy;
import org.springframework.security.web.server.authentication.AnonymousAuthenticationWebFilterTests;
+import org.springframework.security.web.server.authentication.DelegatingServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.HttpBasicServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
+import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.ServerX509AuthenticationConverter;
import org.springframework.security.web.server.authentication.logout.DelegatingServerLogoutHandler;
import org.springframework.security.web.server.authentication.logout.LogoutWebFilter;
@@ -592,6 +594,7 @@ public class ServerHttpSecurityTests {
}
@Test
+ @SuppressWarnings("unchecked")
public void shouldConfigureRequestCacheForOAuth2LoginAuthenticationEntryPointAndSuccessHandler() {
ServerRequestCache requestCache = spy(new WebSessionServerRequestCache());
ReactiveClientRegistrationRepository clientRegistrationRepository = mock(
@@ -613,8 +616,11 @@ public class ServerHttpSecurityTests {
OAuth2LoginAuthenticationWebFilter authenticationWebFilter = getWebFilter(securityFilterChain,
OAuth2LoginAuthenticationWebFilter.class)
.get();
- Object handler = ReflectionTestUtils.getField(authenticationWebFilter, "authenticationSuccessHandler");
- assertThat(ReflectionTestUtils.getField(handler, "requestCache")).isSameAs(requestCache);
+ DelegatingServerAuthenticationSuccessHandler handler = (DelegatingServerAuthenticationSuccessHandler) ReflectionTestUtils
+ .getField(authenticationWebFilter, "authenticationSuccessHandler");
+ List delegates = (List) ReflectionTestUtils
+ .getField(handler, "delegates");
+ assertThat(ReflectionTestUtils.getField(delegates.get(0), "requestCache")).isSameAs(requestCache);
}
@Test
diff --git a/config/src/test/java/org/springframework/security/config/web/server/SessionManagementSpecTests.java b/config/src/test/java/org/springframework/security/config/web/server/SessionManagementSpecTests.java
new file mode 100644
index 0000000000..ca2fcf9f80
--- /dev/null
+++ b/config/src/test/java/org/springframework/security/config/web/server/SessionManagementSpecTests.java
@@ -0,0 +1,624 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import reactor.core.publisher.Mono;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseCookie;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.test.SpringTestContext;
+import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.config.users.ReactiveAuthenticationTestConfiguration;
+import org.springframework.security.core.session.ReactiveSessionInformation;
+import org.springframework.security.core.session.ReactiveSessionRegistry;
+import org.springframework.security.core.userdetails.PasswordEncodedUser;
+import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
+import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
+import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
+import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.TestOAuth2AccessTokens;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
+import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationExchanges;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.security.oauth2.core.user.TestOAuth2Users;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.authentication.InvalidateLeastUsedServerMaximumSessionsExceededHandler;
+import org.springframework.security.web.server.authentication.PreventLoginServerMaximumSessionsExceededHandler;
+import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
+import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
+import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
+import org.springframework.security.web.server.authentication.SessionLimit;
+import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
+import org.springframework.security.web.session.WebSessionStoreReactiveSessionRegistry;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.reactive.config.EnableWebFlux;
+import org.springframework.web.reactive.function.BodyInserters;
+import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
+import org.springframework.web.server.session.DefaultWebSessionManager;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.csrf;
+
+@ExtendWith({ SpringExtension.class, SpringTestContextExtension.class })
+public class SessionManagementSpecTests {
+
+ public final SpringTestContext spring = new SpringTestContext(this);
+
+ WebTestClient client;
+
+ @Autowired
+ public void setApplicationContext(ApplicationContext context) {
+ this.client = WebTestClient.bindToApplicationContext(context).build();
+ }
+
+ @Test
+ void loginWhenMaxSessionPreventsLoginThenSecondLoginFails() {
+ this.spring.register(ConcurrentSessionsMaxSessionPreventsLoginConfig.class).autowire();
+
+ MultiValueMap data = new LinkedMultiValueMap<>();
+ data.add("username", "user");
+ data.add("password", "password");
+
+ ResponseCookie firstLoginSessionCookie = loginReturningCookie(data);
+
+ // second login should fail
+ this.client.mutateWith(csrf())
+ .post()
+ .uri("/login")
+ .contentType(MediaType.MULTIPART_FORM_DATA)
+ .body(BodyInserters.fromFormData(data))
+ .exchange()
+ .expectHeader()
+ .location("/login?error");
+
+ // first login should still be valid
+ this.client.mutateWith(csrf())
+ .get()
+ .uri("/")
+ .cookie(firstLoginSessionCookie.getName(), firstLoginSessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isOk();
+ }
+
+ @Test
+ void httpBasicWhenUsingSavingAuthenticationInWebSessionAndPreventLoginThenSecondRequestFails() {
+ this.spring.register(ConcurrentSessionsHttpBasicWithWebSessionMaxSessionPreventsLoginConfig.class).autowire();
+
+ MultiValueMap data = new LinkedMultiValueMap<>();
+ data.add("username", "user");
+ data.add("password", "password");
+
+ // first request be successful
+ ResponseCookie sessionCookie = this.client.get()
+ .uri("/")
+ .headers((headers) -> headers.setBasicAuth("user", "password"))
+ .exchange()
+ .expectStatus()
+ .isOk()
+ .expectCookie()
+ .exists("SESSION")
+ .returnResult(Void.class)
+ .getResponseCookies()
+ .getFirst("SESSION");
+
+ // request with no session should fail
+ this.client.get()
+ .uri("/")
+ .headers((headers) -> headers.setBasicAuth("user", "password"))
+ .exchange()
+ .expectStatus()
+ .isUnauthorized();
+
+ // request with session obtained from first request should be successful
+ this.client.get()
+ .uri("/")
+ .headers((headers) -> headers.setBasicAuth("user", "password"))
+ .cookie(sessionCookie.getName(), sessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isOk();
+ }
+
+ @Test
+ void loginWhenMaxSessionPerAuthenticationThenUserLoginFailsAndAdminLoginSucceeds() {
+ ConcurrentSessionsMaxSessionPreventsLoginConfig.sessionLimit = (authentication) -> {
+ if (authentication.getName().equals("admin")) {
+ return Mono.empty();
+ }
+ return Mono.just(1);
+ };
+ this.spring.register(ConcurrentSessionsMaxSessionPreventsLoginConfig.class).autowire();
+
+ MultiValueMap data = new LinkedMultiValueMap<>();
+ data.add("username", "user");
+ data.add("password", "password");
+ MultiValueMap adminCreds = new LinkedMultiValueMap<>();
+ adminCreds.add("username", "admin");
+ adminCreds.add("password", "password");
+
+ ResponseCookie userFirstLoginSessionCookie = loginReturningCookie(data);
+ ResponseCookie adminFirstLoginSessionCookie = loginReturningCookie(adminCreds);
+ // second user login should fail
+ this.client.mutateWith(csrf())
+ .post()
+ .uri("/login")
+ .contentType(MediaType.MULTIPART_FORM_DATA)
+ .body(BodyInserters.fromFormData(data))
+ .exchange()
+ .expectHeader()
+ .location("/login?error");
+ // first login should still be valid
+ this.client.mutateWith(csrf())
+ .get()
+ .uri("/")
+ .cookie(userFirstLoginSessionCookie.getName(), userFirstLoginSessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isOk();
+ ResponseCookie adminSecondLoginSessionCookie = loginReturningCookie(adminCreds);
+ this.client.mutateWith(csrf())
+ .get()
+ .uri("/")
+ .cookie(adminFirstLoginSessionCookie.getName(), adminFirstLoginSessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isOk();
+ this.client.mutateWith(csrf())
+ .get()
+ .uri("/")
+ .cookie(adminSecondLoginSessionCookie.getName(), adminSecondLoginSessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isOk();
+ }
+
+ @Test
+ void loginWhenMaxSessionDoesNotPreventLoginThenSecondLoginSucceedsAndFirstSessionIsInvalidated() {
+ ConcurrentSessionsMaxSessionPreventsLoginFalseConfig.sessionLimit = SessionLimit.of(1);
+ this.spring.register(ConcurrentSessionsMaxSessionPreventsLoginFalseConfig.class).autowire();
+
+ MultiValueMap data = new LinkedMultiValueMap<>();
+ data.add("username", "user");
+ data.add("password", "password");
+
+ ResponseCookie firstLoginSessionCookie = loginReturningCookie(data);
+ ResponseCookie secondLoginSessionCookie = loginReturningCookie(data);
+
+ // first login should not be valid
+ this.client.get()
+ .uri("/")
+ .cookie(firstLoginSessionCookie.getName(), firstLoginSessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isFound()
+ .expectHeader()
+ .location("/login");
+
+ // second login should be valid
+ this.client.get()
+ .uri("/")
+ .cookie(secondLoginSessionCookie.getName(), secondLoginSessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isOk();
+ }
+
+ @Test
+ void loginWhenMaxSessionDoesNotPreventLoginThenLeastRecentlyUsedSessionIsInvalidated() {
+ ConcurrentSessionsMaxSessionPreventsLoginFalseConfig.sessionLimit = SessionLimit.of(2);
+ this.spring.register(ConcurrentSessionsMaxSessionPreventsLoginFalseConfig.class).autowire();
+
+ MultiValueMap data = new LinkedMultiValueMap<>();
+ data.add("username", "user");
+ data.add("password", "password");
+
+ ResponseCookie firstLoginSessionCookie = loginReturningCookie(data);
+ ResponseCookie secondLoginSessionCookie = loginReturningCookie(data);
+
+ // update last access time for first request
+ this.client.get()
+ .uri("/")
+ .cookie(firstLoginSessionCookie.getName(), firstLoginSessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isOk();
+
+ ResponseCookie thirdLoginSessionCookie = loginReturningCookie(data);
+
+ // second login should be invalid, it is the least recently used session
+ this.client.get()
+ .uri("/")
+ .cookie(secondLoginSessionCookie.getName(), secondLoginSessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isFound()
+ .expectHeader()
+ .location("/login");
+
+ // first login should be valid
+ this.client.get()
+ .uri("/")
+ .cookie(firstLoginSessionCookie.getName(), firstLoginSessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isOk();
+
+ // third login should be valid
+ this.client.get()
+ .uri("/")
+ .cookie(thirdLoginSessionCookie.getName(), thirdLoginSessionCookie.getValue())
+ .exchange()
+ .expectStatus()
+ .isOk();
+ }
+
+ @Test
+ void oauth2LoginWhenMaxSessionsThenPreventLogin() {
+ OAuth2LoginConcurrentSessionsConfig.maxSessions = 1;
+ OAuth2LoginConcurrentSessionsConfig.preventLogin = true;
+ this.spring.register(OAuth2LoginConcurrentSessionsConfig.class).autowire();
+ prepareOAuth2Config();
+ // @formatter:off
+ ResponseCookie sessionCookie = this.client.get()
+ .uri("/login/oauth2/code/client-credentials")
+ .exchange()
+ .expectStatus().is3xxRedirection()
+ .expectHeader().valueEquals("Location", "/")
+ .expectCookie().exists("SESSION")
+ .returnResult(Void.class)
+ .getResponseCookies()
+ .getFirst("SESSION");
+
+ this.client.get()
+ .uri("/login/oauth2/code/client-credentials")
+ .exchange()
+ .expectHeader().location("/login?error");
+
+ this.client.get().uri("/")
+ .cookie(sessionCookie.getName(), sessionCookie.getValue())
+ .exchange()
+ .expectStatus().isOk()
+ .expectBody(String.class).isEqualTo("ok");
+ // @formatter:on
+ }
+
+ @Test
+ void loginWhenUnlimitedSessionsButSessionsInvalidatedManuallyThenInvalidates() {
+ ConcurrentSessionsMaxSessionPreventsLoginFalseConfig.sessionLimit = SessionLimit.UNLIMITED;
+ this.spring.register(ConcurrentSessionsMaxSessionPreventsLoginFalseConfig.class).autowire();
+ MultiValueMap data = new LinkedMultiValueMap<>();
+ data.add("username", "user");
+ data.add("password", "password");
+
+ ResponseCookie firstLogin = loginReturningCookie(data);
+ ResponseCookie secondLogin = loginReturningCookie(data);
+ this.client.get().uri("/").cookie(firstLogin.getName(), firstLogin.getValue()).exchange().expectStatus().isOk();
+ this.client.get()
+ .uri("/")
+ .cookie(secondLogin.getName(), secondLogin.getValue())
+ .exchange()
+ .expectStatus()
+ .isOk();
+ ReactiveSessionRegistry sessionRegistry = this.spring.getContext().getBean(ReactiveSessionRegistry.class);
+ sessionRegistry.getAllSessions(PasswordEncodedUser.user(), false)
+ .flatMap(ReactiveSessionInformation::invalidate)
+ .blockLast();
+ this.client.get()
+ .uri("/")
+ .cookie(firstLogin.getName(), firstLogin.getValue())
+ .exchange()
+ .expectStatus()
+ .isFound()
+ .expectHeader()
+ .location("/login");
+ this.client.get()
+ .uri("/")
+ .cookie(secondLogin.getName(), secondLogin.getValue())
+ .exchange()
+ .expectStatus()
+ .isFound()
+ .expectHeader()
+ .location("/login");
+ }
+
+ @Test
+ void oauth2LoginWhenMaxSessionDoesNotPreventLoginThenSecondLoginSucceedsAndFirstSessionIsInvalidated() {
+ OAuth2LoginConcurrentSessionsConfig.maxSessions = 1;
+ OAuth2LoginConcurrentSessionsConfig.preventLogin = false;
+ this.spring.register(OAuth2LoginConcurrentSessionsConfig.class).autowire();
+ prepareOAuth2Config();
+ // @formatter:off
+ ResponseCookie firstLoginCookie = this.client.get()
+ .uri("/login/oauth2/code/client-credentials")
+ .exchange()
+ .expectStatus().is3xxRedirection()
+ .expectHeader().valueEquals("Location", "/")
+ .expectCookie().exists("SESSION")
+ .returnResult(Void.class)
+ .getResponseCookies()
+ .getFirst("SESSION");
+ ResponseCookie secondLoginCookie = this.client.get()
+ .uri("/login/oauth2/code/client-credentials")
+ .exchange()
+ .expectStatus().is3xxRedirection()
+ .expectHeader().valueEquals("Location", "/")
+ .expectCookie().exists("SESSION")
+ .returnResult(Void.class)
+ .getResponseCookies()
+ .getFirst("SESSION");
+
+ this.client.get().uri("/")
+ .cookie(firstLoginCookie.getName(), firstLoginCookie.getValue())
+ .exchange()
+ .expectStatus().isFound()
+ .expectHeader().location("/login");
+
+ this.client.get().uri("/")
+ .cookie(secondLoginCookie.getName(), secondLoginCookie.getValue())
+ .exchange()
+ .expectStatus().isOk()
+ .expectBody(String.class).isEqualTo("ok");
+ // @formatter:on
+ }
+
+ @Test
+ void loginWhenAuthenticationSuccessHandlerOverriddenThenConcurrentSessionHandlersBackOff() {
+ this.spring.register(ConcurrentSessionsFormLoginOverrideAuthenticationSuccessHandlerConfig.class).autowire();
+ MultiValueMap data = new LinkedMultiValueMap<>();
+ data.add("username", "user");
+ data.add("password", "password");
+ // first login should be successful
+ login(data).expectStatus().isFound().expectHeader().location("/");
+ // second login should be successful, there should be no concurrent session
+ // control
+ login(data).expectStatus().isFound().expectHeader().location("/");
+ }
+
+ private void prepareOAuth2Config() {
+ OAuth2LoginConcurrentSessionsConfig config = this.spring.getContext()
+ .getBean(OAuth2LoginConcurrentSessionsConfig.class);
+ ServerAuthenticationConverter converter = config.authenticationConverter;
+ ReactiveAuthenticationManager manager = config.manager;
+ ServerOAuth2AuthorizationRequestResolver resolver = config.resolver;
+ OAuth2AuthorizationExchange exchange = TestOAuth2AuthorizationExchanges.success();
+ OAuth2User user = TestOAuth2Users.create();
+ OAuth2AccessToken accessToken = TestOAuth2AccessTokens.noScopes();
+ OAuth2LoginAuthenticationToken result = new OAuth2LoginAuthenticationToken(
+ TestClientRegistrations.clientRegistration().build(), exchange, user, user.getAuthorities(),
+ accessToken);
+ given(converter.convert(any())).willReturn(Mono.just(new TestingAuthenticationToken("a", "b", "c")));
+ given(manager.authenticate(any())).willReturn(Mono.just(result));
+ given(resolver.resolve(any())).willReturn(Mono.empty());
+ }
+
+ private ResponseCookie loginReturningCookie(MultiValueMap data) {
+ return login(data).expectCookie()
+ .exists("SESSION")
+ .returnResult(Void.class)
+ .getResponseCookies()
+ .getFirst("SESSION");
+ }
+
+ private WebTestClient.ResponseSpec login(MultiValueMap data) {
+ return this.client.mutateWith(csrf())
+ .post()
+ .uri("/login")
+ .contentType(MediaType.MULTIPART_FORM_DATA)
+ .body(BodyInserters.fromFormData(data))
+ .exchange();
+ }
+
+ @Configuration
+ @EnableWebFlux
+ @EnableWebFluxSecurity
+ @Import(Config.class)
+ static class ConcurrentSessionsMaxSessionPreventsLoginConfig {
+
+ static SessionLimit sessionLimit = SessionLimit.of(1);
+
+ @Bean
+ SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
+ // @formatter:off
+ http
+ .authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated())
+ .formLogin(Customizer.withDefaults())
+ .sessionManagement((sessionManagement) -> sessionManagement
+ .concurrentSessions((concurrentSessions) -> concurrentSessions
+ .maximumSessions(sessionLimit)
+ .maximumSessionsExceededHandler(new PreventLoginServerMaximumSessionsExceededHandler())
+ )
+ );
+ // @formatter:on
+ return http.build();
+ }
+
+ }
+
+ @Configuration
+ @EnableWebFlux
+ @EnableWebFluxSecurity
+ @Import(Config.class)
+ static class OAuth2LoginConcurrentSessionsConfig {
+
+ static int maxSessions = 1;
+
+ static boolean preventLogin = true;
+
+ ReactiveAuthenticationManager manager = mock(ReactiveAuthenticationManager.class);
+
+ ServerAuthenticationConverter authenticationConverter = mock(ServerAuthenticationConverter.class);
+
+ ServerOAuth2AuthorizationRequestResolver resolver = mock(ServerOAuth2AuthorizationRequestResolver.class);
+
+ ServerAuthenticationSuccessHandler successHandler = mock(ServerAuthenticationSuccessHandler.class);
+
+ @Bean
+ SecurityWebFilterChain springSecurityFilter(ServerHttpSecurity http) {
+ // @formatter:off
+ http
+ .authorizeExchange((exchanges) -> exchanges
+ .anyExchange().authenticated()
+ )
+ .oauth2Login((oauth2Login) -> oauth2Login
+ .authenticationConverter(this.authenticationConverter)
+ .authenticationManager(this.manager)
+ .authorizationRequestResolver(this.resolver)
+ )
+ .sessionManagement((sessionManagement) -> sessionManagement
+ .concurrentSessions((concurrentSessions) -> concurrentSessions
+ .maximumSessions(SessionLimit.of(maxSessions))
+ .maximumSessionsExceededHandler(preventLogin
+ ? new PreventLoginServerMaximumSessionsExceededHandler()
+ : new InvalidateLeastUsedServerMaximumSessionsExceededHandler())
+ )
+ );
+ // @formatter:on
+ return http.build();
+ }
+
+ @Bean
+ InMemoryReactiveClientRegistrationRepository clientRegistrationRepository() {
+ return new InMemoryReactiveClientRegistrationRepository(
+ TestClientRegistrations.clientCredentials().build());
+ }
+
+ }
+
+ @Configuration
+ @EnableWebFlux
+ @EnableWebFluxSecurity
+ @Import(Config.class)
+ static class ConcurrentSessionsMaxSessionPreventsLoginFalseConfig {
+
+ static SessionLimit sessionLimit = SessionLimit.of(1);
+
+ @Bean
+ SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
+ // @formatter:off
+ http
+ .authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated())
+ .formLogin(Customizer.withDefaults())
+ .sessionManagement((sessionManagement) -> sessionManagement
+ .concurrentSessions((concurrentSessions) -> concurrentSessions
+ .maximumSessions(sessionLimit)
+ )
+ );
+ // @formatter:on
+ return http.build();
+ }
+
+ }
+
+ @Configuration
+ @EnableWebFlux
+ @EnableWebFluxSecurity
+ @Import(Config.class)
+ static class ConcurrentSessionsFormLoginOverrideAuthenticationSuccessHandlerConfig {
+
+ @Bean
+ SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
+ // @formatter:off
+ http
+ .authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated())
+ .formLogin((login) -> login
+ .authenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler("/"))
+ )
+ .sessionManagement((sessionManagement) -> sessionManagement
+ .concurrentSessions((concurrentSessions) -> concurrentSessions
+ .maximumSessions(SessionLimit.of(1))
+ .maximumSessionsExceededHandler(new PreventLoginServerMaximumSessionsExceededHandler())
+ )
+ );
+ // @formatter:on
+ return http.build();
+ }
+
+ }
+
+ @Configuration
+ @EnableWebFlux
+ @EnableWebFluxSecurity
+ @Import(Config.class)
+ static class ConcurrentSessionsHttpBasicWithWebSessionMaxSessionPreventsLoginConfig {
+
+ @Bean
+ SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
+ // @formatter:off
+ http
+ .authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated())
+ .httpBasic((basic) -> basic
+ .securityContextRepository(new WebSessionServerSecurityContextRepository())
+ )
+ .sessionManagement((sessionManagement) -> sessionManagement
+ .concurrentSessions((concurrentSessions) -> concurrentSessions
+ .maximumSessions(SessionLimit.of(1))
+ .maximumSessionsExceededHandler(new PreventLoginServerMaximumSessionsExceededHandler())
+ )
+ );
+ // @formatter:on
+ return http.build();
+ }
+
+ }
+
+ @Configuration
+ @Import({ ReactiveAuthenticationTestConfiguration.class, DefaultController.class })
+ static class Config {
+
+ @Bean(WebHttpHandlerBuilder.WEB_SESSION_MANAGER_BEAN_NAME)
+ DefaultWebSessionManager webSessionManager() {
+ return new DefaultWebSessionManager();
+ }
+
+ @Bean
+ ReactiveSessionRegistry reactiveSessionRegistry(DefaultWebSessionManager webSessionManager) {
+ return new WebSessionStoreReactiveSessionRegistry(webSessionManager.getSessionStore());
+ }
+
+ }
+
+ @RestController
+ static class DefaultController {
+
+ @GetMapping("/")
+ String index() {
+ return "ok";
+ }
+
+ }
+
+}
diff --git a/config/src/test/kotlin/org/springframework/security/config/web/server/ServerSessionManagementDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/web/server/ServerSessionManagementDslTests.kt
new file mode 100644
index 0000000000..eda22ac6be
--- /dev/null
+++ b/config/src/test/kotlin/org/springframework/security/config/web/server/ServerSessionManagementDslTests.kt
@@ -0,0 +1,283 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server
+
+import org.junit.Test
+import org.junit.jupiter.api.extension.ExtendWith
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.context.ApplicationContext
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.Import
+import org.springframework.http.MediaType
+import org.springframework.http.ResponseCookie
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
+import org.springframework.security.config.test.SpringTestContext
+import org.springframework.security.config.test.SpringTestContextExtension
+import org.springframework.security.config.users.ReactiveAuthenticationTestConfiguration
+import org.springframework.security.core.session.ReactiveSessionRegistry
+import org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers
+import org.springframework.security.web.server.SecurityWebFilterChain
+import org.springframework.security.web.server.authentication.InvalidateLeastUsedServerMaximumSessionsExceededHandler
+import org.springframework.security.web.server.authentication.PreventLoginServerMaximumSessionsExceededHandler
+import org.springframework.security.web.server.authentication.SessionLimit
+import org.springframework.security.web.session.WebSessionStoreReactiveSessionRegistry
+import org.springframework.test.web.reactive.server.WebTestClient
+import org.springframework.util.LinkedMultiValueMap
+import org.springframework.util.MultiValueMap
+import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.RestController
+import org.springframework.web.reactive.config.EnableWebFlux
+import org.springframework.web.reactive.function.BodyInserters
+import org.springframework.web.server.adapter.WebHttpHandlerBuilder
+import org.springframework.web.server.session.DefaultWebSessionManager
+import reactor.core.publisher.Mono
+
+/**
+ * Tests for [ServerSessionManagementDsl]
+ *
+ * @author Marcus da Coregio
+ */
+@ExtendWith(SpringTestContextExtension::class)
+class ServerSessionManagementDslTests {
+
+ @JvmField
+ val spring = SpringTestContext(this)
+
+ private lateinit var client: WebTestClient
+
+ @Autowired
+ fun setup(context: ApplicationContext) {
+ this.client = WebTestClient
+ .bindToApplicationContext(context)
+ .configureClient()
+ .build()
+ }
+
+ @Test
+ fun `login when max sessions prevent login then second login fails`() {
+ this.spring.register(ConcurrentSessionsMaxSessionPreventsLoginTrueConfig::class.java).autowire()
+
+ val data: MultiValueMap = LinkedMultiValueMap()
+ data.add("username", "user")
+ data.add("password", "password")
+
+ val firstLoginSessionCookie = loginReturningCookie(data)
+
+ // second login should fail
+ this.client.mutateWith(SecurityMockServerConfigurers.csrf())
+ .post()
+ .uri("/login")
+ .contentType(MediaType.MULTIPART_FORM_DATA)
+ .body(BodyInserters.fromFormData(data))
+ .exchange()
+ .expectHeader()
+ .location("/login?error")
+
+ // first login should still be valid
+ this.client.mutateWith(SecurityMockServerConfigurers.csrf())
+ .get()
+ .uri("/")
+ .cookie(firstLoginSessionCookie!!.name, firstLoginSessionCookie.value)
+ .exchange()
+ .expectStatus()
+ .isOk()
+ }
+
+ @Test
+ fun `login when max sessions does not prevent login then seconds login succeeds and first session is invalidated`() {
+ ConcurrentSessionsMaxSessionPreventsLoginFalseConfig.maxSessions = 1
+ this.spring.register(SessionManagementSpecTests.ConcurrentSessionsMaxSessionPreventsLoginFalseConfig::class.java)
+ .autowire()
+
+ val data: MultiValueMap = LinkedMultiValueMap()
+ data.add("username", "user")
+ data.add("password", "password")
+
+ val firstLoginSessionCookie = loginReturningCookie(data)
+ val secondLoginSessionCookie = loginReturningCookie(data)
+
+ // first login should not be valid
+ this.client.get()
+ .uri("/")
+ .cookie(firstLoginSessionCookie!!.name, firstLoginSessionCookie.value)
+ .exchange()
+ .expectStatus()
+ .isFound()
+ .expectHeader()
+ .location("/login")
+
+ // second login should be valid
+ this.client.get()
+ .uri("/")
+ .cookie(secondLoginSessionCookie!!.name, secondLoginSessionCookie.value)
+ .exchange()
+ .expectStatus()
+ .isOk()
+ }
+
+ @Test
+ fun `login when max sessions does not prevent login then least recently used session is invalidated`() {
+ ConcurrentSessionsMaxSessionPreventsLoginFalseConfig.maxSessions = 2
+ this.spring.register(ConcurrentSessionsMaxSessionPreventsLoginFalseConfig::class.java).autowire()
+ val data: MultiValueMap = LinkedMultiValueMap()
+ data.add("username", "user")
+ data.add("password", "password")
+ val firstLoginSessionCookie = loginReturningCookie(data)
+ val secondLoginSessionCookie = loginReturningCookie(data)
+
+ // update last access time for first request
+ this.client.get()
+ .uri("/")
+ .cookie(firstLoginSessionCookie!!.name, firstLoginSessionCookie.value)
+ .exchange()
+ .expectStatus()
+ .isOk()
+ val thirdLoginSessionCookie = loginReturningCookie(data)
+
+ // second login should be invalid, it is the least recently used session
+ this.client.get()
+ .uri("/")
+ .cookie(secondLoginSessionCookie!!.name, secondLoginSessionCookie.value)
+ .exchange()
+ .expectStatus()
+ .isFound()
+ .expectHeader()
+ .location("/login")
+
+ // first login should be valid
+ this.client.get()
+ .uri("/")
+ .cookie(firstLoginSessionCookie.name, firstLoginSessionCookie.value)
+ .exchange()
+ .expectStatus()
+ .isOk()
+
+ // third login should be valid
+ this.client.get()
+ .uri("/")
+ .cookie(thirdLoginSessionCookie!!.name, thirdLoginSessionCookie.value)
+ .exchange()
+ .expectStatus()
+ .isOk()
+ }
+
+ private fun loginReturningCookie(data: MultiValueMap): ResponseCookie? {
+ return login(data).expectCookie()
+ .exists("SESSION")
+ .returnResult(Void::class.java)
+ .responseCookies
+ .getFirst("SESSION")
+ }
+
+ private fun login(data: MultiValueMap): WebTestClient.ResponseSpec {
+ return client.mutateWith(SecurityMockServerConfigurers.csrf())
+ .post()
+ .uri("/login")
+ .contentType(MediaType.MULTIPART_FORM_DATA)
+ .body(BodyInserters.fromFormData(data))
+ .exchange()
+ .expectStatus()
+ .is3xxRedirection()
+ .expectHeader()
+ .location("/")
+ }
+
+ @Configuration
+ @EnableWebFlux
+ @EnableWebFluxSecurity
+ @Import(Config::class)
+ open class ConcurrentSessionsMaxSessionPreventsLoginFalseConfig {
+
+ companion object {
+ var maxSessions = 1
+ }
+
+ @Bean
+ open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ authorizeExchange {
+ authorize(anyExchange, authenticated)
+ }
+ formLogin { }
+ sessionManagement {
+ sessionConcurrency {
+ maximumSessions = SessionLimit.of(maxSessions)
+ maximumSessionsExceededHandler = InvalidateLeastUsedServerMaximumSessionsExceededHandler()
+ }
+ }
+ }
+ }
+
+ }
+
+ @Configuration
+ @EnableWebFlux
+ @EnableWebFluxSecurity
+ @Import(Config::class)
+ open class ConcurrentSessionsMaxSessionPreventsLoginTrueConfig {
+
+ @Bean
+ open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ authorizeExchange {
+ authorize(anyExchange, authenticated)
+ }
+ formLogin { }
+ sessionManagement {
+ sessionConcurrency {
+ maximumSessions = SessionLimit.of(1)
+ maximumSessionsExceededHandler =
+ PreventLoginServerMaximumSessionsExceededHandler()
+ }
+ }
+ }
+ }
+
+ }
+
+ @Configuration
+ @Import(
+ ReactiveAuthenticationTestConfiguration::class,
+ DefaultController::class
+ )
+ open class Config {
+
+ @Bean(WebHttpHandlerBuilder.WEB_SESSION_MANAGER_BEAN_NAME)
+ open fun webSessionManager(): DefaultWebSessionManager {
+ return DefaultWebSessionManager()
+ }
+
+ @Bean
+ open fun reactiveSessionRegistry(webSessionManager: DefaultWebSessionManager): ReactiveSessionRegistry {
+ return WebSessionStoreReactiveSessionRegistry(webSessionManager.sessionStore)
+ }
+
+ }
+
+ @RestController
+ open class DefaultController {
+
+ @GetMapping("/")
+ fun index(): String {
+ return "ok"
+ }
+
+ }
+
+
+}
diff --git a/core/src/main/java/org/springframework/security/core/session/InMemoryReactiveSessionRegistry.java b/core/src/main/java/org/springframework/security/core/session/InMemoryReactiveSessionRegistry.java
new file mode 100644
index 0000000000..046a039505
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/core/session/InMemoryReactiveSessionRegistry.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core.session;
+
+import java.util.Collections;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import java.util.concurrent.CopyOnWriteArraySet;
+
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+/**
+ * Provides an in-memory implementation of {@link ReactiveSessionRegistry}.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+public class InMemoryReactiveSessionRegistry implements ReactiveSessionRegistry {
+
+ private final ConcurrentMap> sessionIdsByPrincipal;
+
+ private final Map sessionById;
+
+ public InMemoryReactiveSessionRegistry() {
+ this.sessionIdsByPrincipal = new ConcurrentHashMap<>();
+ this.sessionById = new ConcurrentHashMap<>();
+ }
+
+ public InMemoryReactiveSessionRegistry(ConcurrentMap> sessionIdsByPrincipal,
+ Map sessionById) {
+ this.sessionIdsByPrincipal = sessionIdsByPrincipal;
+ this.sessionById = sessionById;
+ }
+
+ @Override
+ public Flux getAllSessions(Object principal, boolean includeExpiredSessions) {
+ return Flux.fromIterable(this.sessionIdsByPrincipal.getOrDefault(principal, Collections.emptySet()))
+ .map(this.sessionById::get)
+ .filter((sessionInformation) -> includeExpiredSessions || !sessionInformation.isExpired());
+ }
+
+ @Override
+ public Mono saveSessionInformation(ReactiveSessionInformation information) {
+ this.sessionById.put(information.getSessionId(), information);
+ this.sessionIdsByPrincipal.computeIfAbsent(information.getPrincipal(), (key) -> new CopyOnWriteArraySet<>())
+ .add(information.getSessionId());
+ return Mono.empty();
+ }
+
+ @Override
+ public Mono getSessionInformation(String sessionId) {
+ return Mono.justOrEmpty(this.sessionById.get(sessionId));
+ }
+
+ @Override
+ public Mono removeSessionInformation(String sessionId) {
+ return getSessionInformation(sessionId).doOnNext((sessionInformation) -> {
+ this.sessionById.remove(sessionId);
+ Set sessionsUsedByPrincipal = this.sessionIdsByPrincipal.get(sessionInformation.getPrincipal());
+ if (sessionsUsedByPrincipal != null) {
+ sessionsUsedByPrincipal.remove(sessionId);
+ if (sessionsUsedByPrincipal.isEmpty()) {
+ this.sessionIdsByPrincipal.remove(sessionInformation.getPrincipal());
+ }
+ }
+ });
+ }
+
+ @Override
+ public Mono updateLastAccessTime(String sessionId) {
+ ReactiveSessionInformation session = this.sessionById.get(sessionId);
+ if (session != null) {
+ return session.refreshLastRequest().thenReturn(session);
+ }
+ return Mono.empty();
+ }
+
+}
diff --git a/core/src/main/java/org/springframework/security/core/session/ReactiveSessionInformation.java b/core/src/main/java/org/springframework/security/core/session/ReactiveSessionInformation.java
new file mode 100644
index 0000000000..6ebfdb9141
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/core/session/ReactiveSessionInformation.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core.session;
+
+import java.io.Serial;
+import java.io.Serializable;
+import java.time.Instant;
+
+import reactor.core.publisher.Mono;
+
+import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.util.Assert;
+
+public class ReactiveSessionInformation implements Serializable {
+
+ @Serial
+ private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
+ private Instant lastAccessTime;
+
+ private final Object principal;
+
+ private final String sessionId;
+
+ private boolean expired = false;
+
+ public ReactiveSessionInformation(Object principal, String sessionId, Instant lastAccessTime) {
+ Assert.notNull(principal, "principal cannot be null");
+ Assert.hasText(sessionId, "sessionId cannot be null");
+ Assert.notNull(lastAccessTime, "lastAccessTime cannot be null");
+ this.principal = principal;
+ this.sessionId = sessionId;
+ this.lastAccessTime = lastAccessTime;
+ }
+
+ public ReactiveSessionInformation withSessionId(String sessionId) {
+ return new ReactiveSessionInformation(this.principal, sessionId, this.lastAccessTime);
+ }
+
+ public Mono invalidate() {
+ return Mono.fromRunnable(() -> this.expired = true);
+ }
+
+ public Mono refreshLastRequest() {
+ this.lastAccessTime = Instant.now();
+ return Mono.empty();
+ }
+
+ public Instant getLastAccessTime() {
+ return this.lastAccessTime;
+ }
+
+ public Object getPrincipal() {
+ return this.principal;
+ }
+
+ public String getSessionId() {
+ return this.sessionId;
+ }
+
+ public boolean isExpired() {
+ return this.expired;
+ }
+
+ public void setLastAccessTime(Instant lastAccessTime) {
+ this.lastAccessTime = lastAccessTime;
+ }
+
+}
diff --git a/core/src/main/java/org/springframework/security/core/session/ReactiveSessionRegistry.java b/core/src/main/java/org/springframework/security/core/session/ReactiveSessionRegistry.java
new file mode 100644
index 0000000000..b5da453164
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/core/session/ReactiveSessionRegistry.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core.session;
+
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+/**
+ * Maintains a registry of {@link ReactiveSessionInformation} instances.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+public interface ReactiveSessionRegistry {
+
+ /**
+ * Gets all the known {@link ReactiveSessionInformation} instances for the specified
+ * principal.
+ * @param principal the principal
+ * @return the {@link ReactiveSessionInformation} instances associated with the
+ * principal
+ */
+ Flux getAllSessions(Object principal, boolean includeExpiredSessions);
+
+ /**
+ * Saves the {@link ReactiveSessionInformation}
+ * @param information the {@link ReactiveSessionInformation} to save
+ * @return a {@link Mono} that completes when the session is saved
+ */
+ Mono saveSessionInformation(ReactiveSessionInformation information);
+
+ /**
+ * Gets the {@link ReactiveSessionInformation} for the specified session identifier.
+ * @param sessionId the session identifier
+ * @return the {@link ReactiveSessionInformation} for the session.
+ */
+ Mono getSessionInformation(String sessionId);
+
+ /**
+ * Removes the specified session from the registry.
+ * @param sessionId the session identifier
+ * @return a {@link Mono} that completes when the session is removed
+ */
+ Mono removeSessionInformation(String sessionId);
+
+ /**
+ * Updates the last accessed time of the {@link ReactiveSessionInformation}
+ * @param sessionId the session identifier
+ * @return a {@link Mono} that completes when the session is updated
+ */
+ Mono updateLastAccessTime(String sessionId);
+
+}
diff --git a/docs/modules/ROOT/nav.adoc b/docs/modules/ROOT/nav.adoc
index bc29759352..9dd4779406 100644
--- a/docs/modules/ROOT/nav.adoc
+++ b/docs/modules/ROOT/nav.adoc
@@ -129,6 +129,8 @@
** Authentication
*** xref:reactive/authentication/x509.adoc[X.509 Authentication]
*** xref:reactive/authentication/logout.adoc[Logout]
+*** Session Management
+**** xref:reactive/authentication/concurrent-sessions-control.adoc[Concurrent Sessions Control]
** Authorization
*** xref:reactive/authorization/authorize-http-requests.adoc[Authorize HTTP Requests]
*** xref:reactive/authorization/method.adoc[EnableReactiveMethodSecurity]
diff --git a/docs/modules/ROOT/pages/reactive/authentication/concurrent-sessions-control.adoc b/docs/modules/ROOT/pages/reactive/authentication/concurrent-sessions-control.adoc
new file mode 100644
index 0000000000..480c269381
--- /dev/null
+++ b/docs/modules/ROOT/pages/reactive/authentication/concurrent-sessions-control.adoc
@@ -0,0 +1,465 @@
+[[reactive-concurrent-sessions-control]]
+= Concurrent Sessions Control
+
+Similar to xref:servlet/authentication/session-management.adoc#ns-concurrent-sessions[Servlet's Concurrent Sessions Control], Spring Security also provides support to limit the number of concurrent sessions a user can have in a Reactive application.
+
+When you set up Concurrent Sessions Control in Spring Security, it monitors authentications carried out through Form Login, xref:reactive/oauth2/login/index.adoc[OAuth 2.0 Login], and HTTP Basic authentication by hooking into the way those authentication mechanisms handle authentication success.
+More specifically, the session management DSL will add the {security-api-url}org/springframework/security/web/server/authentication/ConcurrentSessionControlServerAuthenticationSuccessHandler.html[ConcurrentSessionControlServerAuthenticationSuccessHandler] and the {security-api-url}org/springframework/security/web/server/authentication/RegisterSessionServerAuthenticationSuccessHandler.html[RegisterSessionServerAuthenticationSuccessHandler] to the list of `ServerAuthenticationSuccessHandler` used by the authentication filter.
+
+The following sections contains examples of how to configure Concurrent Sessions Control.
+
+* <>
+* <>
+* <>
+* <>
+* <>
+
+[[reactive-concurrent-sessions-control-limit]]
+== Limiting Concurrent Sessions
+
+By default, Spring Security will allow any number of concurrent sessions for a user.
+To limit the number of concurrent sessions, you can use the `maximumSessions` DSL method:
+
+.Configuring one session for any user
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .sessionManagement((sessions) -> sessions
+ .concurrentSessions((concurrency) -> concurrency
+ .maximumSessions(SessionLimit.of(1))
+ );
+ return http.build();
+}
+
+@Bean
+ReactiveSessionRegistry reactiveSessionRegistry(WebSessionManager webSessionManager) {
+ return new WebSessionStoreReactiveSessionRegistry(((DefaultWebSessionManager) webSessionManager).getSessionStore());
+}
+----
+
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ sessionManagement {
+ sessionConcurrency {
+ maximumSessions = SessionLimit.of(1)
+ }
+ }
+ }
+}
+@Bean
+open fun reactiveSessionRegistry(webSessionManager: WebSessionManager): ReactiveSessionRegistry {
+ return WebSessionStoreReactiveSessionRegistry((webSessionManager as DefaultWebSessionManager).sessionStore)
+}
+----
+======
+
+The above configuration allows one session for any user.
+Similarly, you can also allow unlimited sessions by using the `SessionLimit#UNLIMITED` constant:
+
+.Configuring unlimited sessions
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .sessionManagement((sessions) -> sessions
+ .concurrentSessions((concurrency) -> concurrency
+ .maximumSessions(SessionLimit.UNLIMITED))
+ );
+ return http.build();
+}
+
+@Bean
+ReactiveSessionRegistry reactiveSessionRegistry(WebSessionManager webSessionManager) {
+ return new WebSessionStoreReactiveSessionRegistry(((DefaultWebSessionManager) webSessionManager).getSessionStore());
+}
+----
+
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ sessionManagement {
+ sessionConcurrency {
+ maximumSessions = SessionLimit.UNLIMITED
+ }
+ }
+ }
+}
+@Bean
+open fun reactiveSessionRegistry(webSessionManager: WebSessionManager): ReactiveSessionRegistry {
+ return WebSessionStoreReactiveSessionRegistry((webSessionManager as DefaultWebSessionManager).sessionStore)
+}
+----
+======
+
+Since the `maximumSessions` method accepts a `SessionLimit` interface, which in turn extends `Function>`, you can have a more complex logic to determine the maximum number of sessions based on the user's authentication:
+
+.Configuring maximumSessions based on `Authentication`
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .sessionManagement((sessions) -> sessions
+ .concurrentSessions((concurrency) -> concurrency
+ .maximumSessions(maxSessions()))
+ );
+ return http.build();
+}
+
+private SessionLimit maxSessions() {
+ return (authentication) -> {
+ if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_UNLIMITED_SESSIONS"))) {
+ return Mono.empty(); // allow unlimited sessions for users with ROLE_UNLIMITED_SESSIONS
+ }
+ if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN"))) {
+ return Mono.just(2); // allow two sessions for admins
+ }
+ return Mono.just(1); // allow one session for every other user
+ };
+}
+
+@Bean
+ReactiveSessionRegistry reactiveSessionRegistry(WebSessionManager webSessionManager) {
+ return new WebSessionStoreReactiveSessionRegistry(((DefaultWebSessionManager) webSessionManager).getSessionStore());
+}
+----
+
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ sessionManagement {
+ sessionConcurrency {
+ maximumSessions = maxSessions()
+ }
+ }
+ }
+}
+
+fun maxSessions(): SessionLimit {
+ return { authentication ->
+ if (authentication.authorities.contains(SimpleGrantedAuthority("ROLE_UNLIMITED_SESSIONS"))) Mono.empty
+ if (authentication.authorities.contains(SimpleGrantedAuthority("ROLE_ADMIN"))) Mono.just(2)
+ Mono.just(1)
+ }
+}
+
+@Bean
+open fun reactiveSessionRegistry(webSessionManager: WebSessionManager): ReactiveSessionRegistry {
+ return WebSessionStoreReactiveSessionRegistry((webSessionManager as DefaultWebSessionManager).sessionStore)
+}
+----
+======
+
+When the maximum number of sessions is exceeded, by default, the least recently used session(s) will be expired.
+If you want to change that behavior, you can <>.
+
+[[concurrent-sessions-control-custom-strategy]]
+== Handling Maximum Number of Sessions Exceeded
+
+By default, when the maximum number of sessions is exceeded, the least recently used session(s) will be expired by using the {security-api-url}org/springframework/security/web/server/authentication/session/InvalidateLeastUsedMaximumSessionsExceededHandler.html[InvalidateLeastUsedMaximumSessionsExceededHandler].
+Spring Security also provides another implementation that prevents the user from creating new sessions by using the {security-api-url}org/springframework/security/web/server/authentication/session/PreventLoginMaximumSessionsExceededHandler.html[PreventLoginMaximumSessionsExceededHandler].
+If you want to use your own strategy, you can provide a different implementation of {security-api-url}org/springframework/security/web/server/authentication/session/ServerMaximumSessionsExceededHandler.html[ServerMaximumSessionsExceededHandler].
+
+.Configuring maximumSessionsExceededHandler
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .sessionManagement((sessions) -> sessions
+ .concurrentSessions((concurrency) -> concurrency
+ .maximumSessions(SessionLimit.of(1))
+ .maximumSessionsExceededHandler(new PreventLoginMaximumSessionsExceededHandler())
+ )
+ );
+ return http.build();
+}
+
+@Bean
+ReactiveSessionRegistry reactiveSessionRegistry(WebSessionManager webSessionManager) {
+ return new WebSessionStoreReactiveSessionRegistry(((DefaultWebSessionManager) webSessionManager).getSessionStore());
+}
+----
+
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ sessionManagement {
+ sessionConcurrency {
+ maximumSessions = SessionLimit.of(1)
+ maximumSessionsExceededHandler = PreventLoginMaximumSessionsExceededHandler()
+ }
+ }
+ }
+}
+
+@Bean
+open fun reactiveSessionRegistry(webSessionManager: WebSessionManager): ReactiveSessionRegistry {
+ return WebSessionStoreReactiveSessionRegistry((webSessionManager as DefaultWebSessionManager).sessionStore)
+}
+----
+======
+
+[[reactive-concurrent-sessions-control-specify-session-registry]]
+== Specifying a `ReactiveSessionRegistry`
+
+In order to keep track of the user's sessions, Spring Security uses a {security-api-url}org/springframework/security/core/session/ReactiveSessionRegistry.html[ReactiveSessionRegistry], and, every time a user logs in, their session information is saved.
+Typically, in a Spring WebFlux application, you will use the {security-api-url}/org/springframework/security/web/session/WebSessionStoreReactiveSessionRegistry.html[WebSessionStoreReactiveSessionRegistry] which makes sure that the `WebSession` is invalidated whenever the `ReactiveSessionInformation` is invalidated.
+
+Spring Security ships with {security-api-url}/org/springframework/security/web/session/WebSessionStoreReactiveSessionRegistry.html[WebSessionStoreReactiveSessionRegistry] and {security-api-url}org/springframework/security/core/session/InMemoryReactiveSessionRegistry.html[InMemoryReactiveSessionRegistry] implementations of `ReactiveSessionRegistry`.
+
+[NOTE]
+====
+When creating the `WebSessionStoreReactiveSessionRegistry`, you need to provide the `WebSessionStore` that is being used by your application.
+If you are using Spring WebFlux, you can use the `WebSessionManager` bean (which is usually an instance of `DefaultWebSessionManager`) to get the `WebSessionStore`.
+====
+
+To specify a `ReactiveSessionRegistry` implementation you can either declare it as a bean:
+
+.ReactiveSessionRegistry as a Bean
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .sessionManagement((sessions) -> sessions
+ .concurrentSessions((concurrency) -> concurrency
+ .maximumSessions(SessionLimit.of(1))
+ )
+ );
+ return http.build();
+}
+
+@Bean
+ReactiveSessionRegistry reactiveSessionRegistry() {
+ return new InMemoryReactiveSessionRegistry();
+}
+----
+
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ sessionManagement {
+ sessionConcurrency {
+ maximumSessions = SessionLimit.of(1)
+ }
+ }
+ }
+}
+
+@Bean
+open fun reactiveSessionRegistry(): ReactiveSessionRegistry {
+ return InMemoryReactiveSessionRegistry()
+}
+----
+======
+
+or you can use the `sessionRegistry` DSL method:
+
+.ReactiveSessionRegistry using sessionRegistry DSL method
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .sessionManagement((sessions) -> sessions
+ .concurrentSessions((concurrency) -> concurrency
+ .maximumSessions(SessionLimit.of(1))
+ .sessionRegistry(new InMemoryReactiveSessionRegistry())
+ )
+ );
+ return http.build();
+}
+----
+
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ sessionManagement {
+ sessionConcurrency {
+ maximumSessions = SessionLimit.of(1)
+ sessionRegistry = InMemoryReactiveSessionRegistry()
+ }
+ }
+ }
+}
+----
+======
+
+[[reactive-concurrent-sessions-control-manually-invalidating-sessions]]
+== Invalidating Registered User's Sessions
+
+At times, it is handy to be able to invalidate all or some of a user's sessions.
+For example, when a user changes their password, you may want to invalidate all of their sessions so that they are forced to log in again.
+To do that, you can use the `ReactiveSessionRegistry` bean to retrieve all the user's sessions and then invalidate them:
+
+.Using ReactiveSessionRegistry to invalidate sessions manually
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+public class SessionControl {
+ private final ReactiveSessionRegistry reactiveSessionRegistry;
+
+ public SessionControl(ReactiveSessionRegistry reactiveSessionRegistry) {
+ this.reactiveSessionRegistry = reactiveSessionRegistry;
+ }
+
+ public Mono invalidateSessions(String username) {
+ return this.reactiveSessionRegistry.getAllSessions(username)
+ .flatMap(ReactiveSessionInformation::invalidate)
+ .then();
+ }
+}
+----
+======
+
+[[disabling-for-authentication-filters]]
+== Disabling It for Some Authentication Filters
+
+By default, Concurrent Sessions Control will be configured automatically for Form Login, OAuth 2.0 Login, and HTTP Basic authentication as long as they do not specify an `ServerAuthenticationSuccessHandler` themselves.
+For example, the following configuration will disable Concurrent Sessions Control for Form Login:
+
+.Disabling Concurrent Sessions Control for Form Login
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .formLogin((login) -> login
+ .authenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler("/"))
+ )
+ .sessionManagement((sessions) -> sessions
+ .concurrentSessions((concurrency) -> concurrency
+ .maximumSessions(SessionLimit.of(1))
+ )
+ );
+ return http.build();
+}
+----
+
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ formLogin {
+ authenticationSuccessHandler = RedirectServerAuthenticationSuccessHandler("/")
+ }
+ sessionManagement {
+ sessionConcurrency {
+ maximumSessions = SessionLimit.of(1)
+ }
+ }
+ }
+}
+----
+======
+
+=== Adding Additional Success Handlers Without Disabling Concurrent Sessions Control
+
+You can also include additional `ServerAuthenticationSuccessHandler` instances to the list of handlers used by the authentication filter without disabling Concurrent Sessions Control.
+To do that you can use the `authenticationSuccessHandler(Consumer>)` method:
+
+.Adding additional handlers
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .formLogin((login) -> login
+ .authenticationSuccessHandler((handlers) -> handlers.add(new MyAuthenticationSuccessHandler()))
+ )
+ .sessionManagement((sessions) -> sessions
+ .concurrentSessions((concurrency) -> concurrency
+ .maximumSessions(SessionLimit.of(1))
+ )
+ );
+ return http.build();
+}
+----
+======
+
+[[concurrent-sessions-control-sample]]
+== Checking a Sample Application
+
+You can check the {gh-samples-url}/reactive/webflux/java/session-management/maximum-sessions[sample application here].
diff --git a/docs/modules/ROOT/pages/whats-new.adoc b/docs/modules/ROOT/pages/whats-new.adoc
index b7751f2f0b..f163563774 100644
--- a/docs/modules/ROOT/pages/whats-new.adoc
+++ b/docs/modules/ROOT/pages/whats-new.adoc
@@ -3,3 +3,7 @@
Spring Security 6.3 provides a number of new features.
Below are the highlights of the release.
+
+== Configuration
+
+- https://github.com/spring-projects/spring-security/issues/6192[gh-6192] - xref:reactive/authentication/concurrent-sessions-control.adoc[docs] Add Concurrent Sessions Control on WebFlux
diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/SessionAuthenticationException.java b/web/src/main/java/org/springframework/security/web/authentication/session/SessionAuthenticationException.java
index b4159f8e58..db1650b3a9 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/session/SessionAuthenticationException.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/session/SessionAuthenticationException.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -19,12 +19,15 @@ package org.springframework.security.web.authentication.session;
import org.springframework.security.core.AuthenticationException;
/**
- * Thrown by an SessionAuthenticationStrategy to indicate that an authentication
- * object is not valid for the current session, typically because the same user has
- * exceeded the number of sessions they are allowed to have concurrently.
+ * Thrown by an {@link SessionAuthenticationStrategy} or
+ * {@link ServerSessionAuthenticationStrategy} to indicate that an authentication object
+ * is not valid for the current session, typically because the same user has exceeded the
+ * number of sessions they are allowed to have concurrently.
*
* @author Luke Taylor
* @since 3.0
+ * @see SessionAuthenticationStrategy
+ * @see ServerSessionAuthenticationStrategy
*/
public class SessionAuthenticationException extends AuthenticationException {
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/ConcurrentSessionControlServerAuthenticationSuccessHandler.java b/web/src/main/java/org/springframework/security/web/server/authentication/ConcurrentSessionControlServerAuthenticationSuccessHandler.java
new file mode 100644
index 0000000000..d65951719f
--- /dev/null
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/ConcurrentSessionControlServerAuthenticationSuccessHandler.java
@@ -0,0 +1,111 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import java.util.List;
+
+import reactor.core.publisher.Mono;
+import reactor.util.function.Tuples;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.ReactiveSessionInformation;
+import org.springframework.security.core.session.ReactiveSessionRegistry;
+import org.springframework.security.web.server.WebFilterExchange;
+import org.springframework.util.Assert;
+import org.springframework.web.server.WebSession;
+
+/**
+ * Controls the number of sessions a user can have concurrently authenticated in an
+ * application. It also allows for customizing behaviour when an authentication attempt is
+ * made while the user already has the maximum number of sessions open. By default, it
+ * allows a maximum of 1 session per user, if the maximum is exceeded, the user's least
+ * recently used session(s) will be expired.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ * @see ServerMaximumSessionsExceededHandler
+ * @see RegisterSessionServerAuthenticationSuccessHandler
+ */
+public final class ConcurrentSessionControlServerAuthenticationSuccessHandler
+ implements ServerAuthenticationSuccessHandler {
+
+ private final ReactiveSessionRegistry sessionRegistry;
+
+ private SessionLimit sessionLimit = SessionLimit.of(1);
+
+ private ServerMaximumSessionsExceededHandler maximumSessionsExceededHandler = new InvalidateLeastUsedServerMaximumSessionsExceededHandler();
+
+ public ConcurrentSessionControlServerAuthenticationSuccessHandler(ReactiveSessionRegistry sessionRegistry) {
+ Assert.notNull(sessionRegistry, "sessionRegistry cannot be null");
+ this.sessionRegistry = sessionRegistry;
+ }
+
+ @Override
+ public Mono onAuthenticationSuccess(WebFilterExchange exchange, Authentication authentication) {
+ return this.sessionLimit.apply(authentication)
+ .flatMap((maxSessions) -> handleConcurrency(exchange, authentication, maxSessions));
+ }
+
+ private Mono handleConcurrency(WebFilterExchange exchange, Authentication authentication,
+ Integer maximumSessions) {
+ return this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false)
+ .collectList()
+ .flatMap((registeredSessions) -> exchange.getExchange()
+ .getSession()
+ .map((currentSession) -> Tuples.of(currentSession, registeredSessions)))
+ .flatMap((sessionTuple) -> {
+ WebSession currentSession = sessionTuple.getT1();
+ List registeredSessions = sessionTuple.getT2();
+ int registeredSessionsCount = registeredSessions.size();
+ if (registeredSessionsCount < maximumSessions) {
+ return Mono.empty();
+ }
+ if (registeredSessionsCount == maximumSessions) {
+ for (ReactiveSessionInformation registeredSession : registeredSessions) {
+ if (registeredSession.getSessionId().equals(currentSession.getId())) {
+ return Mono.empty();
+ }
+ }
+ }
+ return this.maximumSessionsExceededHandler
+ .handle(new MaximumSessionsContext(authentication, registeredSessions, maximumSessions));
+ });
+ }
+
+ /**
+ * Sets the strategy used to resolve the maximum number of sessions that are allowed
+ * for a specific {@link Authentication}. By default, it returns {@code 1} for any
+ * authentication.
+ * @param sessionLimit the {@link SessionLimit} to use
+ */
+ public void setSessionLimit(SessionLimit sessionLimit) {
+ Assert.notNull(sessionLimit, "sessionLimit cannot be null");
+ this.sessionLimit = sessionLimit;
+ }
+
+ /**
+ * Sets the {@link ServerMaximumSessionsExceededHandler} to use. The default is
+ * {@link InvalidateLeastUsedServerMaximumSessionsExceededHandler}.
+ * @param maximumSessionsExceededHandler the
+ * {@link ServerMaximumSessionsExceededHandler} to use
+ */
+ public void setMaximumSessionsExceededHandler(ServerMaximumSessionsExceededHandler maximumSessionsExceededHandler) {
+ Assert.notNull(maximumSessionsExceededHandler, "maximumSessionsExceededHandler cannot be null");
+ this.maximumSessionsExceededHandler = maximumSessionsExceededHandler;
+ }
+
+}
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/DelegatingServerAuthenticationSuccessHandler.java b/web/src/main/java/org/springframework/security/web/server/authentication/DelegatingServerAuthenticationSuccessHandler.java
index 851e80620a..d74ffed43c 100644
--- a/web/src/main/java/org/springframework/security/web/server/authentication/DelegatingServerAuthenticationSuccessHandler.java
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/DelegatingServerAuthenticationSuccessHandler.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -42,6 +42,16 @@ public class DelegatingServerAuthenticationSuccessHandler implements ServerAuthe
this.delegates = Arrays.asList(delegates);
}
+ /**
+ * Creates a new instance with the provided list of delegates
+ * @param delegates the {@link List} of {@link ServerAuthenticationSuccessHandler}
+ * @since 6.3
+ */
+ public DelegatingServerAuthenticationSuccessHandler(List delegates) {
+ Assert.notEmpty(delegates, "delegates cannot be null or empty");
+ this.delegates = delegates;
+ }
+
@Override
public Mono onAuthenticationSuccess(WebFilterExchange exchange, Authentication authentication) {
return Flux.fromIterable(this.delegates)
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/InvalidateLeastUsedServerMaximumSessionsExceededHandler.java b/web/src/main/java/org/springframework/security/web/server/authentication/InvalidateLeastUsedServerMaximumSessionsExceededHandler.java
new file mode 100644
index 0000000000..efc4a3b674
--- /dev/null
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/InvalidateLeastUsedServerMaximumSessionsExceededHandler.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import java.util.ArrayList;
+import java.util.Comparator;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+import org.springframework.core.log.LogMessage;
+import org.springframework.security.core.session.ReactiveSessionInformation;
+
+/**
+ * Implementation of {@link ServerMaximumSessionsExceededHandler} that invalidates the
+ * least recently used session(s). It only invalidates the amount of sessions that exceed
+ * the maximum allowed. For example, if the maximum was exceeded by 1, only the least
+ * recently used session will be invalidated.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+public final class InvalidateLeastUsedServerMaximumSessionsExceededHandler
+ implements ServerMaximumSessionsExceededHandler {
+
+ private final Log logger = LogFactory.getLog(getClass());
+
+ @Override
+ public Mono handle(MaximumSessionsContext context) {
+ List sessions = new ArrayList<>(context.getSessions());
+ sessions.sort(Comparator.comparing(ReactiveSessionInformation::getLastAccessTime));
+ int maximumSessionsExceededBy = sessions.size() - context.getMaximumSessionsAllowed() + 1;
+ List leastRecentlyUsedSessionsToInvalidate = sessions.subList(0,
+ maximumSessionsExceededBy);
+
+ return Flux.fromIterable(leastRecentlyUsedSessionsToInvalidate)
+ .doOnComplete(() -> this.logger
+ .debug(LogMessage.format("Invalidated %d least recently used sessions for authentication %s",
+ leastRecentlyUsedSessionsToInvalidate.size(), context.getAuthentication().getName())))
+ .flatMap(ReactiveSessionInformation::invalidate)
+ .then();
+ }
+
+}
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/MaximumSessionsContext.java b/web/src/main/java/org/springframework/security/web/server/authentication/MaximumSessionsContext.java
new file mode 100644
index 0000000000..0875051b78
--- /dev/null
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/MaximumSessionsContext.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.ReactiveSessionInformation;
+
+public final class MaximumSessionsContext {
+
+ private final Authentication authentication;
+
+ private final List sessions;
+
+ private final int maximumSessionsAllowed;
+
+ public MaximumSessionsContext(Authentication authentication, List sessions,
+ int maximumSessionsAllowed) {
+ this.authentication = authentication;
+ this.sessions = sessions;
+ this.maximumSessionsAllowed = maximumSessionsAllowed;
+ }
+
+ public Authentication getAuthentication() {
+ return this.authentication;
+ }
+
+ public List getSessions() {
+ return this.sessions;
+ }
+
+ public int getMaximumSessionsAllowed() {
+ return this.maximumSessionsAllowed;
+ }
+
+}
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/PreventLoginServerMaximumSessionsExceededHandler.java b/web/src/main/java/org/springframework/security/web/server/authentication/PreventLoginServerMaximumSessionsExceededHandler.java
new file mode 100644
index 0000000000..a98f8795e6
--- /dev/null
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/PreventLoginServerMaximumSessionsExceededHandler.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import reactor.core.publisher.Mono;
+
+import org.springframework.security.web.authentication.session.SessionAuthenticationException;
+
+/**
+ * Returns a {@link Mono} that terminates with {@link SessionAuthenticationException} when
+ * the maximum number of sessions for a user has been reached.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+public final class PreventLoginServerMaximumSessionsExceededHandler implements ServerMaximumSessionsExceededHandler {
+
+ @Override
+ public Mono handle(MaximumSessionsContext context) {
+ return Mono
+ .error(new SessionAuthenticationException("Maximum sessions of " + context.getMaximumSessionsAllowed()
+ + " for authentication '" + context.getAuthentication().getName() + "' exceeded"));
+ }
+
+}
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/RegisterSessionServerAuthenticationSuccessHandler.java b/web/src/main/java/org/springframework/security/web/server/authentication/RegisterSessionServerAuthenticationSuccessHandler.java
new file mode 100644
index 0000000000..bc086e23cb
--- /dev/null
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/RegisterSessionServerAuthenticationSuccessHandler.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import reactor.core.publisher.Mono;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.ReactiveSessionInformation;
+import org.springframework.security.core.session.ReactiveSessionRegistry;
+import org.springframework.security.web.server.WebFilterExchange;
+import org.springframework.util.Assert;
+
+/**
+ * An implementation of {@link ServerAuthenticationSuccessHandler} that will register a
+ * {@link ReactiveSessionInformation} with the provided {@link ReactiveSessionRegistry}.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+public final class RegisterSessionServerAuthenticationSuccessHandler implements ServerAuthenticationSuccessHandler {
+
+ private final ReactiveSessionRegistry sessionRegistry;
+
+ public RegisterSessionServerAuthenticationSuccessHandler(ReactiveSessionRegistry sessionRegistry) {
+ Assert.notNull(sessionRegistry, "sessionRegistry cannot be null");
+ this.sessionRegistry = sessionRegistry;
+ }
+
+ @Override
+ public Mono onAuthenticationSuccess(WebFilterExchange exchange, Authentication authentication) {
+ return exchange.getExchange()
+ .getSession()
+ .map((session) -> new ReactiveSessionInformation(authentication.getPrincipal(), session.getId(),
+ session.getLastAccessTime()))
+ .flatMap(this.sessionRegistry::saveSessionInformation);
+ }
+
+}
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/ServerMaximumSessionsExceededHandler.java b/web/src/main/java/org/springframework/security/web/server/authentication/ServerMaximumSessionsExceededHandler.java
new file mode 100644
index 0000000000..6b90cbcd10
--- /dev/null
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/ServerMaximumSessionsExceededHandler.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * Strategy for handling the scenario when the maximum number of sessions for a user has
+ * been reached.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+public interface ServerMaximumSessionsExceededHandler {
+
+ /**
+ * Handles the scenario when the maximum number of sessions for a user has been
+ * reached.
+ * @param context the context with information about the sessions and the user
+ * @return an empty {@link Mono} that completes when the handling is done
+ */
+ Mono handle(MaximumSessionsContext context);
+
+}
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/SessionLimit.java b/web/src/main/java/org/springframework/security/web/server/authentication/SessionLimit.java
new file mode 100644
index 0000000000..ce96937500
--- /dev/null
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/SessionLimit.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import java.util.function.Function;
+
+import reactor.core.publisher.Mono;
+
+import org.springframework.security.core.Authentication;
+
+/**
+ * Represents the maximum number of sessions allowed. Use {@link #UNLIMITED} to indicate
+ * that there is no limit.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ * @see ConcurrentSessionControlServerAuthenticationSuccessHandler
+ */
+public interface SessionLimit extends Function> {
+
+ /**
+ * Represents unlimited sessions. This is just a shortcut to return
+ * {@link Mono#empty()} for any user.
+ */
+ SessionLimit UNLIMITED = (authentication) -> Mono.empty();
+
+ /**
+ * Creates a {@link SessionLimit} that always returns the given value for any user
+ * @param maxSessions the maximum number of sessions allowed
+ * @return a {@link SessionLimit} instance that returns the given value.
+ */
+ static SessionLimit of(int maxSessions) {
+ return (authentication) -> Mono.just(maxSessions);
+ }
+
+}
diff --git a/web/src/main/java/org/springframework/security/web/session/WebSessionStoreReactiveSessionRegistry.java b/web/src/main/java/org/springframework/security/web/session/WebSessionStoreReactiveSessionRegistry.java
new file mode 100644
index 0000000000..5d8cd5cc4d
--- /dev/null
+++ b/web/src/main/java/org/springframework/security/web/session/WebSessionStoreReactiveSessionRegistry.java
@@ -0,0 +1,100 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.session;
+
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+import org.springframework.security.core.session.InMemoryReactiveSessionRegistry;
+import org.springframework.security.core.session.ReactiveSessionInformation;
+import org.springframework.security.core.session.ReactiveSessionRegistry;
+import org.springframework.util.Assert;
+import org.springframework.web.server.WebSession;
+import org.springframework.web.server.session.WebSessionStore;
+
+/**
+ * A {@link ReactiveSessionRegistry} implementation that uses a {@link WebSessionStore} to
+ * invalidate a {@link WebSession} when the {@link ReactiveSessionInformation} is
+ * invalidated.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+public final class WebSessionStoreReactiveSessionRegistry implements ReactiveSessionRegistry {
+
+ private final WebSessionStore webSessionStore;
+
+ private ReactiveSessionRegistry sessionRegistry = new InMemoryReactiveSessionRegistry();
+
+ public WebSessionStoreReactiveSessionRegistry(WebSessionStore webSessionStore) {
+ Assert.notNull(webSessionStore, "webSessionStore cannot be null");
+ this.webSessionStore = webSessionStore;
+ }
+
+ @Override
+ public Flux getAllSessions(Object principal, boolean includeExpiredSessions) {
+ return this.sessionRegistry.getAllSessions(principal, includeExpiredSessions).map(WebSessionInformation::new);
+ }
+
+ @Override
+ public Mono saveSessionInformation(ReactiveSessionInformation information) {
+ return this.sessionRegistry.saveSessionInformation(new WebSessionInformation(information));
+ }
+
+ @Override
+ public Mono getSessionInformation(String sessionId) {
+ return this.sessionRegistry.getSessionInformation(sessionId).map(WebSessionInformation::new);
+ }
+
+ @Override
+ public Mono removeSessionInformation(String sessionId) {
+ return this.sessionRegistry.removeSessionInformation(sessionId).map(WebSessionInformation::new);
+ }
+
+ @Override
+ public Mono updateLastAccessTime(String sessionId) {
+ return this.sessionRegistry.updateLastAccessTime(sessionId).map(WebSessionInformation::new);
+ }
+
+ /**
+ * Sets the {@link ReactiveSessionRegistry} to use.
+ * @param sessionRegistry the {@link ReactiveSessionRegistry} to use. Cannot be null.
+ */
+ public void setSessionRegistry(ReactiveSessionRegistry sessionRegistry) {
+ Assert.notNull(sessionRegistry, "sessionRegistry cannot be null");
+ this.sessionRegistry = sessionRegistry;
+ }
+
+ final class WebSessionInformation extends ReactiveSessionInformation {
+
+ WebSessionInformation(ReactiveSessionInformation sessionInformation) {
+ super(sessionInformation.getPrincipal(), sessionInformation.getSessionId(),
+ sessionInformation.getLastAccessTime());
+ }
+
+ @Override
+ public Mono invalidate() {
+ return WebSessionStoreReactiveSessionRegistry.this.webSessionStore.retrieveSession(getSessionId())
+ .flatMap(WebSession::invalidate)
+ .then(Mono
+ .defer(() -> WebSessionStoreReactiveSessionRegistry.this.removeSessionInformation(getSessionId())))
+ .then(Mono.defer(super::invalidate));
+ }
+
+ }
+
+}
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/DelegatingServerAuthenticationSuccessHandlerTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/DelegatingServerAuthenticationSuccessHandlerTests.java
index 75852dbccc..444e745276 100644
--- a/web/src/test/java/org/springframework/security/web/server/authentication/DelegatingServerAuthenticationSuccessHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/DelegatingServerAuthenticationSuccessHandlerTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@
package org.springframework.security.web.server.authentication;
import java.time.Duration;
+import java.util.Collections;
+import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
@@ -74,9 +76,15 @@ public class DelegatingServerAuthenticationSuccessHandlerTests {
}
@Test
- public void constructorWhenEmptyThenIllegalArgumentException() {
- assertThatIllegalArgumentException().isThrownBy(
- () -> new DelegatingServerAuthenticationSuccessHandler(new ServerAuthenticationSuccessHandler[0]));
+ public void constructorWhenNullListThenIllegalArgumentException() {
+ assertThatIllegalArgumentException().isThrownBy(() -> new DelegatingServerAuthenticationSuccessHandler(
+ (List) null));
+ }
+
+ @Test
+ public void constructorWhenEmptyListThenIllegalArgumentException() {
+ assertThatIllegalArgumentException()
+ .isThrownBy(() -> new DelegatingServerAuthenticationSuccessHandler(Collections.emptyList()));
}
@Test
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/session/ConcurrentSessionControlServerAuthenticationSuccessHandlerTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/session/ConcurrentSessionControlServerAuthenticationSuccessHandlerTests.java
new file mode 100644
index 0000000000..88c97e2e22
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/session/ConcurrentSessionControlServerAuthenticationSuccessHandlerTests.java
@@ -0,0 +1,171 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication.session;
+
+import java.time.Instant;
+import java.util.Arrays;
+import java.util.List;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.mock.http.server.reactive.MockServerHttpResponse;
+import org.springframework.mock.web.server.MockWebSession;
+import org.springframework.security.authentication.TestAuthentication;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.ReactiveSessionInformation;
+import org.springframework.security.core.session.ReactiveSessionRegistry;
+import org.springframework.security.web.server.WebFilterExchange;
+import org.springframework.security.web.server.authentication.ConcurrentSessionControlServerAuthenticationSuccessHandler;
+import org.springframework.security.web.server.authentication.MaximumSessionsContext;
+import org.springframework.security.web.server.authentication.ServerMaximumSessionsExceededHandler;
+import org.springframework.security.web.server.authentication.SessionLimit;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilterChain;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+
+/**
+ * Tests for {@link ConcurrentSessionControlServerAuthenticationSuccessHandler}.
+ *
+ * @author Marcus da Coregio
+ */
+class ConcurrentSessionControlServerAuthenticationSuccessHandlerTests {
+
+ private ConcurrentSessionControlServerAuthenticationSuccessHandler strategy;
+
+ ReactiveSessionRegistry sessionRegistry = mock();
+
+ ServerWebExchange exchange = mock();
+
+ WebFilterChain chain = mock();
+
+ ServerMaximumSessionsExceededHandler handler = mock();
+
+ ArgumentCaptor contextCaptor = ArgumentCaptor.forClass(MaximumSessionsContext.class);
+
+ @BeforeEach
+ void setup() {
+ given(this.exchange.getResponse()).willReturn(new MockServerHttpResponse());
+ given(this.exchange.getRequest()).willReturn(MockServerHttpRequest.get("/").build());
+ given(this.exchange.getSession()).willReturn(Mono.just(new MockWebSession()));
+ given(this.handler.handle(any())).willReturn(Mono.empty());
+ this.strategy = new ConcurrentSessionControlServerAuthenticationSuccessHandler(this.sessionRegistry);
+ this.strategy.setMaximumSessionsExceededHandler(this.handler);
+ }
+
+ @Test
+ void constructorWhenNullRegistryThenException() {
+ assertThatIllegalArgumentException()
+ .isThrownBy(() -> new ConcurrentSessionControlServerAuthenticationSuccessHandler(null))
+ .withMessage("sessionRegistry cannot be null");
+ }
+
+ @Test
+ void setMaximumSessionsForAuthenticationWhenNullThenException() {
+ assertThatIllegalArgumentException().isThrownBy(() -> this.strategy.setSessionLimit(null))
+ .withMessage("sessionLimit cannot be null");
+ }
+
+ @Test
+ void setMaximumSessionsExceededHandlerWhenNullThenException() {
+ assertThatIllegalArgumentException().isThrownBy(() -> this.strategy.setMaximumSessionsExceededHandler(null))
+ .withMessage("maximumSessionsExceededHandler cannot be null");
+ }
+
+ @Test
+ void onAuthenticationWhenSessionLimitIsUnlimitedThenDoNothing() {
+ ServerMaximumSessionsExceededHandler handler = mock(ServerMaximumSessionsExceededHandler.class);
+ this.strategy.setSessionLimit(SessionLimit.UNLIMITED);
+ this.strategy.setMaximumSessionsExceededHandler(handler);
+ this.strategy.onAuthenticationSuccess(null, TestAuthentication.authenticatedUser()).block();
+ verifyNoInteractions(handler, this.sessionRegistry);
+ }
+
+ @Test
+ void onAuthenticationWhenMaximumSessionsIsOneAndExceededThenHandlerIsCalled() {
+ Authentication authentication = TestAuthentication.authenticatedUser();
+ List sessions = Arrays.asList(createSessionInformation("100"),
+ createSessionInformation("101"));
+ given(this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false))
+ .willReturn(Flux.fromIterable(sessions));
+ this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), authentication).block();
+ verify(this.handler).handle(this.contextCaptor.capture());
+ assertThat(this.contextCaptor.getValue().getMaximumSessionsAllowed()).isEqualTo(1);
+ assertThat(this.contextCaptor.getValue().getSessions()).isEqualTo(sessions);
+ assertThat(this.contextCaptor.getValue().getAuthentication()).isEqualTo(authentication);
+ }
+
+ @Test
+ void onAuthenticationWhenMaximumSessionsIsGreaterThanOneAndExceededThenHandlerIsCalled() {
+ this.strategy.setSessionLimit(SessionLimit.of(5));
+ Authentication authentication = TestAuthentication.authenticatedUser();
+ List sessions = Arrays.asList(createSessionInformation("100"),
+ createSessionInformation("101"), createSessionInformation("102"), createSessionInformation("103"),
+ createSessionInformation("104"));
+ given(this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false))
+ .willReturn(Flux.fromIterable(sessions));
+ this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), authentication).block();
+ verify(this.handler).handle(this.contextCaptor.capture());
+ assertThat(this.contextCaptor.getValue().getMaximumSessionsAllowed()).isEqualTo(5);
+ assertThat(this.contextCaptor.getValue().getSessions()).isEqualTo(sessions);
+ assertThat(this.contextCaptor.getValue().getAuthentication()).isEqualTo(authentication);
+ }
+
+ @Test
+ void onAuthenticationWhenMaximumSessionsForUsersAreDifferentThenHandlerIsCalledWhereNeeded() {
+ Authentication user = TestAuthentication.authenticatedUser();
+ Authentication admin = TestAuthentication.authenticatedAdmin();
+ this.strategy.setSessionLimit((authentication) -> {
+ if (authentication.equals(user)) {
+ return Mono.just(1);
+ }
+ return Mono.just(3);
+ });
+
+ List userSessions = Arrays.asList(createSessionInformation("100"));
+ List adminSessions = Arrays.asList(createSessionInformation("200"),
+ createSessionInformation("201"));
+
+ given(this.sessionRegistry.getAllSessions(user.getPrincipal(), false))
+ .willReturn(Flux.fromIterable(userSessions));
+ given(this.sessionRegistry.getAllSessions(admin.getPrincipal(), false))
+ .willReturn(Flux.fromIterable(adminSessions));
+
+ this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), user).block();
+ this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), admin).block();
+ verify(this.handler).handle(this.contextCaptor.capture());
+ assertThat(this.contextCaptor.getValue().getMaximumSessionsAllowed()).isEqualTo(1);
+ assertThat(this.contextCaptor.getValue().getSessions()).isEqualTo(userSessions);
+ assertThat(this.contextCaptor.getValue().getAuthentication()).isEqualTo(user);
+ }
+
+ private ReactiveSessionInformation createSessionInformation(String sessionId) {
+ return new ReactiveSessionInformation(sessionId, "principal", Instant.now());
+ }
+
+}
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/session/InMemoryReactiveSessionRegistryTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/session/InMemoryReactiveSessionRegistryTests.java
new file mode 100644
index 0000000000..ceca216a21
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/session/InMemoryReactiveSessionRegistryTests.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication.session;
+
+import java.time.Instant;
+import java.time.LocalDate;
+import java.time.ZoneOffset;
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.security.authentication.TestAuthentication;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.InMemoryReactiveSessionRegistry;
+import org.springframework.security.core.session.ReactiveSessionInformation;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link InMemoryReactiveSessionRegistry}.
+ */
+class InMemoryReactiveSessionRegistryTests {
+
+ InMemoryReactiveSessionRegistry sessionRegistry = new InMemoryReactiveSessionRegistry();
+
+ Instant now = LocalDate.of(2023, 11, 21).atStartOfDay().toInstant(ZoneOffset.UTC);
+
+ @Test
+ void saveWhenPrincipalThenRegisterPrincipalSession() {
+ Authentication authentication = TestAuthentication.authenticatedUser();
+ ReactiveSessionInformation sessionInformation = new ReactiveSessionInformation(authentication.getPrincipal(),
+ "1234", this.now);
+ this.sessionRegistry.saveSessionInformation(sessionInformation).block();
+ List principalSessions = this.sessionRegistry
+ .getAllSessions(authentication.getPrincipal(), false)
+ .collectList()
+ .block();
+ assertThat(principalSessions).hasSize(1);
+ assertThat(this.sessionRegistry.getSessionInformation("1234").block()).isNotNull();
+ }
+
+ @Test
+ void getAllSessionsWhenMultipleSessionsThenReturnAll() {
+ Authentication authentication = TestAuthentication.authenticatedUser();
+ ReactiveSessionInformation sessionInformation1 = new ReactiveSessionInformation(authentication.getPrincipal(),
+ "1234", this.now);
+ ReactiveSessionInformation sessionInformation2 = new ReactiveSessionInformation(authentication.getPrincipal(),
+ "4321", this.now);
+ ReactiveSessionInformation sessionInformation3 = new ReactiveSessionInformation(authentication.getPrincipal(),
+ "9876", this.now);
+ this.sessionRegistry.saveSessionInformation(sessionInformation1).block();
+ this.sessionRegistry.saveSessionInformation(sessionInformation2).block();
+ this.sessionRegistry.saveSessionInformation(sessionInformation3).block();
+ List sessions = this.sessionRegistry
+ .getAllSessions(authentication.getPrincipal(), false)
+ .collectList()
+ .block();
+ assertThat(sessions).hasSize(3);
+ assertThat(this.sessionRegistry.getSessionInformation("1234").block()).isNotNull();
+ assertThat(this.sessionRegistry.getSessionInformation("4321").block()).isNotNull();
+ assertThat(this.sessionRegistry.getSessionInformation("9876").block()).isNotNull();
+ }
+
+ @Test
+ void removeSessionInformationThenSessionIsRemoved() {
+ Authentication authentication = TestAuthentication.authenticatedUser();
+ ReactiveSessionInformation sessionInformation = new ReactiveSessionInformation(authentication.getPrincipal(),
+ "1234", this.now);
+ this.sessionRegistry.saveSessionInformation(sessionInformation).block();
+ this.sessionRegistry.removeSessionInformation("1234").block();
+ List sessions = this.sessionRegistry.getAllSessions(authentication.getName(), false)
+ .collectList()
+ .block();
+ assertThat(this.sessionRegistry.getSessionInformation("1234").block()).isNull();
+ assertThat(sessions).isEmpty();
+ }
+
+ @Test
+ void updateLastAccessTimeThenUpdated() {
+ Authentication authentication = TestAuthentication.authenticatedUser();
+ ReactiveSessionInformation sessionInformation = new ReactiveSessionInformation(authentication.getPrincipal(),
+ "1234", this.now);
+ this.sessionRegistry.saveSessionInformation(sessionInformation).block();
+ ReactiveSessionInformation saved = this.sessionRegistry.getSessionInformation("1234").block();
+ assertThat(saved.getLastAccessTime()).isNotNull();
+ Instant lastAccessTimeBefore = saved.getLastAccessTime();
+ this.sessionRegistry.updateLastAccessTime("1234").block();
+ saved = this.sessionRegistry.getSessionInformation("1234").block();
+ assertThat(saved.getLastAccessTime()).isNotNull();
+ assertThat(saved.getLastAccessTime()).isAfter(lastAccessTimeBefore);
+ }
+
+}
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/session/InvalidateLeastUsedServerMaximumSessionsExceededHandlerTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/session/InvalidateLeastUsedServerMaximumSessionsExceededHandlerTests.java
new file mode 100644
index 0000000000..60b6107418
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/session/InvalidateLeastUsedServerMaximumSessionsExceededHandlerTests.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication.session;
+
+import java.time.Instant;
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+import reactor.core.publisher.Mono;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.ReactiveSessionInformation;
+import org.springframework.security.web.server.authentication.InvalidateLeastUsedServerMaximumSessionsExceededHandler;
+import org.springframework.security.web.server.authentication.MaximumSessionsContext;
+
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.atLeastOnce;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+
+/**
+ * Tests for {@link InvalidateLeastUsedServerMaximumSessionsExceededHandler}
+ *
+ * @author Marcus da Coregio
+ */
+class InvalidateLeastUsedServerMaximumSessionsExceededHandlerTests {
+
+ InvalidateLeastUsedServerMaximumSessionsExceededHandler handler = new InvalidateLeastUsedServerMaximumSessionsExceededHandler();
+
+ @Test
+ void handleWhenInvokedThenInvalidatesLeastRecentlyUsedSessions() {
+ ReactiveSessionInformation session1 = mock(ReactiveSessionInformation.class);
+ ReactiveSessionInformation session2 = mock(ReactiveSessionInformation.class);
+ given(session1.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760010L));
+ given(session2.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760000L));
+ given(session2.invalidate()).willReturn(Mono.empty());
+ MaximumSessionsContext context = new MaximumSessionsContext(mock(Authentication.class),
+ List.of(session1, session2), 2);
+
+ this.handler.handle(context).block();
+
+ verify(session2).invalidate();
+ verify(session1).getLastAccessTime(); // used by comparator to sort the sessions
+ verify(session2).getLastAccessTime(); // used by comparator to sort the sessions
+ verifyNoMoreInteractions(session2);
+ verifyNoMoreInteractions(session1);
+ }
+
+ @Test
+ void handleWhenMoreThanOneSessionToInvalidateThenInvalidatesAllOfThem() {
+ ReactiveSessionInformation session1 = mock(ReactiveSessionInformation.class);
+ ReactiveSessionInformation session2 = mock(ReactiveSessionInformation.class);
+ ReactiveSessionInformation session3 = mock(ReactiveSessionInformation.class);
+ given(session1.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760010L));
+ given(session2.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760020L));
+ given(session3.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760030L));
+ given(session1.invalidate()).willReturn(Mono.empty());
+ given(session2.invalidate()).willReturn(Mono.empty());
+ MaximumSessionsContext context = new MaximumSessionsContext(mock(Authentication.class),
+ List.of(session1, session2, session3), 2);
+
+ this.handler.handle(context).block();
+
+ // @formatter:off
+ verify(session1).invalidate();
+ verify(session2).invalidate();
+ verify(session1, atLeastOnce()).getLastAccessTime(); // used by comparator to sort the sessions
+ verify(session2, atLeastOnce()).getLastAccessTime(); // used by comparator to sort the sessions
+ verify(session3, atLeastOnce()).getLastAccessTime(); // used by comparator to sort the sessions
+ verifyNoMoreInteractions(session1);
+ verifyNoMoreInteractions(session2);
+ verifyNoMoreInteractions(session3);
+ // @formatter:on
+ }
+
+}
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/session/PreventLoginServerMaximumSessionsExceededHandlerTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/session/PreventLoginServerMaximumSessionsExceededHandlerTests.java
new file mode 100644
index 0000000000..819489ee43
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/session/PreventLoginServerMaximumSessionsExceededHandlerTests.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication.session;
+
+import java.util.Collections;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.security.authentication.TestAuthentication;
+import org.springframework.security.web.authentication.session.SessionAuthenticationException;
+import org.springframework.security.web.server.authentication.MaximumSessionsContext;
+import org.springframework.security.web.server.authentication.PreventLoginServerMaximumSessionsExceededHandler;
+
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+
+/**
+ * Tests for {@link PreventLoginServerMaximumSessionsExceededHandler}.
+ *
+ * @author Marcus da Coregio
+ */
+class PreventLoginServerMaximumSessionsExceededHandlerTests {
+
+ @Test
+ void handleWhenInvokedThenThrowsSessionAuthenticationException() {
+ PreventLoginServerMaximumSessionsExceededHandler handler = new PreventLoginServerMaximumSessionsExceededHandler();
+ MaximumSessionsContext context = new MaximumSessionsContext(TestAuthentication.authenticatedUser(),
+ Collections.emptyList(), 1);
+ assertThatExceptionOfType(SessionAuthenticationException.class)
+ .isThrownBy(() -> handler.handle(context).block())
+ .withMessage("Maximum sessions of 1 for authentication 'user' exceeded");
+ }
+
+}
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/session/RegisterSessionServerAuthenticationSuccessHandlerTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/session/RegisterSessionServerAuthenticationSuccessHandlerTests.java
new file mode 100644
index 0000000000..1dbe3a6119
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/session/RegisterSessionServerAuthenticationSuccessHandlerTests.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication.session;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentCaptor;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import reactor.core.publisher.Mono;
+
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.mock.web.server.MockServerWebExchange;
+import org.springframework.mock.web.server.MockWebSession;
+import org.springframework.security.authentication.TestAuthentication;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.ReactiveSessionInformation;
+import org.springframework.security.core.session.ReactiveSessionRegistry;
+import org.springframework.security.web.server.WebFilterExchange;
+import org.springframework.security.web.server.authentication.RegisterSessionServerAuthenticationSuccessHandler;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilterChain;
+import org.springframework.web.server.WebSession;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.verify;
+
+@ExtendWith(MockitoExtension.class)
+class RegisterSessionServerAuthenticationSuccessHandlerTests {
+
+ @InjectMocks
+ RegisterSessionServerAuthenticationSuccessHandler strategy;
+
+ @Mock
+ ReactiveSessionRegistry sessionRegistry;
+
+ @Mock
+ WebFilterChain filterChain;
+
+ WebSession session = new MockWebSession();
+
+ ServerWebExchange serverWebExchange = MockServerWebExchange.builder(MockServerHttpRequest.get(""))
+ .session(this.session)
+ .build();
+
+ @Test
+ void constructorWhenSessionRegistryNullThenException() {
+ assertThatIllegalArgumentException()
+ .isThrownBy(() -> new RegisterSessionServerAuthenticationSuccessHandler(null))
+ .withMessage("sessionRegistry cannot be null");
+ }
+
+ @Test
+ void onAuthenticationWhenSessionExistsThenSaveSessionInformation() {
+ given(this.sessionRegistry.saveSessionInformation(any())).willReturn(Mono.empty());
+ WebFilterExchange webFilterExchange = new WebFilterExchange(this.serverWebExchange, this.filterChain);
+ Authentication authentication = TestAuthentication.authenticatedUser();
+ this.strategy.onAuthenticationSuccess(webFilterExchange, authentication).block();
+ ArgumentCaptor captor = ArgumentCaptor.forClass(ReactiveSessionInformation.class);
+ verify(this.sessionRegistry).saveSessionInformation(captor.capture());
+ assertThat(captor.getValue().getSessionId()).isEqualTo(this.session.getId());
+ assertThat(captor.getValue().getLastAccessTime()).isEqualTo(this.session.getLastAccessTime());
+ assertThat(captor.getValue().getPrincipal()).isEqualTo(authentication.getPrincipal());
+ }
+
+}
diff --git a/web/src/test/java/org/springframework/security/web/session/WebSessionStoreReactiveSessionRegistryTests.java b/web/src/test/java/org/springframework/security/web/session/WebSessionStoreReactiveSessionRegistryTests.java
new file mode 100644
index 0000000000..e0430bdfcf
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/session/WebSessionStoreReactiveSessionRegistryTests.java
@@ -0,0 +1,138 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.session;
+
+import java.time.Instant;
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+import org.springframework.security.core.session.ReactiveSessionInformation;
+import org.springframework.security.core.session.ReactiveSessionRegistry;
+import org.springframework.web.server.WebSession;
+import org.springframework.web.server.session.WebSessionStore;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyBoolean;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+
+/**
+ * Tests for {@link WebSessionStoreReactiveSessionRegistry}
+ *
+ * @author Marcus da Coregio
+ */
+class WebSessionStoreReactiveSessionRegistryTests {
+
+ WebSessionStore webSessionStore = mock();
+
+ WebSessionStoreReactiveSessionRegistry registry = new WebSessionStoreReactiveSessionRegistry(this.webSessionStore);
+
+ @Test
+ void constructorWhenWebSessionStoreNullThenException() {
+ assertThatIllegalArgumentException().isThrownBy(() -> new WebSessionStoreReactiveSessionRegistry(null))
+ .withMessage("webSessionStore cannot be null");
+ }
+
+ @Test
+ void getSessionInformationWhenSavedThenReturnsWebSessionInformation() {
+ ReactiveSessionInformation session = createSession();
+ this.registry.saveSessionInformation(session).block();
+ ReactiveSessionInformation saved = this.registry.getSessionInformation(session.getSessionId()).block();
+ assertThat(saved).isInstanceOf(WebSessionStoreReactiveSessionRegistry.WebSessionInformation.class);
+ assertThat(saved.getPrincipal()).isEqualTo(session.getPrincipal());
+ assertThat(saved.getSessionId()).isEqualTo(session.getSessionId());
+ assertThat(saved.getLastAccessTime()).isEqualTo(session.getLastAccessTime());
+ }
+
+ @Test
+ void invalidateWhenReturnedFromGetSessionInformationThenWebSessionInvalidatedAndRemovedFromRegistry() {
+ ReactiveSessionInformation session = createSession();
+ WebSession webSession = mock();
+ given(webSession.invalidate()).willReturn(Mono.empty());
+ given(this.webSessionStore.retrieveSession(session.getSessionId())).willReturn(Mono.just(webSession));
+
+ this.registry.saveSessionInformation(session).block();
+ ReactiveSessionInformation saved = this.registry.getSessionInformation(session.getSessionId()).block();
+ saved.invalidate().block();
+ verify(webSession).invalidate();
+ assertThat(this.registry.getSessionInformation(saved.getSessionId()).block()).isNull();
+ }
+
+ @Test
+ void invalidateWhenReturnedFromRemoveSessionInformationThenWebSessionInvalidatedAndRemovedFromRegistry() {
+ ReactiveSessionInformation session = createSession();
+ WebSession webSession = mock();
+ given(webSession.invalidate()).willReturn(Mono.empty());
+ given(this.webSessionStore.retrieveSession(session.getSessionId())).willReturn(Mono.just(webSession));
+
+ this.registry.saveSessionInformation(session).block();
+ ReactiveSessionInformation saved = this.registry.removeSessionInformation(session.getSessionId()).block();
+ saved.invalidate().block();
+ verify(webSession).invalidate();
+ assertThat(this.registry.getSessionInformation(saved.getSessionId()).block()).isNull();
+ }
+
+ @Test
+ void invalidateWhenReturnedFromGetAllSessionsThenWebSessionInvalidatedAndRemovedFromRegistry() {
+ ReactiveSessionInformation session = createSession();
+ WebSession webSession = mock();
+ given(webSession.invalidate()).willReturn(Mono.empty());
+ given(this.webSessionStore.retrieveSession(session.getSessionId())).willReturn(Mono.just(webSession));
+
+ this.registry.saveSessionInformation(session).block();
+ List saved = this.registry.getAllSessions(session.getPrincipal(), false)
+ .collectList()
+ .block();
+ saved.forEach((info) -> info.invalidate().block());
+ verify(webSession).invalidate();
+ assertThat(this.registry.getAllSessions(session.getPrincipal(), false).collectList().block()).isEmpty();
+ }
+
+ @Test
+ void setSessionRegistryThenUses() {
+ ReactiveSessionRegistry sessionRegistry = mock();
+ given(sessionRegistry.saveSessionInformation(any())).willReturn(Mono.empty());
+ given(sessionRegistry.removeSessionInformation(any())).willReturn(Mono.empty());
+ given(sessionRegistry.updateLastAccessTime(any())).willReturn(Mono.empty());
+ given(sessionRegistry.getSessionInformation(any())).willReturn(Mono.empty());
+ given(sessionRegistry.getAllSessions(any(), anyBoolean())).willReturn(Flux.empty());
+ this.registry.setSessionRegistry(sessionRegistry);
+ ReactiveSessionInformation session = createSession();
+ this.registry.saveSessionInformation(session).block();
+ verify(sessionRegistry).saveSessionInformation(any());
+ this.registry.removeSessionInformation(session.getSessionId()).block();
+ verify(sessionRegistry).removeSessionInformation(any());
+ this.registry.updateLastAccessTime(session.getSessionId()).block();
+ verify(sessionRegistry).updateLastAccessTime(any());
+ this.registry.getSessionInformation(session.getSessionId()).block();
+ verify(sessionRegistry).getSessionInformation(any());
+ this.registry.getAllSessions(session.getPrincipal(), false).blockFirst();
+ verify(sessionRegistry).getAllSessions(any(), eq(false));
+ }
+
+ private static ReactiveSessionInformation createSession() {
+ return new ReactiveSessionInformation("principal", "sessionId", Instant.now());
+ }
+
+}