Hi everyone,
I have written the following code in the infrastructure/core/boot directory
to set the number of concurrent user sessions at 1:

    @EnableWebSecurity
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                .sessionManagement()
                    .maximumSessions(1)
                    .maxSessionsPreventsLogin(true)
                    .sessionRegistry(sessionRegistry());
        }

        // Work around https://jira.spring.io/browse/SEC-2855
        @Bean
        public SessionRegistry sessionRegistry() {
            SessionRegistry sessionRegistry = new SessionRegistryImpl();
            return sessionRegistry;
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                    .withUser("mifos").password("password").roles("USER");
        }

        // Register HttpSessionEventPublisher
        @Bean
        public static ServletListenerRegistrationBean httpSessionEventPublisher() {
            return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
        }
    }

I have also registered the Spring Security filter created above in the
AbstractSecurityWebApplicationInitializer in the infrastructure/core/boot
directory as follows:

    public class SecurityWebApplicationInitializer
            extends AbstractSecurityWebApplicationInitializer {

        protected Class<?>[] getRootConfigClasses() {
            return new Class[] { WebSecurityConfig.class };
        }
    }

However, I am still able to log into multiple browser sessions from my
machine. Any advice on what I am doing wrong with my code? Thanks in
advance.
--
Kind Regards
Usman Khaliq
Programmer and R&D Lead
iDT Labs
5 Foday Drive,Regent Road,Hill Station
Freetown,Sierra Leone
Tel: +92334 3777 059/ + 232 77 775 775
Skype: usman.khaliq
Website:www.idtlabs.sl