В Птн, 03/06/2005 в 08:37 +0200, Olve Hansen пишет: > ons, 01,.06.2005 kl. 12.47 +0300, skrev Krutyakov Roman: > > Hello, > > > > Is there any way to access to HttpSession by its id? > > I have an application based on Tapestry 4 and Spring with Acegi and > > want > > to control concurrent user logins. > > After successful user authentication i need to check does this user > > already have non-expired session (for > > Acegi have this option built in. > > Forum messages discussing this feature: > http://forum.springframework.org/viewtopic.php?t=3935&start=0&postdays=0&postorder=asc&highlight=same+user > http://forum.springframework.org/viewtopic.php?t=4289&highlight=same > +user > > The feature described in the ref docs: > http://acegisecurity.sourceforge.net/docbook/acegi.html#security-authentication-concurrent-login > this is solution for forbidding login when same user is already logged in, ie "first wins" rule. I need "last wins" rule implementation.
This is getting off-tapestry topic.
Of course.. I see from the acegi source that this could be done, but it is not configurable. The ConcurrentSessionControllerImpl keeps a list of all session ids for each logged in principal, so it should be possible in some way. It also publishes an event ConcurrentSessionViolationEvent so that another bean registered to receive events might do something interesting with that one.
I just take this from the top of my head, so I really don't know if it is possible, but it should be. The logic should be to tell acegi to log out the session id of the other user (the first one) on his next request (when the session in question is available), not invalidating the first users session from another users request.
HTH
Olve
signature.asc
Description: This is a digitally signed message part
