Got the examples working (should have added the <concurrent-session-control> element inside <http>).
When I log in with RFF it works. When I log in with IE it fails and the following log is printed.

[WARN ] [o.s.s.e.a.LoggerListener] Authentication event AuthenticationFailureConcurrentLoginEvent: bob; details: org.springframework.security.ui.webauthenticationdeta...@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: AF6D6BAC8E69E734BA1AAF556DC03593; exception: Maximum sessions of 1 for this principal exceeded

Bob

On Thu, Sep 16, 2010 at 12:31 PM, Bob Schellink <[email protected]> wrote:
> Hi Conor,
>
> I don't know this feature. Which version of Spring and Spring-security
> are you using? I did a quick test with the click-examples which uses
> spring-2.5.6 and security 2.0.4 but the xml doesn't validate when I
> add <concurrent-session-control>.
>
> Spring security is a filter while Click is a Servlet so I can't see
> how Click would interfere with Spring at all. There must be some
> difference between your two demos that leads to the issue.
> Implementation wise I would think Spring tracks logins in the session.
> Again Click doesn't touch the session variables so this shouldn't be
> an issue either.
>
> Kind regards
>
> Bob
>
> On Thu, Sep 16, 2010 at 11:03 AM, C Jennings <[email protected]> wrote:
>> Hello -
>> I have run into an unfortunate problem with trying to use Spring Security
>> with Apache Click.
>>
>> I have all components working correctly with Spring Security except for the
>> "concurrent session control" feature whereby a user should be only able to
>> log on to the application once. Concurrent sessions should not be allowed.
>> Within Spring Security, this is easily configured as shown below.
>>
>> In web.xml add a listener:
>>
>> <listener>
>>   <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
>> </listener>
>>
>> In Spring security configuration:
>>
>> <http>
>> ...
>>   <concurrent-session-control max-sessions="1"
>>       exception-if-maximum-exceeded="true"/>
>> </http>
>>
>> Now I have two prototypes of a Web application, one that uses Click and the
>> other that doesn't. The concurrent-session-control feature works fine in the
>> non-Click version. However, I can sign in on multiple browser windows with
>> the Click version for the same signed in user.
>>
>> If anyone has had any success with implementing this Spring Security feature
>> with Click, I would greatly appreciate your input as I was hoping to be able
>> to use the Click framework for our upcoming project having devoted a fair
>> amount of time ramping up on its features. If you'd like to see more
>> information from my configuration files, please let me know and I'll email
>> to this thread.
>>
>> Thank You.
>>
>> Conor
