java.lang.Object | ||
↳ | org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy | |
↳ | org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy |
Strategy which handles concurrent session-control, in addition to the functionality provided by the base class.
When invoked following an authentication, it will check whether the user in question should be allowed to proceed,
by comparing the number of sessions they already have active with the configured maximumSessions value.
The SessionRegistry
is used as the source of data on authenticated users and session data.
If a user has reached the maximum number of permitted sessions, the behaviour depends on the
exceptionIfMaxExceeded property. The default behaviour is to expired the least recently used session, which
will be invalidated by the ConcurrentSessionFilter
if accessed again. If exceptionIfMaxExceeded is
set to true, however, the user will be prevented from starting a new authenticated session.
This strategy can be injected into both the SessionManagementFilter
and instances of
AbstractAuthenticationProcessingFilter
(typically UsernamePasswordAuthenticationFilter
).
Fields | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
messages |
[Expand]
Inherited Fields | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
From class
org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
|
Public Constructors | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Public Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Called when a user is newly authenticated.
| |||||||||||
Sets the exceptionIfMaximumExceeded property, which determines whether the user should be prevented
from opening more sessions than allowed.
| |||||||||||
Sets the maxSessions property.
| |||||||||||
Protected Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Allows subclasses to customise behaviour when too many sessions are detected.
| |||||||||||
Method intended for use by subclasses to override the maximum number of sessions that are permitted for
a particular authentication.
| |||||||||||
Called when the session has been changed and the old attributes have been migrated to the new session.
|
[Expand]
Inherited Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
From class
org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
| |||||||||||
From class
java.lang.Object
| |||||||||||
From interface
org.springframework.context.MessageSourceAware
| |||||||||||
From interface
org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
|
sessionRegistry | the session registry which should be updated when the authenticated session is changed. |
---|
Called when a user is newly authenticated.
If a session already exists, and matches the session Id from the client, a new session will be created, and the
session attributes copied to it (if migrateSessionAttributes
is set).
The sessionRegistry will be updated with the new session information. If the client's requested session Id is
invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current
session.
If there is no session, no action is taken unless the alwaysCreateSession
property is set, in which
case a session will be created if one doesn't already exist.
Sets the exceptionIfMaximumExceeded property, which determines whether the user should be prevented from opening more sessions than allowed. If set to true, a SessionAuthenticationException will be raised.
exceptionIfMaximumExceeded | defaults to false. |
---|
Sets the maxSessions property. The default value is 1. Use -1 for unlimited sessions.
maximumSessions | the maximimum number of permitted sessions a user can have open simultaneously. |
---|
Allows subclasses to customise behaviour when too many sessions are detected.
sessions | either null or all unexpired sessions associated with the principal |
---|---|
allowableSessions | the number of concurrent sessions the user is allowed to have |
registry | an instance of the SessionRegistry for subclass use
|
Method intended for use by subclasses to override the maximum number of sessions that are permitted for
a particular authentication. The default implementation simply returns the maximumSessions
value
for the bean.
authentication | to determine the maximum sessions for |
---|
Called when the session has been changed and the old attributes have been migrated to the new session. Only called if a session existed to start with. Allows subclasses to plug in additional behaviour.
originalSessionId | the original session identifier |
---|---|
newSession | the newly created session |
auth | the token for the newly authenticated principal |