source link: https://javarevisited.blogspot.com/2018/07/spring-security-concurrent-session.html#axzz8Xqmz4J3o
How to limit Concurrent Login Sessions in a Java web application using Spring Security? Example
You can configure the maximum number of sessions your application supports, and Spring Security will then automatically detect when a user breaches that limit and direct them to the invalid session URL you have specified with this tag, e.g. to a logout page.
Similarly, Spring Security provides a lot of out-of-the-box functionality that a secure enterprise or web application needs: authentication, authorization, session management, password encoding, secure access, session timeout, etc.
In an earlier Spring Security example, we saw how to do LDAP authentication against Active Directory using Spring Security; in this example we will see how to limit the number of sessions a user can have in a Java web application, that is, how to restrict concurrent user sessions.
By the way, if you are new to the Spring framework then I also suggest you join a comprehensive and up-to-date course to learn Spring in depth. If you need recommendations, I highly suggest you take a look at Spring Framework 5: Beginner to Guru, one of the comprehensive and hands-on courses to learn modern Spring. It's also the most up-to-date and covers Spring 5.
Spring Security Example: Limit Number of User Session
You will need to include the following XML snippet in your Spring Security configuration file, usually named applicationContext-security.xml. You can name the file whatever you want, but make sure you use the same name in all relevant places.
Here is a sample Spring Security example of limiting user sessions in a Java web application:
```xml
<session-management invalid-session-url="/logout.html">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
```
The max-sessions attribute specifies how many concurrent authenticated sessions are allowed, and if error-if-maximum-exceeded is set to true, Spring Security will flag an error when a user tries to log in to another session.
For example, if you try to log in twice from your browser to this Spring Security application then you will receive an error saying "Maximum Sessions of 1 for this principal exceeded" as shown below:
And, if you don't want to use XML configuration and want to do the same thing in Java configuration, then you can create a class annotated with @Configuration and define beans for configuring session management.
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // the page users are sent to must be reachable without a session
                .antMatchers("/logout.html").permitAll()
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                // where requests carrying an invalid session id are redirected
                .invalidSessionUrl("/logout.html")
                // allow one authenticated session per user
                .maximumSessions(1)
                // reject the new login instead of expiring the existing session
                .maxSessionsPreventsLogin(true);
    }
}
```
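An added example, not code from the original article: the same limit written as a `SecurityFilterChain` bean, the style that replaced `WebSecurityConfigurerAdapter` (deprecated in Spring Security 5.7, removed in 6.0), together with the `HttpSessionEventPublisher` listener that concurrent-session control relies on to learn when a session ends. The class name `SessionLimitConfig`, the default form login and the explicit `SessionRegistry` bean are assumptions made for this example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionLimitConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, SessionRegistry registry)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/logout.html").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults()) // assumption: default login form
            .sessionManagement(session -> session
                .invalidSessionUrl("/logout.html")
                .maximumSessions(1)              // one session per principal
                .maxSessionsPreventsLogin(true)  // reject the second login
                .sessionRegistry(registry));
        return http.build();
    }

    // Tracks live sessions per principal. A custom UserDetails class must
    // implement equals() and hashCode(), otherwise two logins of the same
    // user are counted as different principals and the limit never triggers.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Publishes session-destroyed events so the registry drops ended sessions.
    // Without it, a user whose session timed out without an explicit logout
    // still counts as logged in and, with maxSessionsPreventsLogin(true),
    // cannot log in again. Spring Boot registers this listener bean with the
    // embedded container; in a traditional WAR declare it as a <listener>
    // in web.xml instead.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```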
If you are interested in learning more about advanced Spring Security features, I suggest you go through the Learn Spring Security course by Eugen Paraschiv, which is the most up-to-date online course on Spring Security and covers new security features from the Spring Security 5 release.
Dependency
I strongly recommend using Spring Security for your new or existing Java web application created using Servlet and JSP.
P.S - If you like to learn from a book, then Spring Security in Action by Laurentiu Spilca is a good starting point. The content is not advanced enough for senior developers but for the junior and intermediate programmers, it's a great book.
P.S.S - Also, if you are an experienced Java/JEE programmer and want to learn Spring Security end-to-end, I recommend the Learn Spring Security course by Eugen Paraschiv, the definitive guide to securing your Java application. It's useful for both junior and experienced Java web developers.