[spring-session] sessionManagement settings don't work

http.sessionManagement(session -> session
        .sessionConcurrency(concurrency -> concurrency
                .sessionRegistry(sessionRegistry())
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .expiredSessionStrategy(event -> {
                    HttpServletResponse response = event.getResponse();
                    response.setContentType(MediaType.APPLICATION_JSON_VALUE);
                    response.setCharacterEncoding("UTF-8");
                    objectMapper.writeValue(response.getWriter(),"세션이 만료되었거나 다른곳에서 로그인 되었습니다");
                }))
        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
);
http.addFilterAt(loginAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

    @Bean
    public AbstractAuthenticationProcessingFilter loginAuthenticationFilter() {
        LoginAuthenticationFilter loginAuthenticationFilter = new LoginAuthenticationFilter("/login", objectMapper);
        loginAuthenticationFilter.setAuthenticationManager(authenticationManager());
        loginAuthenticationFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
        loginAuthenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());
        loginAuthenticationFilter.setSecurityContextRepository(new HttpSessionSecurityContextRepository());
//        loginAuthenticationFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return loginAuthenticationFilter;
    }


    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        ConcurrentSessionControlAuthenticationStrategy sessionControlAuthenticationStrategy = new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry());
        sessionControlAuthenticationStrategy.setMaximumSessions(2);
        return sessionControlAuthenticationStrategy;
    }
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SpringSessionBackedSessionRegistry<>(redisSessionRepository);
    }

SessionManagement configuration (maximumSessions, maxSessionsPreventsLogin) is not working in Spring Security. To control sessions, SessionAuthenticationStrategy must be configured in the user authentication filter. Am I misunderstanding something?

Although I debugged SessionManagerFilter, it didn't work. I found out that the user authentication filter controls concurrent session access. However, (maximumSessions, maxSessionsPreventsLogin) didn't work.

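Added example, not part of the original post or of Spring's own code: a sketch of wiring the login-time session checks onto a custom authentication filter, since the `http.sessionManagement(...)` DSL does not set a strategy on a filter registered with `addFilterAt()`. The class name `LoginSessionStrategyConfig` and the helper `applyTo` are hypothetical, and a `SessionRegistry` bean like the one in the question is assumed to exist.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

// Hypothetical configuration class (assumption, not from the question).
@Configuration
public class LoginSessionStrategyConfig {

    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy(SessionRegistry sessionRegistry) {
        ConcurrentSessionControlAuthenticationStrategy concurrency =
                new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
        concurrency.setMaximumSessions(1);               // same limit as maximumSessions(1)
        concurrency.setExceptionIfMaximumExceeded(true); // same effect as maxSessionsPreventsLogin(true)

        // Order matters: reject the extra login first, then rotate the session id
        // (session-fixation defence), then record the new session in the registry.
        return new CompositeSessionAuthenticationStrategy(List.of(
                concurrency,
                new ChangeSessionIdAuthenticationStrategy(),
                new RegisterSessionAuthenticationStrategy(sessionRegistry)));
    }

    // Hypothetical helper: call it on the custom filter before returning the
    // filter from its own @Bean method.
    public static void applyTo(AbstractAuthenticationProcessingFilter loginFilter,
                               SessionAuthenticationStrategy strategy) {
        // Without this call the filter keeps its default NullAuthenticatedSessionStrategy,
        // which performs no concurrency check and no session-id change on login.
        loginFilter.setSessionAuthenticationStrategy(strategy);
    }
}
```

When the limit is exceeded the strategy throws `SessionAuthenticationException`, which the filter routes to its configured `AuthenticationFailureHandler`.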