Session management is not working in Spring Security


My spring-security.xml:

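<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 3.0 configuration: HTTPS login, role-based URL rules and
  hand-wired concurrent-session control (at most one session per user).

  NOTE(review): the listing on this page was lower-cased. Framework identifiers
  (schema names, Spring class names, SpEL functions, filter positions and the
  bean properties of Spring classes) are restored below, because XML names and
  Java class names are case-sensitive. Project-specific names (com.stc.res.*
  classes and their properties, bean ids, role names, URLs) are kept exactly as
  printed; check their casing against the project.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Configure Spring Security: enable @PreAuthorize / @PostAuthorize on methods. -->
    <security:global-method-security pre-post-annotations="enabled" />
    <!-- <security:global-method-security secured-annotations="enabled" /> -->

    <security:http auto-config="false" use-expressions="true" access-denied-page="/access-deniad"
                   entry-point-ref="authenticationentrypoint">
        <!--
          NOTE(review): rules are evaluated in order and these patterns are literal.
          "/admin" and "/users" do not cover "/admin/..." or "/users/...", and "/*"
          covers a single path level only. Confirm that every protected URL is matched
          by a rule; a prefix pattern such as "/admin/**" may be what is intended.

          NOTE(review): only the login page and "/admin" require HTTPS. If the rest of
          the application is served over plain HTTP, the session cookie issued after
          login can travel unencrypted; consider requiring HTTPS for all authenticated
          URLs.
        -->
        <security:intercept-url pattern="/retailenterprisesuite/login.do" access="permitAll" requires-channel="https" />
        <security:intercept-url pattern="/admin" access="hasRole('role_admin')" requires-channel="https" />
        <!-- <security:intercept-url pattern="/common" access="hasrole('role_user')"/> -->
        <security:intercept-url pattern="/users" access="hasRole('role_user')" />
        <security:intercept-url pattern="/*" access="permitAll" requires-channel="any" />

        <!--
          NOTE(review): logout-url is empty as printed. Presumably the default logout
          URL then applies; confirm, or set the intended URL explicitly.
        -->
        <security:logout
                invalidate-session="true"
                logout-success-url="/login.html"
                logout-url="" />

        <!--
          Querying the SessionRegistry for authenticated users and their sessions:
          http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals
        -->
        <!-- The form-login and concurrent-session filters are replaced by the beans declared below. -->
        <security:custom-filter ref="authenticationfilter" position="FORM_LOGIN_FILTER" />
        <security:custom-filter ref="concurrencyfilter" position="CONCURRENT_SESSION_FILTER" />
        <security:custom-filter ref="singleentryfilter" after="FORM_LOGIN_FILTER" />
        <security:session-management session-authentication-strategy-ref="sas" />
    </security:http>

    <!-- Project filter; its behaviour is not shown on this page. -->
    <bean id="singleentryfilter" class="com.stc.res.filter.singleentryfilter"
          p:redirecturi="/login.html">
        <property name="guarduri">
            <list>
                <!-- <value>/index.html</value> -->
                <value>/index.html</value>
                <!-- <value>/index.html</value>
                <value>/index.html</value>
                <value>/index.html</value>
                <value>/index.html</value> -->
            </list>
        </property>
    </bean>

    <!-- Login filter. It receives the same session strategy ("sas") as the http element above. -->
    <bean id="authenticationfilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
          p:sessionAuthenticationStrategy-ref="sas"
          p:authenticationManager-ref="authenticationmanager"
          p:authenticationFailureHandler-ref="customauthenticationfailurehandler"
          p:authenticationSuccessHandler-ref="customauthenticationsuccesshandler" />

    <!-- The default failure URL has to be set here. -->
    <bean id="customauthenticationfailurehandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
          p:defaultFailureUrl="/loginfailed" />

    <!-- The default target URL has to be set here; redirection is delegated to a project strategy. -->
    <bean id="customauthenticationsuccesshandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <property name="redirectStrategy" ref="customsuccessredirstrategy" />
    </bean>
    <!-- <bean id="customauthenticationsuccesshandler" class="org.springframework.security.web.authentication.simpleurlauthenticationsuccesshandler"
         p:redirectstrategy-ref="customsuccessredirstrategy" /> -->

    <!-- Stray leading space in the class attribute removed. -->
    <bean id="customsuccessredirstrategy" class="com.stc.res.customeredirection.customsuccessredirection" />

    <!-- The authentication entry point redirects the user to a particular page, here the login
         page, whenever the server sends a response that requires authentication. -->
    <!-- See the Spring Security reference, section 5.4.1, for more information. -->
    <bean id="authenticationentrypoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
          p:loginFormUrl="/login.html" />

    <!-- Declare an authentication manager that uses the custom UserDetailsService. -->
    <!-- The alias matters because the authentication filter above refers to it. -->
    <security:authentication-manager alias="authenticationmanager">
        <security:authentication-provider user-service-ref="userservice">
            <security:password-encoder ref="passwordencoder">
                <security:salt-source ref="saltsource" />
            </security:password-encoder>
        </security:authentication-provider>
        <!--
          NOTE(review): this second provider declares no password-encoder, so by default
          it compares the submitted password with the stored value as plain text.
          Confirm this is intended and how jdbcuserservice stores passwords.
        -->
        <security:authentication-provider user-service-ref="jdbcuserservice" />
    </security:authentication-manager>

    <!--
      Concurrent-session control looks sessions up by principal object. The UserDetails
      objects returned by the two user services below must therefore implement equals()
      and hashCode() so that two logins of the same user compare equal.
      NOTE(review): those classes are not shown on this page; verify this first when a
      second login from another browser is not rejected.
    -->
    <bean id="userservice" class="com.stc.res.service.userloginservice">
        <property name="usrlogindao" ref="userlogindao" />
    </bean>

    <bean id="userlogindao" class="com.stc.res.dao.userlogindao" />

    <bean id="jdbcuserservice" class="com.stc.res.service.jdbcuserservice">
        <property name="customjdbcdao" ref="custjdbcdao" />
    </bean>

    <bean id="custjdbcdao" class="com.stc.res.dao.customjdbcdaoimpl">
        <property name="datasource" ref="datasource" />
    </bean>

    <bean id="jdbcadminuserservice" class="com.stc.res.controller.jdbcadminuserservice">
        <property name="datasource" ref="datasource" />
        <property name="authenticationmanager" ref="authenticationmanager" />
    </bean>

    <!--
      Passwords are checked with ShaPasswordEncoder, salted with the username.
      NOTE(review): the original comment says the stored passwords are MD5, which does
      not match this encoder; confirm which hash the database actually holds.
      A single fast hash salted with the username is weak against offline guessing.
      An adaptive hash such as BCryptPasswordEncoder (available from Spring Security
      3.1) is preferable, together with a migration plan for the stored hashes.
    -->
    <bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordencoder" />
    <bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltsource">
        <property name="userPropertyToUse" value="username" />
    </bean>

    <!--
      Disabled remember-me configuration, kept as printed on the page.
      NOTE(review): if it is re-enabled, replace the sample key with a secret value
      that is kept out of source control.

    <security:bean id="remembermeservices" class="org.springframework.security.ui.rememberme.persistenttokenbasedremembermeservices">
         <property name="tokenrepository" ref="jdbctokenrepository" />
         <property name="userdetailsservice" ref="userservice" />
         <property name="key" value="springrocks" />
         <property name="alwaysremember" value="false" />
    </security:bean>
    Uses a database table to maintain a set of persistent login data:
    <security:bean id="jdbctokenrepository" class="org.springframework.security.ui.rememberme.jdbctokenrepositoryimpl">
         <property name="createtableonstartup" value="false" />
         <property name="datasource" ref="datasource" />
    </security:bean>
    -->

    <!-- Leftover notes from the sample this file appears to be based on; no in-memory
         user list is declared in this file:
         "An in-memory list of users. No need to access an external database layer.
          See Spring Security 3.1 reference 5.2.1, in-memory authentication."
         "john's password is admin, while jane's password is user." -->

    <!-- Filter required by the concurrent session handling package.
         ConcurrentSessionFilter requires two properties: sessionRegistry, which points to an
         instance of SessionRegistryImpl, and expiredUrl, which points to the page to display
         when a session has expired.
         See: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals -->
    <bean id="concurrencyfilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"
          p:sessionRegistry-ref="sessionregistry"
          p:expiredUrl="/login.html" />

    <!-- Defines the concrete concurrent-control strategy. It checks whether the user in
         question should be allowed to proceed by comparing the number of sessions they
         already have active with the configured maximumSessions value. The SessionRegistry
         is used as the source of data on authenticated users and session data.
         See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/session/concurrentsessioncontrolstrategy.html

         Fix: the listing set error-if-maximum-exceeded="true" directly on this bean.
         That attribute belongs to the security namespace's concurrency-control element,
         not to a plain bean definition. On the bean the matching property is
         exceptionIfMaximumExceeded, which makes a second login fail instead of expiring
         the first session. -->
    <bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
          p:maximumSessions="1"
          p:exceptionIfMaximumExceeded="true">
        <constructor-arg name="sessionRegistry" ref="sessionregistry" />
    </bean>

    <!-- Maintains a registry of SessionInformation instances. It learns that a session has
         ended only if HttpSessionEventPublisher is registered as a listener in web.xml.
         See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/session/sessionregistry.html -->
    <bean id="sessionregistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

</beans>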

And this is what I configured in web.xml:

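<!-- Fragment of web.xml, shown without its enclosing web-app element. -->
<!-- NOTE(review): the listing on this page was lower-cased. Servlet and Spring identifiers
     are restored below; the project's own filter name and class are kept as printed. -->

<!-- Delegates every request to the Spring bean named springSecurityFilterChain. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>

<!-- Loads the root application context. -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Project filter; its behaviour is not shown on this page. -->
<filter>
    <display-name>mycustomfilter</display-name>
    <filter-name>mycustomfilter</filter-name>
    <filter-class>com.stc.res.filter.mycustomfilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>mycustomfilter</filter-name>
    <url-pattern>/mycustomfilter</url-pattern>
</filter-mapping>

<!-- Publishes session created/destroyed events to Spring, so that the SessionRegistry used
     for concurrent-session control drops sessions that have ended. Without it a user can
     stay locked out after their only session has timed out.
     Fix: the opening tag had lost its "<" in the listing, and the class name is now on one
     line so that no surrounding whitespace becomes part of the value. -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>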

Please let me know what is wrong in this code and guide me; I am new to Spring Security. A user can still log in from a different browser without logging out of the first session.

I have tried the snippet from the official documentation (preventing multiple logins):

<!-- Namespace form of concurrent-session control, as quoted by the author; the "..." and
     "...." parts are elisions, so this is not a complete element.
     max-sessions="1" with error-if-maximum-exceeded="true" rejects a second login rather
     than expiring the first session.
     The reference documentation notes that with a customised form-login authentication
     filter, concurrent-session support has to be configured explicitly: the session
     authentication strategy must be injected into that filter bean. -->
<security:http ... >
    ....
    <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </security:session-management>
</security:http>
