Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

java - Concurrent session handling with Spring MVC 4 and Spring security not working

I have a requirement to enable concurrent session validation when logging in a user. I have to log off the existing users and let the new one log in.

I have a custom AuthenticationSuccessHandler

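import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public static final String LOGIN_CONTEXT = "/login";

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {

        HttpSession session = request.getSession(true);
        CurrentUser currentUser = (CurrentUser) authentication.getPrincipal();

        session.setAttribute("userInfo", currentUser.getUserInfo());
        // Redirect to the user's default URL when one is set, otherwise to "/".
        String defaultUrl = currentUser.getUserInfo().getDefaultUrl();
        redirectStrategy.sendRedirect(request, response,
                defaultUrl != null && !defaultUrl.isEmpty() ? defaultUrl : "/");
    }
}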

And WebSecurityConfig is as below.

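import java.util.Arrays;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration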
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    public static final String LOGIN_CONTEXT = "/login";

    @Autowired
    private CustomAuthenticationProvider authProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        auth.authenticationProvider(authProvider);
    }

    @Bean
    public AuthenticationSuccessHandler authenticationSuccessHandler() {

        return new CustomAuthenticationSuccessHandler();
    }
    

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.cors().configurationSource(corsConfigurationSource()).and().csrf().disable().formLogin()
                .loginPage(LOGIN_CONTEXT).failureUrl(LOGIN_CONTEXT + "?login_error=true")
                .successHandler(authenticationSuccessHandler()).loginProcessingUrl(LOGIN_CONTEXT).and()
                .authorizeRequests().antMatchers(LOGIN_CONTEXT, "/assets/**", "/vendor/**", "/scripts/**").permitAll()
                .anyRequest().authenticated().and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true)
                .logoutSuccessUrl(LOGIN_CONTEXT).logoutUrl("/logout");
        http.sessionManagement().maximumSessions(1).sessionRegistry(sessionRegistry());
        http.headers().frameOptions().disable();
    
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        final CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        configuration.setAllowCredentials(true);
        // the below three lines will add the relevant CORS response headers
        configuration.addAllowedOrigin("*");
        configuration.addAllowedHeader("*");
        configuration.addAllowedMethod("*");
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
    
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}

I have tried to achieve this by http.sessionManagement().maximumSessions(1), but it's not working as expected. I have also followed this article, but couldn't make it work. Am I missing something here?

question from:https://stackoverflow.com/questions/65868731/concurrent-session-handling-with-spring-mvc-4-and-spring-security-not-working
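
An added example, not part of the original question or of Spring Security's own code, showing a check that applies to this configuration: `SessionRegistryImpl` finds a user's earlier sessions by looking the principal object up in a map, so `maximumSessions(1)` can only act on an earlier login if the principal class implements `equals()` and `hashCode()`. The page does not show `CurrentUser`, so `IdentityPrincipal` and `ValuePrincipal` are hypothetical stand-ins, the session id is a constructed value, and spring-security-core is assumed to be on the classpath.

```java
import java.util.Objects;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;

// Added example: hypothetical stand-ins for the CurrentUser principal, which the page does not show.
public class PrincipalEqualityCheck {

    // Principal that inherits Object identity: every login builds an object unequal to the last one.
    static class IdentityPrincipal {
        final String username;
        IdentityPrincipal(String username) { this.username = username; }
    }

    // Principal compared by username, so two logins of the same account are equal.
    static class ValuePrincipal {
        final String username;
        ValuePrincipal(String username) { this.username = username; }

        @Override
        public boolean equals(Object o) {
            return o instanceof ValuePrincipal && username.equals(((ValuePrincipal) o).username);
        }

        @Override
        public int hashCode() { return Objects.hash(username); }
    }

    // Registers one session for the first login, then asks the registry how many
    // sessions it holds for the principal object created by the second login.
    static int sessionsSeenAtSecondLogin(Object firstLogin, Object secondLogin) {
        SessionRegistry registry = new SessionRegistryImpl();
        registry.registerNewSession("constructed-session-1", firstLogin);
        return registry.getAllSessions(secondLogin, false).size();
    }

    public static void main(String[] args) {
        // Two separate principal objects for one account, as two logins would produce.
        System.out.println("identity-based principal, earlier sessions found: "
                + sessionsSeenAtSecondLogin(new IdentityPrincipal("alice"), new IdentityPrincipal("alice")));
        System.out.println("value-based principal, earlier sessions found: "
                + sessionsSeenAtSecondLogin(new ValuePrincipal("alice"), new ValuePrincipal("alice")));
    }
}
```

A principal class for which the second lookup finds no earlier session gives concurrency control nothing to expire.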
