
Restrict Spring Security maximum sessions, and force logout when roles change #2

Open
naturalprogrammer opened this issue Aug 11, 2015 · 0 comments
@naturalprogrammer
Owner

Allow application developers to restrict the maximum number of login sessions for a user by using a property such as lemon.security.max-sessions: 5. A default, say 5, can be set.

Coding this feature will also allow us to go a step further and force logout a user when an admin alters his roles.

References:

http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#concurrent-sessions
spring-projects/spring-boot#1537
https://jira.spring.io/browse/SEC-3069

I think we need to add some code to LemonSecurityConfig, like this:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        ...
        .sessionManagement()
            .maximumSessions(10)
            .sessionRegistry(sessionRegistry());
    ...
}

/**
 * Until https://jira.spring.io/browse/SEC-2855
 * is closed, we need to have this custom sessionRegistry
 */
@Bean
public SessionRegistry sessionRegistry() {
    return new SessionRegistryImpl();
}

/**
 * Register HttpSessionEventPublisher. Note that it is declared
 * static to instantiate it very early, before this configuration
 * class is processed.
 *
 * See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-embedded-servlet-containers.html
 * for how to add a ServletContextListener.
 *
 * See http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/context/annotation/Bean.html
 * for how static instantiation works.
 */
@Bean
public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
    // The publisher turns servlet session lifecycle callbacks into Spring
    // events (HttpSessionCreatedEvent / HttpSessionDestroyedEvent) so the
    // registry can drop sessions that have ended.
    return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
}

But, for scaling up, won't we need to have our own SessionRegistry implementation, say JPA based, instead of SessionRegistryImpl, which is in-memory based? I also noticed that SessionRegistryImpl only listens to SessionDestroyedEvent. Should it not be listening to SessionCreatedEvent as well? Need to study more.
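The following is an added worked example, not code from this issue or from the spring-lemon project. It puts the two halves of the request together: the session cap is read from a lemon.security.max-sessions property (defaulting to 5), the registry and HttpSessionEventPublisher are wired as sketched above, and a small helper expires every live session of a given user, which is the hook an admin-side role change would call. It assumes the Spring Boot 1.x / Spring Security 4 style of the issue (WebSecurityConfigurerAdapter, the org.springframework.boot.context.embedded package for ServletListenerRegistrationBean; Boot 1.4+ and 2.x moved it to org.springframework.boot.web.servlet), and that the authenticated principal is a Spring Security UserDetails. The package name and the SessionTerminator class are hypothetical.

```java
// Added example (not the project's own code). Assumptions: Spring Boot 1.x /
// Spring Security 4, property lemon.security.max-sessions (default 5), and a
// UserDetails principal identified by getUsername().
package com.example.lemon.security; // hypothetical package

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.embedded.ServletListenerRegistrationBean; // Boot 1.x location
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrentSessionConfig extends WebSecurityConfigurerAdapter {

    // Falls back to 5 when the property is not set.
    @Value("${lemon.security.max-sessions:5}")
    private int maxSessions;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                .maximumSessions(maxSessions)
                // false: a new login beyond the cap expires the user's oldest session.
                // true: the new login is rejected while older sessions stay valid.
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login?expired")
                .sessionRegistry(sessionRegistry());
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        // In-memory; every node of a cluster would hold its own view.
        return new SessionRegistryImpl();
    }

    // Static so the listener is created before this configuration class is
    // processed. Without it the registry never receives HttpSessionDestroyedEvent
    // and ended sessions keep counting against the limit.
    @Bean
    public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }

    @Bean
    public SessionTerminator sessionTerminator() {
        return new SessionTerminator(sessionRegistry());
    }

    /** Hypothetical helper: call forceLogout(username) right after an admin changes that user's roles. */
    public static class SessionTerminator {
        private final SessionRegistry registry;

        public SessionTerminator(SessionRegistry registry) {
            this.registry = registry;
        }

        /** Marks every non-expired session of the user as expired; returns how many were hit. */
        public int forceLogout(String username) {
            int expired = 0;
            for (Object principal : registry.getAllPrincipals()) {
                if (principal instanceof UserDetails
                        && username.equals(((UserDetails) principal).getUsername())) {
                    // includeExpiredSessions=false skips sessions already flagged.
                    List<SessionInformation> sessions = registry.getAllSessions(principal, false);
                    for (SessionInformation session : sessions) {
                        // ConcurrentSessionFilter sees the flag on the user's next request,
                        // invalidates the HttpSession and redirects to expiredUrl.
                        session.expireNow();
                        expired++;
                    }
                }
            }
            return expired;
        }
    }
}
```

Two things worth checking when adopting this. SessionRegistryImpl keys its map on the principal object, so the UserDetails implementation must override equals() and hashCode() (for example on the username), otherwise each login looks like a different user and the cap is never reached. And expireNow() does not tear the session down immediately; the old roles remain in that session's SecurityContext until its next request reaches ConcurrentSessionFilter, so the role change should also be re-read from the store on sensitive operations rather than trusted from the cached Authentication. For the scaling question raised above, later Spring Session releases ship SpringSessionBackedSessionRegistry, which backs the same SessionRegistry interface with the shared session store instead of a per-node map.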
