Invalidate spring security session

java spring session spring-security invalidation
Jeg Bagus picture Jeg Bagus · Jan 6, 2011 · Viewed 22.2k times · Source

i need to invalidate ( or kick ) user session. the application only limit user login only one user per container.

i try to call removeSessionInformation from session registry, its done to unlock the user. so the other user can login with the kicked session user name.

but SessionContextHolder at that user that been kicked is still. so they still have the same authority to access the protected page.

how to invalidate or remove Principal of SessionContextHolder from specified session registry information?

ps : in my old application, i give one variable in UserDomain (UserDetails) that hold HttpSession. and when they need to kick the user, i just invalidate HttpSession from specified UserDomain. the but i don't know how to do it in spring (its more likey to remove Principal of SessionContextHolder than HttpSession). implementation is almost the same with how SessionRegistryImpl do in spring.

Answer

Corin Fletcher picture Corin Fletcher · Jan 6, 2011

You may like to consider Spring Security Concurrency Control. You can configure this to limit the number of concurrent sessions per user and expire (kick) existing sessions if that number is exceeded.

Spring Security Session Management

This is a snippet of our configuration (Spring 3):

<http>
    ...
    <session-management>
        <concurrency-control max-sessions="1"/>
    </session-management>
    ...
</http>

Related questions

spring security - is there an way to get session registry inside my application (without explicilty customizing the concurrentFilter)

I was referring to this thread, and in the second last post by Rob Winch (Spring Security Lead), he mentions that we can have access to the sessionRegisty : <session-management> <concurrency-control session-registry-alias="sessionRegistry"/> </session-management> Therefore, …

Read More
What is the proper way to re-attach detached objects in Hibernate?

I have a situation in which I need to re-attach detached objects to a hibernate session, although an object of the same identity MAY already exist in the session, which will cause errors. Right now, I can do one of …

Read More
remove jsessionid in url rewrite in spring mvc

I am using spring MVC and having a problem in jsessionid, what I found is that jsessionid is injected in the url if cookies isn't enabled in the browser producing a url like that: http://localhost/categories;jsessionid=Bsls4aQFXA5…

Read More