I have developed a web application using spring security. For login it gets access from LDAP. Now I want to manage the session using spring security itself, I can see by using authentication.getName()
I am getting the username
and I can also get the sessionID
.
Now I want to make sure if the same user is trying to login from the same system using some other browser he should get a message saying that he is already login in his account.
Can anyone give an idea how to achieve this ????
<security:session-management
invalid-session-url="/login.jsp?error=sessionExpired"
session-authentication-error-url="/login.jsp?error=alreadyLogin">
<security:concurrency-control
max-sessions="1"
expired-url="/login.jsp?error=sessionExpiredDuplicateLogin"
error-if-maximum-exceeded="false" />
</security:session-management>
When I use this and try to login using some other browser it gives me the following error:
HTTP Status 500 - Request processing failed; nested exception is java.lang.IllegalStateException: Cannot call sendError() after the response has been committed
enter code here
I may be missing something, but I have tried the next configuration and it works as expected:
<!-- more configuration stuff -->
<sec:form-login login-page="/login.jsp"
default-target-url="/defaultTarget.jsp"
authentication-failure-url="/login.jsp?error=true"
login-processing-url="/login" always-use-default-target="true" />
<sec:session-management>
<sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</sec:session-management>
When I try to log in with the same user from another browser, it takes me to /login.jsp and shows the error message: Maximum sessions of 1 for this principal exceeded
EDIT: you also need to place this in your web.xml
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>