Spring Security Concurrent Session Control Example Tutorial – How to limit number of User Session in Java JEE Web Application
If you don’t know, Spring security can limit the number of sessions a user can have. If you are developing a web application especially a secure web application in Java JEE then you must have come up with the requirement similar to online banking portals have e.g. only one session per user at a time or no concurrent session per user. Even though you can also implement this functionality without using spring security but with Spring security, its just piece of cake with coffee :). You just need to add a couple of lines of XML in your spring security configuration file and you are done. In order to implement this functionality, you can use the <concurrency-control>tag. You can configure a maximum number of the session your application support and then Spring security will automatically detect if user breach that limits and direct them to invalid session url you have specified with this tag e.g. to a logout page.
Similar to this, Spring Security provides lots of Out of Box functionality a secure enterprise or web application needed for authentication, authorization, session management, password encoding, secure access, session timeout etc.
In our spring security example we have seen how to do LDAP Authentication in an Active directory using spring security and in this spring security example we will see how to limit the number of session user can have in Java web application or restricting concurrent user session.
Spring Security Example: Limit Number of User Session
As I said it’s simple and easy when you use spring security framework or library. In fact is all declarative and no code is required to enable the concurrent session to disable functionality.
You will need to include following xml snippet in your Spring Security Configuration file mostly named as
applicaContext-security.xml. Here is sample spring security Example of limiting user session in Java web application:
<session-management invalid-session-url="/logout.html">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>As you see you can specify how many concurrent session per user is allowed, a most secure system like online banking portals allows just one authenticated session per user.
You can even specify a URL where the user will be taken if they submit an invalid session identifier can be used to detect session timeout. The session-management element is used to capture session related stuff.
The Max-session specifies how many concurrent authenticated session is allowed and if error-if-maximum-exceeded set to true it will flag an error if a user tries to login into another session.
For example, if you try to login twice from your browser to this spring security application then you will receive an error saying “Maximum Sessions of 1 for this principal exceeded” as shown below:
Dependency
This code has a dependency on the spring-security framework. You need to download spring security jar like spring-security-web-3.1.0.jar and add into application classpath.
This simple example of spring security shows the power of spring security, a small piece of xml snippet can add very useful and handy security feature in your Java web application.
I strongly recommend using spring security for your new or existing Java web application created using Servlet JSP.
That’s all on how to limit the number of user session using spring security in Java web application. Let me know if you face any issue while implementing this security feature in your project.
| Published on Java Code Geeks with permission by Javin Paul, partner at our JCG program. See the original article here: Spring Security Concurrent Session Control Example Tutorial – How to limit number of User Session in Java JEE Web Application Opinions expressed by Java Code Geeks contributors are their own. |
No spring boot example? Isn’t 3.1.0 ancient for spring security?