Allow application developers to restrict the maximum number of login sessions for a user by using a property such as lemon.security.max-sessions: 5. A default, say 5, can be set.
Coding this feature will also allow us to go a step further and force logout a user when an admin alters his roles.
References:
http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#concurrent-sessions
spring-projects/spring-boot#1537
https://jira.spring.io/browse/SEC-3069
I think we need to add some code to LemonSecurityConfig, like this:
```java
// Imports needed in LemonSecurityConfig for the snippet below
// (ServletListenerRegistrationBean is in org.springframework.boot.context.embedded
// on Spring Boot 1.x; Boot 2 moved it to org.springframework.boot.web.servlet).
import org.springframework.boot.context.embedded.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        ...
        .sessionManagement()
            .maximumSessions(10)
            .sessionRegistry(sessionRegistry());
    ...
}

/**
 * Until https://jira.spring.io/browse/SEC-2855
 * is closed, we need to have this custom sessionRegistry
 */
@Bean
public SessionRegistry sessionRegistry() {
    SessionRegistry sessionRegistry = new SessionRegistryImpl();
    return sessionRegistry;
}

/**
 * Register HttpSessionEventPublisher. Note that it is declared
 * static to instantiate it very early, before this configuration
 * class is processed.
 *
 * See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-embedded-servlet-containers.html
 * for how to add a ServletContextListener.
 *
 * See http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/context/annotation/Bean.html
 * for how static instantiation works.
 */
@Bean
public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
    return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
}
```
But, for scaling up, won't we need to have our own SessionRegistry implementation, say JPA based, instead of SessionRegistryImpl, which is in-memory based? I also noticed that SessionRegistryImpl only listens to SessionDestroyedEvent. Shouldn't it be listening to SessionCreatedEvent as well? Need to study more.
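An added example, not spring-lemon's own code, of wiring the proposed lemon.security.max-sessions property (default 5) into Spring Security's concurrency control and of the "force logout when an admin changes roles" idea from the issue; MaxSessionsConfig and UserSessionService are assumed names, the packages are those of Spring Boot 1.x / Spring Security 4, and the HttpSessionEventPublisher registration shown above is assumed to be in place so logged-out sessions leave the registry.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

@Configuration
public class MaxSessionsConfig extends WebSecurityConfigurerAdapter {
    // Reads lemon.security.max-sessions from application.yml; falls back to 5.
    @Value("${lemon.security.max-sessions:5}")
    private int maxSessions;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .maximumSessions(maxSessions)
            .maxSessionsPreventsLogin(false)   // the newest login wins; the oldest session is expired
            .expiredUrl("/login?expired")      // where ConcurrentSessionFilter sends an expired session
            .sessionRegistry(sessionRegistry());
    }

    // Caveat from the Spring Security docs: the registry keys sessions by principal,
    // so the UserDetails class must implement equals()/hashCode() (e.g. on username).
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }
}

// Assumed service that an admin-only endpoint calls right after changing a user's roles.
@Service
class UserSessionService {
    @Autowired private SessionRegistry sessionRegistry;

    public void expireAllSessions(String username) {
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (principal instanceof UserDetails && username.equals(((UserDetails) principal).getUsername())) {
                for (SessionInformation s : sessionRegistry.getAllSessions(principal, false)) {
                    s.expireNow(); // marked expired; ConcurrentSessionFilter invalidates it on the next request
                }
            }
        }
    }
}
```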