Spring Security Plugin and concurrent sessions? <<Solved>>

lo_toad
Hi,

I'm trying to implement the ability so that a user can only have 1 active session and other sessions are invalidated when they log in using the Spring Security plugin.

I can't find anything in the plugin docs that relates to this but have found this post here by Burt which details the principle for the acegi plugin.

I'm trying to implement the approach with the Spring Security plugin but the classes have changed in Spring Security 3.0.

Does anyone know if this is the best way to do it? And if so, what is the Spring Security 3 version of org.springframework.security.concurrent.ConcurrentSessionControllerImpl if there is one?

Many thanks,

Jim.

Re: Spring Security Plugin and concurrent sessions?

lo_toad
Well, progress I think. After looking through some of Burt's posts on here it appears that concurrent sessions aren't supported out of the box due to Spring flakiness, which is fair enough but I'd still like to get it working.

This is what I think I need to modify to get the concurrent user authentication working ->

I have updated resources.groovy so it looks like this:

import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
import org.springframework.security.web.session.ConcurrentSessionFilter
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

beans = {

    // Tracks which sessions belong to which principal
    sessionRegistry(SessionRegistryImpl)

    // Limits each principal to one session at login time
    sessionAuthenticationStrategy(ConcurrentSessionControlStrategy, sessionRegistry) {
        maximumSessions = 1
    }

    // Sends requests on an expired session to expiredUrl
    concurrentSessionFilter(ConcurrentSessionFilter) {
        sessionRegistry = sessionRegistry
        expiredUrl = '/login/concurrentSession'
    }
}

and modified BootStrap.groovy to include:

    def concurrentSessionController
    def securityContextPersistenceFilter

    def init = { servletContext ->

        // Create the HTTP session eagerly
        securityContextPersistenceFilter.forceEagerSessionCreation = true
        // Add the concurrentSessionFilter bean to the filter chain at its standard position
        SpringSecurityUtils.clientRegisterFilter('concurrentSessionFilter', SecurityFilterPosition.CONCURRENT_SESSION_FILTER)

    ...


This all compiles fine but still doesn't restrict the sessions. Are there any Spring Security wizards out there who can see anything obviously wrong?

Many thanks,

Jim.

Re: Spring Security Plugin and concurrent sessions?

lo_toad
Woo! It works!!!

Some final points:

- Need to make sure that Remember me cookies aren't enabled, otherwise you just get logged back in again and you won't ever see the results of the session expiry (Doh!).

- In addition to the above, include the following in BootStrap.groovy:
   import org.codehaus.groovy.grails.plugins.springsecurity.SecurityFilterPosition
   import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

- According to info I've read you may need to override equals() and hashCode() in your principal object, which in my case is the User domain class.

Hope this helps someone else!

Jim.
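
The equals()/hashCode() point from the last post, shown as an added example that is not part of the original thread: Spring Security's SessionRegistryImpl keeps sessions in a map keyed by the principal, so a principal with default identity equality never matches the instance stored at an earlier login and the session limit is never reached. ToyRegistry, IdentityUser and ValueUser are hypothetical stand-ins written for this illustration, not plugin or Spring classes.

```groovy
import groovy.transform.EqualsAndHashCode

// Simplified stand-in for a session registry: session ids grouped by
// principal in a hash map, so lookups rely on equals()/hashCode().
class ToyRegistry {
    private final Map<Object, Set<String>> sessions = new HashMap<Object, Set<String>>()

    void register(String sessionId, Object principal) {
        Set<String> ids = sessions.get(principal)
        if (ids == null) {
            ids = new LinkedHashSet<String>()
            sessions.put(principal, ids)
        }
        ids.add(sessionId)
    }

    int activeSessions(Object principal) {
        Set<String> ids = sessions.get(principal)
        ids == null ? 0 : ids.size()
    }

    // Same question a maximumSessions check asks before allowing a new login
    boolean limitReached(Object principal, int maximumSessions) {
        activeSessions(principal) >= maximumSessions
    }
}

// Hypothetical principal relying on Object's identity-based equals()/hashCode()
class IdentityUser { String username }

// Hypothetical principal with value equality on the username
@EqualsAndHashCode(includes = 'username')
class ValueUser { String username }

def registry = new ToyRegistry()

// Every login builds a fresh principal instance for the same account.
registry.register('session-A', new IdentityUser(username: 'jim'))
// The second login's instance is a different map key: the limit is not seen.
assert !registry.limitReached(new IdentityUser(username: 'jim'), 1)

registry.register('session-B', new ValueUser(username: 'jim'))
// With value equality the second login finds the first session.
assert registry.limitReached(new ValueUser(username: 'jim'), 1)
```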
 