
I have a design/system requirement to notify a user, User-A, that there was another active session (by User-B) prior to User-A's login. How do you accomplish this using Spring Security?

The scenario is this:

  1. John Doe logs in to the system using username johndoe
  2. Jane logs in to the system using johndoe
  3. The system should display a notification (that includes the other user's IP address) to both users that there was another session created using his or her username.

Example:

After Jane's login in Step 2, John Doe, upon making a new request (like clicking a link), will receive the following notification:

You have been automatically logged-out of the system.
Your login credential was used with IP Address (x.x.x.x).
If you believe your account was compromised, please report...

At the same time, upon Jane's login, she will be notified as well that there was another active session prior to her login.

Your login credential was used with IP Address (x.x.x.x).
If you believe your account was compromised, please report...

I tried looking into custom session management filters, custom concurrent session filters, and custom concurrent control strategy, but I can't wrap my head around the subject. I can't seem to identify which item I should customize.

I've also read the Session Management chapter of Spring Security's documentation, but am stuck on how to implement the requirement above.

Jonathan

1 Answer


If I understand your question, you need that only one user should be logged in with the xyz credentials at one time, and if another user (A) tries to log in when one user (B) is already logged in, then you don't want user A to get logged in, and you want to prompt them that someone is already logged in with the same credentials.

You can achieve this with max-sessions="1":

<security:http auto-config="true" use-expressions="true" access-denied-page="/accessDenied.jsp">

    <security:form-login login-page="/index.jsp"
        default-target-url="/jsp/home.jsp"
        authentication-failure-handler-ref="authenticationFailureHandler"/>

    <!-- max-sessions="1" allows one live session per user; error-if-maximum-exceeded="true"
         rejects the second login instead of expiring the first. Concurrency control also needs
         org.springframework.security.web.session.HttpSessionEventPublisher registered as a
         listener in web.xml so the session registry is told when sessions are destroyed. -->
    <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
    </security:session-management>

</security:http>

Somewhere I am getting confused in understanding your actual need. If you need both sessions to remain active, then increase max-sessions="max_session_you_need" and just register a session creation listener; there you can check the active sessions against the session request that just came in. If it matches one of the active sessions, then some user is already logged in, and you can do whatever you want to do...

Jayesh
  • Hello Jayesh, thanks for the answer. What I actually need is to inform the users of the IP addresses that use the same username. The most recent session will be valid, but the least recent will be invalidated. Both users need to be notified of the other user's IP address. – Jonathan Aug 07 '13 at 04:49
  • Can this be accomplished by a custom concurrent control strategy or a custom HttpSessionEventPublisher? – Jonathan Aug 07 '13 at 04:52
  • I got your point. I think you should go through this link, http://forum.springsource.org/showthread.php?110673-Spring-security-concurrent-session-and-HttpSessionListener-problem, which helps you to implement the listener. Now in the sessionCreated function you can check all the active sessions against the session request that just came in, then you just broadcast one message to both users with the IP address, that user xyz with IP XYZ has already logged in. At the client end, just read one session object that has this message. You can also broadcast both IP addresses and, at the client end, read the current IP address and display only the unmatched one. – Jayesh Aug 07 '13 at 05:06
  • Thanks for the direction Jayesh. Will keep you posted and accept your answer once I get it to work. :) – Jonathan Aug 07 '13 at 05:39
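The thread above stops at "register a listener and check the active sessions". The following is an added example, written for this page and not code from the question or the answer, that follows the question's actual requirement (newest login wins, oldest session is expired, both sides see the other side's IP) using Spring Security's own SessionRegistry instead of error-if-maximum-exceeded="true". It assumes Spring Security 4.2 to 5.x (javax.servlet, SessionInformationExpiredStrategy) and Java 8+; the class name, the OTHER_SESSION_IPS attribute and the two IP maps are this example's own choices. The registry's SessionInformation does not record the client IP, so the example keeps a session-id-to-IP map itself.

```java
// Added example (not from the question or answer above). Assumes Spring Security
// 4.2 to 5.x with javax.servlet and Java 8+; class, attribute and map names are this
// example's own. The newest login wins: older sessions for the same principal are
// expired, and each side is told the other side's IP address.
package example.session;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.session.SessionInformationExpiredEvent;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;

public class IpNotifyingSessionStrategy
        implements SessionAuthenticationStrategy, SessionInformationExpiredStrategy {

    /** Session attribute the post-login page reads to show "your credential was used from ...". */
    public static final String OTHER_IPS_ATTR = "OTHER_SESSION_IPS";

    private final SessionRegistry registry;
    /** session id -> IP that created it; SessionInformation itself does not record the client IP. */
    private final Map<String, String> ipBySession = new ConcurrentHashMap<>();
    /** expired session id -> IP of the newer login that displaced it. */
    private final Map<String, String> displacedBy = new ConcurrentHashMap<>();

    public IpNotifyingSessionStrategy(SessionRegistry registry) {
        this.registry = registry;
    }

    /** Runs on every successful login, after session-fixation protection has issued the new id. */
    @Override
    public void onAuthentication(Authentication auth, HttpServletRequest request,
                                 HttpServletResponse response) {
        String newSessionId = request.getSession().getId();
        // Behind a reverse proxy this is the proxy's address; resolve the client IP
        // from a header you trust (e.g. via a forwarded-header filter) instead.
        String newIp = request.getRemoteAddr();

        List<String> otherIps = new ArrayList<>();
        // Live sessions already registered for this principal (false = skip expired ones).
        for (SessionInformation info : registry.getAllSessions(auth.getPrincipal(), false)) {
            if (info.getSessionId().equals(newSessionId)) {
                continue; // same session re-authenticating, not a second login
            }
            otherIps.add(ipBySession.getOrDefault(info.getSessionId(), "unknown"));
            displacedBy.put(info.getSessionId(), newIp);
            info.expireNow(); // ConcurrentSessionFilter rejects this session's next request
        }

        registry.registerNewSession(newSessionId, auth.getPrincipal());
        ipBySession.put(newSessionId, newIp);
        if (!otherIps.isEmpty()) {
            // Notification for the user who just logged in (Jane in the question's scenario).
            request.getSession().setAttribute(OTHER_IPS_ATTR, String.join(", ", otherIps));
        }
    }

    /** Called by ConcurrentSessionFilter when a session marked expired makes its next request. */
    @Override
    public void onExpiredSessionDetected(SessionInformationExpiredEvent event)
            throws IOException, ServletException {
        String expiredId = event.getSessionInformation().getSessionId();
        String ip = displacedBy.remove(expiredId);
        ipBySession.remove(expiredId);

        // Notification for the user who was logged out (John in the question's scenario).
        HttpServletResponse response = event.getResponse();
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().print(
                "You have been automatically logged-out of the system.\n"
              + "Your login credential was used with IP Address (" + (ip == null ? "unknown" : ip) + ").\n"
              + "If you believe your account was compromised, please report it.");
    }

    /** Call this from an HttpSessionListener.sessionDestroyed so the maps do not grow forever. */
    public void forget(String sessionId) {
        ipBySession.remove(sessionId);
        displacedBy.remove(sessionId);
    }
}
```

Wiring, with Java config: pass the same instance as the session authentication strategy, composed after session-fixation protection (http.sessionManagement().sessionAuthenticationStrategy(new CompositeSessionAuthenticationStrategy(Arrays.asList(new ChangeSessionIdAuthenticationStrategy(), strategy)))), and as the expired-session strategy of the filter (http.addFilter(new ConcurrentSessionFilter(registry, strategy))). It replaces both ConcurrentSessionControlAuthenticationStrategy and RegisterSessionAuthenticationStrategy, so do not also configure maximumSessions(). Register HttpSessionEventPublisher as a servlet listener so SessionRegistryImpl drops destroyed sessions, and call forget() from the same listener. Two caveats a practitioner should weigh before shipping this: the requirement deliberately shows each party the other party's IP, which means an attacker who has the password learns the legitimate user's address at the moment of the takeover; and SessionRegistryImpl is in-memory per node, so on a cluster the registry has to be backed by a shared store or the two logins may never see each other.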