I have a requirement where I need to develop a Login flow for an Enterprise application that is a Spring MVC application integrated with Spring Security.
The requirement is that I should be restricting the user to one session. Example: I have users in two groups, A and B.
CASE A: (WHEN THERE ARE NO SESSIONS)
Users from group 'A' have a specific role, but when they log in and don't have a previous session, they should be given two options to select from: their existing role (or) another role (SPECIAL ROLE) that I should be updating in the application on the fly.
Users from group 'B' just log in and get to the dashboard without any choices.
CASE B: (WHEN THERE IS ALREADY AN ACTIVE SESSION)
Users from both groups should get an options form to choose whether they want to log out the previous session and log in here (OR) just go back to the user login page. When they select log out and log in here, the other session would be terminated (invalidated).
If they choose to go back to the login page, the previous session is not affected.
CASE C: (WHEN THERE IS ALREADY AN ACTIVE SESSION FOR A USER FROM GROUP 'A' WHO CHOSE THE SPECIAL ROLE)
- When any user from Group 'A' logs in, they should get a choice to log out the other user's session and log in here with the SPECIAL ROLE, or just log in with their actual role.
I am trying to develop this requirement with Spring Security, but when I configure session management the framework just logs out the other user and invalidates the old session. I should be giving a custom implementation to ConcurrentSessionFilter, or maybe at some other filter level (I am confused), where I can show the choices to the user and do the things. And also, when I use custom concurrent strategy classes, sessionRegistry.getAllPrincipals() is giving me an empty list, but when I configure the Spring Security sessionManagement().sessionRegistry(new SessionRegistryImpl()); I am able to get the populated principals.
I also tried a custom success handler and tried to redirect based on roles; it works fine, but it doesn't complete my requirement, and I am sure that I should be doing some custom implementation of a specific Spring Security filter in the chain to implement it, but I am just getting lost after days of reading and a lack of resources on session management using Spring Security.
I am stuck here, any help would be appreciated. This is the first time I am working with Spring Security and implementing session management.
Thanks in Advance :)
Using Spring Security, MVC, Core 4, Java config.
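The following is an added example, not code from the question or from Spring Security itself, showing one way the pieces described above can be wired with Spring Security 4 Java config: a single shared SessionRegistry (registered through maximumSessions(-1), which records every session and runs ConcurrentSessionFilter but never expires a session on its own), a success handler that consults the registry and redirects to a choice page when another live session for the same principal exists, and a controller that either expires the other sessions or abandons the new one. The paths /session/choice, /session/takeover, /session/abandon, /role/choice and /dashboard and the authority name ROLE_GROUP_A are assumed placeholders; views for the choice pages are not shown.

```java
// Added example (not the asker's code). Assumed names: ROLE_GROUP_A and the /session/*,
// /role/choice and /dashboard paths are placeholders for the application's own.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Configuration
@EnableWebSecurity
public class SessionChoiceSecurityConfig extends WebSecurityConfigurerAdapter {

    // ONE registry instance shared by the registration strategy, ConcurrentSessionFilter and the
    // success handler. A second "new SessionRegistryImpl()" created elsewhere is a classic reason
    // for getAllPrincipals() to come back empty: sessions land in a registry nobody reads.
    @Bean
    public SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); }

    // Removes a session from the registry when the container destroys it (logout, timeout,
    // invalidate()), so stale entries do not produce false "already logged in" conflicts.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() { return new HttpSessionEventPublisher(); }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()      // /session/* is only reachable once logged in
            .and().formLogin()
                .loginPage("/login")
                .successHandler(new SessionConflictSuccessHandler(sessionRegistry()))
            .and().sessionManagement()
                // -1 = unlimited: every session is registered and ConcurrentSessionFilter runs,
                // but nothing is expired automatically; the user decides on /session/choice.
                .maximumSessions(-1)
                .sessionRegistry(sessionRegistry())
                .expiredUrl("/login?expired");
    }
}

// Decides where a freshly authenticated user goes. The principal object must implement
// equals/hashCode consistently (Spring's User does), because SessionRegistryImpl keys by it.
class SessionConflictSuccessHandler implements AuthenticationSuccessHandler {
    private final SessionRegistry registry;
    SessionConflictSuccessHandler(SessionRegistry registry) { this.registry = registry; }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication auth) throws IOException, ServletException {
        String mySessionId = request.getSession().getId();
        boolean otherSessionActive = false;
        for (SessionInformation s : registry.getAllSessions(auth.getPrincipal(), false)) {
            if (!s.getSessionId().equals(mySessionId)) { otherSessionActive = true; break; }
        }
        String ctx = request.getContextPath();
        if (otherSessionActive) {
            response.sendRedirect(ctx + "/session/choice");   // CASE B / C: nothing invalidated yet
        } else if (auth.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_GROUP_A"))) {
            response.sendRedirect(ctx + "/role/choice");      // CASE A, group A: pick role or SPECIAL ROLE
        } else {
            response.sendRedirect(ctx + "/dashboard");        // CASE A, group B
        }
    }
}

@Controller
class SessionChoiceController {
    private final SessionRegistry registry;
    @Autowired
    SessionChoiceController(SessionRegistry registry) { this.registry = registry; }

    // "Log out the other session and log in here": expire only the caller's OWN other sessions.
    // ConcurrentSessionFilter invalidates them on their next request and sends them to expiredUrl.
    @RequestMapping(value = "/session/takeover", method = RequestMethod.POST)
    public String takeover(HttpServletRequest request) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String mySessionId = request.getSession().getId();
        for (SessionInformation s : registry.getAllSessions(auth.getPrincipal(), false)) {
            if (!s.getSessionId().equals(mySessionId)) { s.expireNow(); }
        }
        return "redirect:/dashboard";
    }

    // "Go back to the login page": drop the NEW session and clear its context; the earlier
    // session is untouched and HttpSessionEventPublisher removes this one from the registry.
    @RequestMapping(value = "/session/abandon", method = RequestMethod.POST)
    public String abandon(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        new SecurityContextLogoutHandler().logout(request, response, auth);
        return "redirect:/login";
    }
}
```

The takeover endpoint only ever looks up sessions for the caller's own principal, so an authenticated user cannot terminate anyone else's session; abandoning goes through SecurityContextLogoutHandler rather than a bare session.invalidate(), because otherwise the security context still held for the request could be saved into a brand-new session at the end of the request. Both endpoints are POST so that the choice cannot be triggered by a plain link.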