
This is my Security config

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/assets/**", "/register/**", "/", "/login**").permitAll()
            .antMatchers("/profile/**").hasAuthority("ROLE_1")
            .antMatchers("/actuator/**").hasAuthority("ROLE_2")
            // anyRequest() must be the last matcher; rules declared after it are never reached
            .anyRequest().authenticated()
            .and().formLogin().loginPage("/login").permitAll()
            // one session per principal; a second login is rejected rather than expiring the first
            .and().sessionManagement().maximumSessions(1).maxSessionsPreventsLogin(true).expiredUrl("/login?expired")
            // first and() leaves the concurrency sub-configurer, second returns to HttpSecurity
            .and().and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true)
            .and().csrf().disable();
    // .failureUrl("/fail");
}

This is to add HttpSessionEventPublisher to the app context

// Publishes HttpSession created/destroyed events so the session registry can track sessions
@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
    return new HttpSessionEventPublisher();
}

Please let me know what I am missing. I am still able to log in from two browsers using the same credentials.

    Did you check this: https://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-concurrent-sessions maybe the problem is `error-if-maximum-exceeded="true"` – Muhammed Ozdogan Aug 19 '18 at 11:07
  • Yes. I saw that. I thought this does the same - maxSessionsPreventsLogin(true) – Pradeep Reddy Aug 19 '18 at 13:21

1 Answer

I found the solution. It is to override the equals and hashCode methods of my User class, which implements UserDetails, based on the solutions below. Comparison of UserDetails objects for authenticated principals is how session concurrency is controlled / measured.

http://forum.spring.io/forum/spring-projects/security/99166-maximum-sessions-1-does-not-work

Spring Security maxSession doesn't work

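As an added example (not code from the question or the answer), a minimal hypothetical User class with the equals/hashCode override the answer describes, plus a main that uses Spring's SessionRegistryImpl to show why the override is needed; the field names and the ROLE_1 authority are assumptions.

```java
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical entity standing in for the asker's User class (fields trimmed to essentials).
public class User implements UserDetails {
    private final String username;
    private final String password;            // a BCrypt hash in a real application
    private final List<GrantedAuthority> authorities;

    public User(String username, String password, String... roles) {
        this.username = username;
        this.password = password;
        this.authorities = AuthorityUtils.createAuthorityList(roles);
    }

    // SessionRegistryImpl keys its principal map by the principal object, so each login of
    // the same account must yield a principal equal to the one already registered.
    // Identity is the account name, not the object instance.
    @Override
    public boolean equals(Object o) {
        return this == o || (o instanceof User && username.equals(((User) o).username));
    }

    @Override
    public int hashCode() { return Objects.hash(username); }

    @Override public String getUsername() { return username; }
    @Override public String getPassword() { return password; }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }

    // Two logins of "alice" from different browsers are two distinct User instances;
    // with the overrides the registry counts them as one principal holding two sessions.
    public static void main(String[] args) {
        SessionRegistryImpl registry = new SessionRegistryImpl();
        registry.registerNewSession("browser-A", new User("alice", "{hash}", "ROLE_1"));
        registry.registerNewSession("browser-B", new User("alice", "{hash}", "ROLE_1"));
        // Prints 2. Without equals/hashCode each instance is its own map key and this prints 0,
        // so the concurrency check at login never sees the existing session and lets it through.
        System.out.println(registry.getAllSessions(new User("alice", "{hash}", "ROLE_1"), false).size());
    }
}
```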