Missing example with Spring Security maximum sessions feature

[arnaldop]

There is no example to illustrate session management with maximum sessions.

The java code is:

            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login?expired")

but logout does not invalidate the login.

There are some forums that mention org.springframework.security.web.session.HttpSessionEventPublisher, but it's supposed to be added to web.xml, which Spring Boot doesn't use.

I can't piece it together into code that successfully logs the user out and allows for a new login.

[dsyer]

Did you try asking this question on StackOverflow? There are more eyeballs over there (and I'm not convinced this deserves a new sample on its own).

[arnaldop]

Yes, I have tried, and all of the answers point to solutions that seem like they should solve it, but nothing actually does. I have tried asking the question a few different ways to see if the lack of answers is due to how I'm asking the questions. Unfortunately, after a few comments with some additional info from me, the threads go dead.

There seems to be nothing on the web that conclusively and succinctly shows how to limit sessions (and prevent new logins, preferably) using Spring Security via Spring Boot.

Ideally I'd like to have it working with .maxSessionsPreventsLogin(false) and .maxSessionsPreventsLogin(true).

There has got to be an XML-less way of doing this, but it's not fully explained anywhere online. This is part of the reason I'm writing writing the Enhanced Pet Clinic.

[philwebb]

/cc @rwinch

[shainegordon]

I agree, I too cannot figure this out.

my base application is a maven spring boot 1.2.1.RELEASE app from http://start.spring.io/ with Spring Security enabled.

I have spent many hours trying to figure out how to actually get

.sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true);

to have any effect

[rwinch]

There are a few things going on here

• As mentioned previously, Spring Security requires a HttpSessionListener (HttpSessionEventPublisher) to be registered. It would be nice if Spring Boot documented how to register a HttpSessionListener. I created Document ServletListenerRegistrationBean #2518 to address this.
• Spring Security has a bug that means the SessionDestroyedEvent will not be received by the SessionRegistryImpl. The workaround is to explicitly provide the SessionRegistryImpl

A complete example can be found below:

@EnableWebMvcSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .antMatchers("/expired").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .and()
                .sessionManagement()
                    .maximumSessions(1)
                    .expiredUrl("/expired")
                    .maxSessionsPreventsLogin(true)
                    .sessionRegistry(sessionRegistry());
    }

    // Work around https://jira.spring.io/browse/SEC-2855
    @Bean
    public SessionRegistry sessionRegistry() {
        SessionRegistry sessionRegistry = new SessionRegistryImpl();
        return sessionRegistry;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER");
    }

    // Register HttpSessionEventPublisher
    @Bean
    public static ServletListenerRegistrationBean httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
    }
}

[shainegordon]

thank you @rwinch
adding the sessionRegistry() indeed fixed the issue

[cristiandley]

Im getting

The method and() is undefined for the type HttpSecurity

I actually grow a Stack Post and i also asked like 10 days ago on some forums but no response at all.

This is my code on line 89 is my warning :(

Im doing something bad for sure. Any idea ?

[arnaldop]

I copied your code into my codebase to quickly see what's happening.
It seems that addFilterAfter() returns HttpSecurity, while the other
methods return a class that extends HttpSecurityBuilder.

Since method calls to http are additive, you can make the call
to addFilterAfter be the last one in the chain, and then start a new chain
of calls to http methods, starting with sessionManagement().

But it does seem that addFilterAfter is not returning the same type as
other methods in the chain. It's not clear to my what that is.

Hope this helps.

On Mon, Jun 8, 2015 at 11:37 AM, Cristian Leyes notifications@github.com
wrote:

Im getting

The method and() is undefined for the type HttpSecurity

I actually grow a Stack Post
http://stackoverflow.com/questions/30713415/the-method-and-is-undefined-for-the-type-httpsecurity
and i also asked like 10 days ago on some forums but no response at all.

This is my code:

package org.dgi.helpdesk;
import java.io.IOException;import java.security.Principal;import java.util.HashMap;import java.util.Map;import java.util.UUID;
import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.ServletException;import javax.servlet.http.Cookie;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;import org.springframework.boot.SpringApplication;import org.springframework.boot.autoconfigure.SpringBootApplication;import org.springframework.boot.autoconfigure.security.SecurityProperties;import org.springframework.boot.context.embedded.ServletListenerRegistrationBean;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.core.annotation.Order;import org.springframework.data.jpa.repository.config.EnableJpaRepositories;import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;import org.springframework.security.config.annotation.web.builders.HttpSecurity;import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;import org.springframework.security.core.session.SessionRegistry;import org.springframework.security.core.session.SessionRegistryImpl;import org.springframework.security.web.csrf.CsrfFilter;import org.springframework.security.web.csrf.CsrfToken;import org.springframework.security.web.csrf.CsrfTokenRepository;import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;import org.springframework.security.web.session.HttpSessionEventPublisher;import org.springframework.security.web.util.AntPathRequestMatcher;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.RestController;import org.springframework.web.filter.OncePerRequestFilter;import org.springframework.web.util.WebUtils;

@EnableJpaRepositories
@SpringBootApplication
@RestControllerpublic class Application{

@RequestMapping("/user")
public Principal user(Principal user) {
    return user;
}

public static void main(String[] args) {
    SpringApplication.run(Application.class, args);
}

/**     * CONFIGURACION DEL ADAPTADOR DE SEGURIDAD     * PERMITIRLE A SPRING QUE PUBLIQUE CIERTAS DIRECCIONES     */
@EnableWebMvcSecurity
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.httpBasic().disable();

        http.authorizeRequests().anyRequest().authenticated();

        http.authorizeRequests()
            .antMatchers("/login", "/error" , "/error.html")
            .permitAll()
            .anyRequest()
            .fullyAuthenticated()
            /*.permitAll().anyRequest().authenticated()*/

        .and()
            .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/")
            .permitAll()

        .and()
            .csrf().csrfTokenRepository(csrfTokenRepository())

        .and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)

        .and()
            .sessionManagement()
            .maximumSessions(1)
            .expiredUrl("/expired")
            .maxSessionsPreventsLogin(true)
            .sessionRegistry(sessionRegistry());


    }


    /**         * REEMPLAZAR CRF DE ANGULAR EN FILTRO POR ESTE MODULO         * XSRF-TOKEN         * A DIFERENCIA DEL PUBLICADO A MANO ESTE SE COMUNICA DIRECTO CON ANGULAR Y NO CON DOM         */
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
                    .getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (cookie == null || token != null
                        && !token.equals(cookie.getValue())) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                    cookie.setPath("/");
                    response.addCookie(cookie);
                }
            }
            filterChain.doFilter(request, response);
        }
    };
}

    /**         * CRF REPOSITORY         */
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

    /**         *  SESSION         */
    // Work around https://jira.spring.io/browse/SEC-2855
    @Bean
    public SessionRegistry sessionRegistry() {
        SessionRegistry sessionRegistry = new SessionRegistryImpl();
        return sessionRegistry;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER");
    }

    // Register HttpSessionEventPublisher
    @Bean
    public static ServletListenerRegistrationBean httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
    }

}

}

—
Reply to this email directly or view it on GitHub
#1537 (comment)
.

[cristiandley]

Thanks Arnaldop

I keep having the same issue... if i click "logout", angular actually redirects to my "/" but quickly returns to "/home" :(

Seems that the session still valid because i cant reach POST http://localhost:8080/logout 403 (Forbidden)

This is my code now:

http
                .authorizeRequests()
                .antMatchers("/**")
                .permitAll().anyRequest().authenticated()
            .and()
                .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/")
                .permitAll()
            .and()
                .csrf().csrfTokenRepository(csrfTokenRepository())
            .and()
                .sessionManagement()
                .maximumSessions(1)
                .expiredUrl("/expired")
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry());

[arnaldop]

Do you have this?

// Register HttpSessionEventPublisher
@Bean
public static
ServletListenerRegistrationBean
httpSessionEventPublisher() {
return new
ServletListenerRegistrationBean(new
HttpSessionEventPublisher());
}


On Mon, Jun 8, 2015 at 12:17 PM, Cristian Leyes notifications@github.com
wrote:

I keep having the same issue... if i click "logout", angular actually
redirects to my "/" but quickly returns to "/home" :(

Seems that the session still valid

This is my code now:

http
.authorizeRequests()
.antMatchers("/**")
.permitAll().anyRequest().authenticated()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.permitAll()
.and()
.csrf().csrfTokenRepository(csrfTokenRepository())
.and()
.sessionManagement()
.maximumSessions(1)
.expiredUrl("/expired")
.maxSessionsPreventsLogin(true)
.sessionRegistry(sessionRegistry());

—
Reply to this email directly or view it on GitHub
#1537 (comment)
.