tags:

views:

515

answers:

3
+1  Q: 

Spring Security Max Login Session

Hi. I have a problem with my j2ee application using spring security. I set max-sessions in concurrent-session-control to 1. Now it works fine when I try to Login the second time it will stop me. But when I logout the other one and try to login again I still get this same message.

Your login attempt was not successful, try again. Reason: Maximum sessions of 1 for this principal exceeded

I have this in my http security

 <security:logout logout-url="/logout.do"
  invalidate-session="true" logout-success-url="/logoutSuccess.do" />
 <security:concurrent-session-control
  max-sessions="1" exception-if-maximum-exceeded="true" expired-url="/loginform.do" />
A: 

Hi, please check that the error page is not cached (press F5) and look in the logs to see if the logout is working fine.

rodrigoap  2010-01-04 15:39:15
I pressed F5 and the message is still there. What does it mean
cedric  2010-01-05 08:09:08
A: 
  1. Make sure your Spring Security Filters run before your Struts Filter.
  2. Set a break point at Spring Security's LogoutFilter.doFilterHttp method. Make sure that part runs properly.
lsiu  2010-01-07 01:29:32
A: 

It's been quite a while since you posted this, but if anyone else is having this problem I believe this behavior will occur if you don't add org.springframework.security.web.session.HttpSessionEventPublisher as a listener in your web.xml.

See here:

Adding the listener to web.xml causes an ApplicationEvent to be published to the Spring ApplicationContext every time a HttpSession commences or terminates. This is critical, as it allows the SessionRegistryImpl to be notified when a session ends. Without it, a user will never be able to log back in again once they have exceeded their session allowance, even if they log out of another session or it times out.
ajduff574  2010-09-08 19:48:48

related questions

Acegi/Spring Security Grails plug-in not seeing changes to a User instance
different DelegatingFilterProxy and FilterToBeanProxy
How to immediately enable the authority after update user authority in spring security?
springdoclet usage?
Grails Security Problem and Search Engine optimization
Spring Security: Advice needed on how to handle GrantedAuthority
Why is my (Spring Security) servlet filter getting called twice?
Grails Acegi Plugin springsecurity.GrailsDaoImpl - User [admin] has no GrantedAuthority
Spring Security: What is the UserDetailsManager interface used for? And more!
Combining namespace based configuration with different authentication methods in spring-security
Spring Security: Custom Authentication Provider for 'one time password' and 'securit questions'
Spring Security: How to get the initial target url
Permissions checking in server-side API
Cannot locate 'org.springframework.security.annotation.Jsr250MethodDefinitionSource'
How to grant access for all authenticated users?
Spring embedded ldap server in unit tests
What are some good sample applications using Spring and Hibernate?
Problem migrating Spring Web App from tomcat 5.5 to tomcat 6.0
How to throw an informative exception from AccessDecisionManager that uses voters
How can I determine what roles are required to access a URL with Spring Security?
Creating a custom authentication with Acegi/Spring Security
Unit testing with Spring Security
Securing Remote Access over JMXMP with Spring Security
When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
Spring security: adding "On unsuccessful login event listener"