James Jefferies and ShedCode Ltd

The world of James and ShedCode

Concurrent HTTP Session Management With Spring Security

| Comments

Spring Security (formerly Acegi) is a useful framework for adding security to webapps. Directories, pages and the like can all be controlled with various user roles and methods can be annotated too, ensuring a belt and braces approach.

The setting to switch it on in the configuration is just this (within the other security config):

<security:concurrent-session-control max-sessions="1" expired-url="/already-logged-in.faces"/>

and as you can see, you can set a url for spring to redirect to if you already have a session somewhere else. The gotcha though seems to be that unless you configure  a listener, it may not know when the session has expired (i.e. if you don’t log out).

so, in the good old web.xml, add this little puppy to listen out for expired sessions…


hopefully, job is a good ‘un