I followed the example below to integrate Spring Security in Wicket.
https://github.com/thombergs/wicket-spring-security-example.
I changed the spring-security.xml file to configure concurrency control as follows.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- NOTE(review): create-session="never" tells Spring Security not to create an HttpSession itself, while
concurrency-control below depends on the login session being registered in sessionRegistry; confirm that
the sessions created by Wicket are actually registered (the question reports that multiple logins still succeed). -->
<http use-expressions="true" create-session="never" auto-config="true">
<!-- <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"
/> -->
<!-- <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" /> -->
<!-- every rule below forces HTTPS; public pages and static assets are permitAll, the /secure tree needs a login -->
<intercept-url pattern="/" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/home" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/login" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/**/*.png" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/**/*.css" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"
requires-channel="https" />
<intercept-url pattern="/secure/**" access="isAuthenticated()"
requires-channel="https" />
<!-- <intercept-url pattern="/**" access="permitAll" requires-channel="https"
/> -->
<!-- the login page is a wicket page mounted in WicketApplication.init() -->
<form-login login-page="/login" default-target-url='/home'
always-use-default-target='true' />
<!-- NOTE(review): session-registry-alias="authenticationManager" reuses the alias that the
<authentication-manager> element below declares, so two beans compete for the same alias; since
session-registry-ref already points at sessionRegistry, the alias attribute looks unnecessary. -->
<session-management>
<concurrency-control max-sessions="1"
session-registry-alias="authenticationManager" expired-url="/login"
error-if-maximum-exceeded="true" session-registry-ref="sessionRegistry" />
</session-management>
<!-- <session-management session-authentication-error-url="/login"> <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> </session-management> -->
<!-- <session-management invalid-session-url="/login" /> -->
</http>
<!-- <beans:bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" /> <beans:property name="authenticationManager" ref="authenticationManager" /> </beans:bean> -->
<authentication-manager alias="authenticationManager">
<authentication-provider>
<!-- NOTE(review): in-memory demo accounts with plaintext passwords; no password encoder is configured on this provider -->
<user-service>
<user name="rod" password="koala" authorities="supervisor, teller, user" />
<user name="dianne" password="emu" authorities="teller, user" />
<user name="scott" password="wombat" authorities="user" />
<user name="peter" password="opal" authorities="user" />
</user-service>
</authentication-provider>
</authentication-manager>
<!-- NOTE(review): this filter bean is never placed in the chain: the custom-filter that referenced it
(CONCURRENT_SESSION_FILTER) is commented out above, and <concurrency-control> presumably installs its own. -->
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/login" />
</beans:bean>
<!-- <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="maximumSessions" value="1" /> </beans:bean> -->
<!-- registry that concurrency-control consults to count live sessions per principal -->
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" autowire="default" />
<!-- This filter is responsible for storing the SecurityContextHolder between
requests. Also see SecureWebSession.authenticate().
NOTE(review): the bean is declared here but not referenced anywhere in this file. -->
<beans:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
</beans:beans>
web.xml file:
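<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>wicket-spring-security-example</display-name>
<!-- root Spring context: only the security configuration is loaded -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:spring-security.xml
</param-value>
</context-param>
<listener>
<!-- the element name must be listener-class; whitespace inside a tag name is not well-formed XML -->
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- forwards HttpSession created/destroyed events to Spring Security so the concurrency-control session registry can track sessions -->
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
<!-- DelegatingFilterProxy hands each request to the Spring bean named springSecurityFilterChain -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>wicket.wicket-spring-security-example</filter-name>
<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
<init-param>
<param-name>applicationClassName</param-name>
<param-value>org.wickedsource.WicketApplication</param-value>
</init-param>
</filter>
<!-- mapping order matters: the security chain is mapped first so it runs before the Wicket filter -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>wicket.wicket-spring-security-example</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- NOTE(review): session-timeout is in minutes, so sessions expire after one idle minute -->
<session-config>
<session-timeout>1</session-timeout>
</session-config>
</web-app>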
My questions:
1) Concurrency control is not working with the above configuration. I am able to log in from multiple browsers.
2) Single sign-in per user (I mean, if user 'x' is logged in and the same user 'x' logs in again, I want to invalidate the previously logged-in session). How can I achieve this?
1) It probably doesn't work because session management in the example is handled by Wicket and not by Spring Security, so you must find a way to enable this in Wicket.
2) The Wicket Session class has the method replaceSession() that you can use to create a new session on login. Try this.
I'm trying to get a refresh token from the OAuth service but I get an error.
Here is my code:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd ">
<!-- This is default url to get a token from OAuth -->
<!-- stateless chain for the token endpoint: the client itself must authenticate here, either via HTTP Basic
or through the client-credentials filter placed after it -->
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<!-- This is where we tells spring security what URL should be protected
and what roles have access to them -->
<!-- resource-server chain: every other URL requires ROLE_ADMIN; with anonymous disabled, unauthenticated
requests are handed to oauthAuthenticationEntryPoint -->
<http pattern="/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/**" access="ROLE_ADMIN" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test" />
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<!-- authenticates clients that send client_id/client_secret as request parameters instead of HTTP Basic -->
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>
<!-- unanimous voting: scope, role and authentication voters must all agree -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<!-- authenticates OAuth clients (backed by the client-details-service) as opposed to end users -->
<authentication-manager id="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<!-- Authentication manager -->
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<!-- NOTE(review): single in-memory user with a plaintext password; no password encoder is configured -->
<user-service id="userDetailsService">
<user name="admin" password="password" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<!-- This defined token store, we have used inmemory tokenstore for now
but this can be changed to a user defined one -->
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
<!-- This is where we defined token based configurations, token validity
and other things -->
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<!-- NOTE(review): access tokens expire after 10 seconds here, while the client declared below sets
access-token-validity="30"; confirm which value takes precedence for this client -->
<property name="accessTokenValiditySeconds" value="10" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="userApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
<property name="tokenServices" ref="tokenServices" />
</bean>
<oauth:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
resource-id="test" token-services-ref="tokenServices" />
<!-- NOTE(review): no client-secret is declared for this client, yet /oauth/token above requires the client
to authenticate (http-basic plus ClientCredentialsTokenEndpointFilter); confirm how client authentication
is expected to succeed. "redirect" is also not a standard OAuth2 grant type; verify it is intended. -->
<oauth:client-details-service id="clientDetails">
<oauth:client client-id="my-trusted-client"
authorized-grant-types="password,authorization_code,refresh_token,implicit,redirect"
authorities="ROLE_ADMIN" redirect-uri="/web" scope="read,write,trust"
access-token-validity="30" refresh-token-validity="600" />
</oauth:client-details-service>
<sec:global-method-security
pre-post-annotations="enabled" proxy-target-class="true">
<!--you could also wire in the expression handler up at the layer of the
http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<!-- NOTE(review): oauthWebExpressionHandler is declared but not referenced anywhere in this file -->
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
</beans>
and this is the URL I'm trying:
http://localhost:9090/SpringSecurity/oauth/token?grant_type=password&client_id=my-trusted-client&username=admin&password=password
If I run this URL in Postman I get this error:
{
"error": "unauthorized",
"error_description": "No client with requested id: "
}
Spring Security relies on the Spring MVC framework to deal with requests and responses. Therefore the MVC framework needs to be included and properly set up for Spring Security OAuth to work.
<!-- enables annotation-driven Spring MVC request handling (@Controller / @RequestMapping) in the dispatcher context -->
<mvc:annotation-driven />
in my mvc-dispatcher-servlet.xml:
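<!-- the opening tag was split across two lines ("<" then "beans"), which is not well-formed XML -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<!-- static resources served directly, bypassing controllers -->
<mvc:resources mapping="/resources/**" location="/resources/"/>
<!-- annotation-driven controllers; the OAuth token endpoint is an MVC endpoint and needs this -->
<mvc:annotation-driven />
<context:annotation-config />
<!-- NOTE(review): base-package is usually a plain package name; the trailing ".*" is unusual, confirm it scans as intended -->
<context:component-scan base-package="com.mkyong.*" />
<!-- JSP view resolution: view name "foo" maps to /WEB-INF/pages/foo.jsp -->
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/pages/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>
</beans>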
I have a very strange problem. I am trying to use Spring Security (4.1.0) for user authentication on a WildFly server. I tried WildFly 9 and 10.
My authentication data is stored after the login and Spring can use it when it calls getAuthentication() on the SecurityContext, but if I call
SecurityContextHolder.getContext().getAuthentication() it returns null. I have already noticed that I get a different SecurityContextImpl (different object ID).
I have already tried the three different modes of SecurityContextHolder, but it made no difference.
My security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.2.xsd">
<!-- bcrypt encoder, injected into loginService below for password verification -->
<b:bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<!-- affirmative voting with a single custom voter; allowIfAllAbstainDecisions=false denies when the voter abstains -->
<b:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<b:property name="allowIfAllAbstainDecisions" value="false" />
<b:constructor-arg>
<b:list>
<b:bean class="tool.security.RightVoter" />
</b:list>
</b:constructor-arg>
</b:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="loginAuthenticationProvider" />
</authentication-manager>
<!-- custom login filter that replaces the namespace FORM_LOGIN_FILTER (see custom-filter inside <http>) -->
<b:bean id="authenticationProcessingFilter"
class="tool.security.AuthenticationProcessingFilter">
<b:constructor-arg value="/processLogin" /> <!-- defaultFilterProcessesUrl -->
<b:property name="authenticationManager" ref="authenticationManager" />
<!-- <b:property name="filterProcessesUrl" value="/processLogin" /> -->
<b:property name="authenticationSuccessHandler">
<b:bean
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<b:property name="alwaysUseDefaultTargetUrl" value="true" />
<b:property name="defaultTargetUrl" value="/initLogin" />
</b:bean>
</b:property>
<b:property name="authenticationFailureHandler">
<b:bean class="tool.security.LoginFailureHandler">
<b:property name="redirectUrl" value="/login" />
</b:bean>
</b:property>
</b:bean>
<b:bean id="loginExistsFilter" class="tool.security.LoginExistsFilter">
<b:property name="loginUrl" value="/login" />
</b:bean>
<b:bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<b:constructor-arg value="/login" /> <!-- loginFormUrl -->
</b:bean>
<b:bean id="loginAuthenticationProvider"
class="tool.security.LoginAuthenticationProvider">
<b:property name="loginService" ref="loginService" />
</b:bean>
<b:bean id="loginService" class="tool.security.LoginServiceImpl">
<b:property name="userDao" ref="userDao" />
<b:property name="userTF" ref="userTF" />
<b:property name="passwordEncoder" ref="passwordEncoder" />
</b:bean>
<b:bean id="userDao" class="tool.user.impl.MongoUserDao"></b:bean>
<b:bean id="userTF" class="tool.user.UserTFImpl"></b:bean>
<!-- NOTE(review): security="none" takes these paths out of the Spring Security filter chain entirely
(no SecurityContext is populated for them); make sure /login and /loginRedirect never need the principal -->
<http security="none" pattern="/css/**" />
<http security="none" pattern="/js/**" />
<http security="none" pattern="/login" />
<http security="none" pattern="/loginRedirect" />
<http security="none" pattern="/invalidbrowser" />
<http entry-point-ref="authenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager">
<session-management invalid-session-url="/login?timeout=1"
session-fixation-protection="newSession">
<!-- NOTE(review): the login is performed by the custom FORM_LOGIN_FILTER below, which only has
authenticationManager and the handlers injected; presumably it also needs the session-authentication
strategy set on it for max-sessions and fixation protection to apply to that login. Confirm. -->
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</session-management>
<custom-filter ref="authenticationProcessingFilter"
position="FORM_LOGIN_FILTER" />
<custom-filter ref="loginExistsFilter" before="FILTER_SECURITY_INTERCEPTOR" />
<!-- NOTE(review): CSRF protection is switched off for the whole application, so state-changing
requests carry no CSRF token check -->
<csrf disabled="true" />
</http>
<global-method-security
access-decision-manager-ref="accessDecisionManager"
secured-annotations="enabled" />
<!-- NOTE(review): the closing </b:beans> tag is missing from the listing as posted -->
I solved the problem by moving my call to SecurityContextHolder.getContext().getAuthentication(): it was initially located in an included Maven project; now it is in the same project and I have access to the same SecurityContextImpl instance.
This is my security configuration file. Any idea how to implement this? I have been working on this for the last 3 days but have not found the solution. Your help is appreciated.
<!-- auto-config="false": the login filter is supplied explicitly below as testFilter -->
<http access-denied-page="/WEB-INF/pages/accessdenied.jsp"
auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<logout invalidate-session="true" logout-success-url="/logout.html" delete-cookies="JSESSIONID" />
<intercept-url pattern="/login" access="permitAll" />
<!-- NOTE(review): method="GET" restricts this rule to GET requests; POST/PUT/DELETE to /admin/** are not
matched by it, and no catch-all /** rule appears in this fragment. Confirm those requests are covered elsewhere. -->
<intercept-url pattern="/admin/**" method = "GET" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/welcome.html" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<custom-filter position="FORM_LOGIN_FILTER" ref="testFilter" />
</http>
<!-- NOTE(review): the class name contains a double dot ("com.test.dev..") which is likely a typo in the fully qualified name -->
<beans:bean id="testFilter"
class="com.test.dev..PreUsernamePasswordAuthenticationFilter">
<!-- NOTE(review): postOnly="false" lets the login filter accept credentials on GET requests, i.e. in the
query string, where they end up in browser history and server/proxy logs -->
<beans:property name="postOnly" value="false" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureHandler" ref="failureHandler" />
<beans:property name="authenticationSuccessHandler" ref="successHandler" />
</beans:bean>
<beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/welcome.html" />
<beans:property name="alwaysUseDefaultTargetUrl" value="true" />
</beans:bean>
<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/loginfailed.html" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.html" />
</beans:bean>
<!-- userDetailsService is referenced but not defined in this fragment -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService">
</authentication-provider>
</authentication-manager>
<security:global-method-security
secured-annotations="enabled" jsr250-annotations="enabled"
pre-post-annotations="enabled">
</security:global-method-security>
Add this filter to your web.xml file and import your spring security.xml file into the application-context.xml file.
<!-- DelegatingFilterProxy forwards to the Spring bean with the same name (springSecurityFilterChain), so the filter-name must not be changed -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- apply the security chain to every request -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- NOTE(review): dangling <filter> start tag below; the snippet appears truncated here -->
<filter>
What do I have to do to not require login on the main page?
This is part of applicationContext-Security.xml:
<http auto-config="true" use-expressions="true">
<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
<logout logout-url="/resources/j_spring_security_logout" />
<!-- Configure these elements to secure URIs in your application -->
<!-- rules are checked top to bottom and the first match wins -->
<intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/member/**" access="isAuthenticated()" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/login/**" access="permitAll" />
<!-- catch-all: any URL not matched above (including the main page) requires a login -->
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
Did you try this?
<!-- NOTE(review): security='none' takes /home out of the security filter chain entirely, so that page
cannot read the logged-in principal; an intercept-url with access="permitAll" inside <http> keeps the
page public while still populating the SecurityContext -->
<http pattern="/home" security='none' />
Put it at the same level as your <http> tag.
Try something like this:
<http auto-config="true" use-expressions="true">
<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
<logout logout-url="/resources/j_spring_security_logout" />
<!-- Configure these elements to secure URIs in your application -->
<intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/member/**" access="isAuthenticated()" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/login/**" access="permitAll" />
<!-- the two new rules must stay above the /** catch-all: rules are evaluated in order and the first match wins -->
<intercept-url pattern="/index" access="permitAll" /> <!-- new -->
<intercept-url pattern="/" access="permitAll" /> <!-- new -->
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
The intercept-url elements are evaluated in order and the first matching one is used. So, if you add the "/index" and "/" patterns before "/**", those matches will be applied.
I have a spring mvc webapp using spring security and one thing I would like to do every time a user logs in is log the number of concurrent users on the system.
To do this I have given my session registry an alias and then I autowire into a class and say...
// snapshot of every principal currently known to the session registry; empty if no session was ever registered
List<Object> principals = sessionRegistry.getAllPrincipals();
// NOTE(review): slf4j's MDC.put takes (String, String); passing an int may not compile there. Confirm which MDC class is in use.
MDC.put(MDCKeyConstants.CONCURRENT_USER_COUNT, principals.size());
but principals.size() comes back as 0, i.e. the principals list is empty. Am I missing something else that I need to configure?
Sorry for the long post, but I'm putting my Spring Security config here to try and get some help with the issue. Thanks in advance.
<http use-expressions="true" auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
<!-- custom filters -->
<!-- NOTE(review): this custom filter replaces the namespace login filter; the bean below only gets
authenticationManager and the two handlers injected (no session-authentication strategy), so presumably
nothing registers the new session in the concurrency-control registry, which would explain why
getAllPrincipals() comes back empty. Confirm. -->
<custom-filter position="FORM_LOGIN_FILTER" ref="twoFactorAuthenticationFilter" />
<!-- securityLoggingFilter is referenced but not defined in this listing -->
<custom-filter after="SECURITY_CONTEXT_FILTER" ref="securityLoggingFilter"/>
<!-- session management -->
<session-management
invalid-session-url="/sessionExpired.htm"
session-authentication-error-url="/alreadyLoggedIn.htm">
<concurrency-control
max-sessions="1"
expired-url="/sessionExpiredDuplicateLogin.htm"
error-if-maximum-exceeded="false"
session-registry-alias="sessionRegistry"/>
</session-management>
<!-- error handlers -->
<access-denied-handler error-page="/accessDenied.htm"/>
<!-- logout -->
<!-- NOTE(review): invalidate-session="false" leaves the server-side HttpSession alive after logout; only the
JSESSIONID cookie is deleted on the client. Confirm this is intended. -->
<logout logout-success-url="/logout.htm" invalidate-session="false" delete-cookies="JSESSIONID"/>
<!-- authorize pages -->
<!-- NOTE(review): there is no /** catch-all, so URLs not listed here presumably pass without an authorization check -->
<intercept-url pattern="/home.htm" access="isAuthenticated()" />
<intercept-url pattern="/shortsAndOvers.htm" access="isAuthenticated()" />
<intercept-url pattern="/shortsAndOversDaily.htm" access="isAuthenticated()" />
<intercept-url pattern="/birtpage.htm" access="isAuthenticated()" />
<intercept-url pattern="/reports/show.htm" access="isAuthenticated()" />
</http>
<!-- =============================== -->
<!-- AUTHENTICATION BEANS -->
<!-- =============================== -->
<!-- userDetailsDao and encoder are referenced but not defined in this listing -->
<beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsDao" />
<beans:property name="passwordEncoder" ref="encoder" />
</beans:bean>
<beans:bean id="twoFactorAuthenticationFilter" class="com.mycompany.reporting.security.TwoFactorAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureHandler" ref="failureHandler" />
<beans:property name="authenticationSuccessHandler" ref="successHandler" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<!-- credentials are only accepted on POST, never from the query string -->
<beans:property name="postOnly" value="true" />
</beans:bean>
<beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.htm" />
</beans:bean>
<beans:bean id="successHandler" class="com.mycompany.reporting.security.CustomSavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/home.htm" />
</beans:bean>
<beans:bean id="failureHandler" class="com.mycompany.reporting.security.CustomSimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/loginfailed.htm" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="authenticationProvider"></authentication-provider>
</authentication-manager>
Try this. It has worked for me.
in <http></http>,
<!-- points the login flow at the sas bean (ConcurrentSessionControlStrategy) declared separately -->
<session-management session-authentication-strategy-ref="sas" invalid-session-url="/invalid-session" />
And declare beans as follows:
<!-- registry that records each principal's live sessions; it is what getAllPrincipals() reads from -->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
<!-- NOTE(review): when the login is done by a custom FORM_LOGIN_FILTER, this strategy presumably also has to be
injected into that filter's sessionAuthenticationStrategy property, otherwise the session is never registered -->
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
And do not forget to add the org.springframework.security.web.session.HttpSessionEventPublisher listener to your web configuration.