How do you restrict a user to login from multiple browsers /tabs in spring security?












I recently went to an interview and they asked me this question. I wasn't prepared for this; I simply brought up the database because that's what I do when I can't find a solution, even though I know it's bad programming. I told them to make an extra column called "status" in the users table, so that when a user logs in from one browser the status is changed, and if he tries to log in again from another browser we check whether the user is already logged in, to avoid multiple logins from different browsers. He didn't seem impressed (I wasn't expecting it either). He asked me how to do it using Spring Security. I actually have no idea. Can someone please give me an answer and an optimized solution with an example? Please, I need it.










      java spring security servlets java-ee






      asked Nov 27 '18 at 13:34









      On the Top

          1 Answer
          The solution is supported out of the box by Spring Security.



          From the Spring documentation:




          Concurrent Session Control



          If you wish to place constraints on a single user's ability to log in to your application, Spring Security supports this out of the box with the following simple additions. First you need to add the following listener to your web.xml file to keep Spring Security updated about session lifecycle events:




          <listener>
              <listener-class>
                  org.springframework.security.web.session.HttpSessionEventPublisher
              </listener-class>
          </listener>



          Then add the following lines to your application context:




          <http>
              ...
              <session-management>
                  <concurrency-control max-sessions="1" />
              </session-management>
          </http>



          This will prevent a user from logging in multiple times - a second login will cause the first to be invalidated. Often you would prefer to prevent a second login, in which case you can use




          <http>
              ...
              <session-management>
                  <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
              </session-management>
          </http>



          The second login will then be rejected. By “rejected”, we mean that the user will be sent to the authentication-failure-url if form-based login is being used. If the second authentication takes place through another non-interactive mechanism, such as “remember-me”, an “unauthorized” (402) error will be sent to the client. If instead you want to use an error page, you can add the attribute session-authentication-error-url to the session-management element.



          If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly. More details can be found in the Session Management chapter.


















          answered Nov 27 '18 at 13:52









          STaefi














          • Thanks bro...tysm 😊

            – On the Top
            Nov 27 '18 at 15:56











          • @OntheTop: Glad that helped! :-)

            – STaefi
            Nov 28 '18 at 13:02


















