Not able to prevent multiple concurrent login from the same user in spring security with spring boot

** Here I have edited my code as to see that i’m currently using in memory authentication for this purpose

Here is my Security configuration file, What I want to achieve is for one user to not have concurrent sessions. With this code I can login with same user on multiple tabs. Eventhough the user has an active session Can anyone help me with this.I’m a newbie at Spring security Thanks in Advance**

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser(username).password(password).roles("OPERATIONAL");
        auth.inMemoryAuthentication().withUser(sysUsername).password(sysPassword).roles("OPERATIONAL");
    }
    
    @Override
    public void configure(WebSecurity web) throws Exception {

        web.ignoring().antMatchers("/initialPage").and().ignoring().antMatchers("/WEB-INF/**").and().ignoring()
                .antMatchers("/sp/processRequest").antMatchers("/WEB-INF/**").and().ignoring()
                .antMatchers("/sp/rest/getChannelCodeOnMID").antMatchers("/createRazorpayOrder").and().ignoring()
                .antMatchers("/createRazorpayOrder").antMatchers("/sp/rest/getNonPreferredEntities").and().ignoring()
                .antMatchers("/sp/rest/getNonPreferredEntities").antMatchers("/sp/rest/getChargesDetailsOnChannel")
                .and().ignoring().antMatchers("/sp/rest/getChargesDetailsOnChannel").antMatchers("/paymentResponse")
                .and().ignoring().antMatchers("/paymentResponse").antMatchers("/RedirectpaymentResponse").and()
                .ignoring().antMatchers("/RedirectpaymentResponse").and().ignoring().antMatchers("/testMerchantPage")
                .and().ignoring().antMatchers("/sp/rest/generateChecksum").and().ignoring().antMatchers("/pushResponse")
                .and().ignoring().antMatchers("/sp/rest/getServiceDetails")
                .and().ignoring().antMatchers("/errorPage")
                .and().ignoring().antMatchers("/getResponse")
                .and().ignoring().antMatchers("/css/**")
                .and().ignoring().antMatchers("/js/**")
                .and().ignoring().antMatchers("/img/qrcode/**")
                .and().ignoring().antMatchers("/sp/rest/getCancelRequest")
                .and().ignoring().antMatchers("/sp/rest/checkTxnStatusOnOrderId")
                .and().ignoring().antMatchers("/pushResponse")
                .and().ignoring().antMatchers("/paymentStatusApi");
        
    }

    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        
        http.csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("**/login")).and().authorizeRequests().antMatchers("**/api/v1/getPricingDtls").permitAll()
        .antMatchers("/merchantCreationOrView").hasRole("OPERATIONAL").and().authorizeRequests()
        .antMatchers("/merchantCreation").hasRole("OPERATIONAL")
        .antMatchers("/merchantView").hasRole("OPERATIONAL")
        .antMatchers("/merchantRenderedView").hasRole("OPERATIONAL")
        .antMatchers("/viewMerchantDetails").hasRole("OPERATIONAL")
        .antMatchers("/saveMerchantDetails").hasRole("OPERATIONAL")
        .antMatchers("/download").hasRole("OPERATIONAL")
        .antMatchers("/downloadSettlement").hasRole("OPERATIONAL")
        .and().formLogin().loginPage("/login").
        defaultSuccessUrl("/merchantCreationOrView",true).failureUrl("/login?error").permitAll()
        .and()
          .sessionManagement()
          .sessionCreationPolicy(SessionCreationPolicy.NEVER)
          .maximumSessions(1)
          .maxSessionsPreventsLogin(true).
          sessionRegistry(sessionRegistry())
          ;
    }

    @Bean
    SessionRegistry sessionRegistry() {         
        return new SessionRegistryImpl();
    }
    @Bean
    public static ServletListenerRegistrationBean httpSessionEventPublisher() { //(5)
        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
    }
    
    
    
    @Bean
    public CustomBasicAuthenticationEntryPoint getBasicAuthenticationEntryPoint() {
        
        return new CustomBasicAuthenticationEntryPoint();
    }
    

    

}

JavaScript
​x
 
@Configuration@EnableGlobalMethodSecurity(prePostEnabled = true)public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {​​    @Autowired    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {        auth.inMemoryAuthentication().withUser(username).password(password).roles("OPERATIONAL");        auth.inMemoryAuthentication().withUser(sysUsername).password(sysPassword).roles("OPERATIONAL");    }        @Override    public void configure(WebSecurity web) throws Exception {​        web.ignoring().antMatchers("/initialPage").and().ignoring().antMatchers("/WEB-INF/**").and().ignoring()                .antMatchers("/sp/processRequest").antMatchers("/WEB-INF/**").and().ignoring()                .antMatchers("/sp/rest/getChannelCodeOnMID").antMatchers("/createRazorpayOrder").and().ignoring()                .antMatchers("/createRazorpayOrder").antMatchers("/sp/rest/getNonPreferredEntities").and().ignoring()                .antMatchers("/sp/rest/getNonPreferredEntities").antMatchers("/sp/rest/getChargesDetailsOnChannel")                .and().ignoring().antMatchers("/sp/rest/getChargesDetailsOnChannel").antMatchers("/paymentResponse")                .and().ignoring().antMatchers("/paymentResponse").antMatchers("/RedirectpaymentResponse").and()                .ignoring().antMatchers("/RedirectpaymentResponse").and().ignoring().antMatchers("/testMerchantPage")                .and().ignoring().antMatchers("/sp/rest/generateChecksum").and().ignoring().antMatchers("/pushResponse")                .and().ignoring().antMatchers("/sp/rest/getServiceDetails")                .and().ignoring().antMatchers("/errorPage")                .and().ignoring().antMatchers("/getResponse")                .and().ignoring().antMatchers("/css/**")                .and().ignoring().antMatchers("/js/**")                .and().ignoring().antMatchers("/img/qrcode/**")                .and().ignoring().antMatchers("/sp/rest/getCancelRequest")                .and().ignoring().antMatchers("/sp/rest/checkTxnStatusOnOrderId")                .and().ignoring().antMatchers("/pushResponse")                .and().ignoring().antMatchers("/paymentStatusApi");            }​        @Override    protected void configure(HttpSecurity http) throws Exception {                http.csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("**/login")).and().authorizeRequests().antMatchers("**/api/v1/getPricingDtls").permitAll()        .antMatchers("/merchantCreationOrView").hasRole("OPERATIONAL").and().authorizeRequests()        .antMatchers("/merchantCreation").hasRole("OPERATIONAL")        .antMatchers("/merchantView").hasRole("OPERATIONAL")        .antMatchers("/merchantRenderedView").hasRole("OPERATIONAL")        .antMatchers("/viewMerchantDetails").hasRole("OPERATIONAL")        .antMatchers("/saveMerchantDetails").hasRole("OPERATIONAL")        .antMatchers("/download").hasRole("OPERATIONAL")        .antMatchers("/downloadSettlement").hasRole("OPERATIONAL")        .and().formLogin().loginPage("/login").        defaultSuccessUrl("/merchantCreationOrView",true).failureUrl("/login?error").permitAll()        .and()          .sessionManagement()          .sessionCreationPolicy(SessionCreationPolicy.NEVER)          .maximumSessions(1)          .maxSessionsPreventsLogin(true).          sessionRegistry(sessionRegistry())          ;    }​    @Bean    SessionRegistry sessionRegistry() {                 return new SessionRegistryImpl();    }    @Bean    public static ServletListenerRegistrationBean httpSessionEventPublisher() { //(5)        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());    }                @Bean    public CustomBasicAuthenticationEntryPoint getBasicAuthenticationEntryPoint() {                return new CustomBasicAuthenticationEntryPoint();    }    ​    ​}​​​

Answer

Simple check can help you reach similar question here.

Most likely you didn’t implement/override correct hashCode and equals methods in your logined User class.

You have to do something like this, depend how logically you determine the so-called “same” user:

 public class User implements UserDetails, Serializable {
    private static final long serialVersionUID = 1L;

    // ...

    @Override
    public boolean equals(Object obj) {
        if (obj instanceof User) {
          return username.equals( ((User) obj).getUsername() );
        }
        return false;
    }

    @Override
    public int hashCode() {
        return username != null ? username.hashCode() : 0;
    }
}

JavaScript
 
 public class User implements UserDetails, Serializable {    private static final long serialVersionUID = 1L;​    // ...​    @Override    public boolean equals(Object obj) {        if (obj instanceof User) {          return username.equals( ((User) obj).getUsername() );        }        return false;    }​    @Override    public int hashCode() {        return username != null ? username.hashCode() : 0;    }}​

Advertisement

Answer