**Here I have edited my code to show that I'm currently using in-memory authentication for this purpose.
Here is my security configuration file. What I want to achieve is for one user not to have concurrent sessions. With this code I can log in with the same user in multiple tabs, even though the user already has an active session. Can anyone help me with this? I'm a newbie at Spring Security. Thanks in advance.**
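/**
 * Web security configuration: in-memory users, form login and single-session-per-user control.
 *
 * <p>The {@code username}/{@code password}/{@code sysUsername}/{@code sysPassword} values are
 * not declared in this snippet; they are presumably injected fields of this class.
 *
 * <p>Note on testing concurrent sessions: several tabs of the same browser share one session
 * cookie, so logging in again from another tab reuses the existing session and is not a second
 * session as far as {@code maximumSessions(1)} is concerned. Use a second browser or a private
 * window to exercise the limit.
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Paths excluded from the security filter chain entirely ({@code web.ignoring()}): no
     * authentication, no CSRF check and no security headers are applied to them. The original
     * list contained several duplicates; matching is a plain OR, so they are listed once here.
     * NOTE(review): only static resources normally belong here; the payment callbacks and
     * {@code /sp/rest/**} endpoints may be better served by {@code permitAll()} so the rest of
     * the chain still runs — confirm against the callers before changing.
     */
    private static final String[] UNSECURED_PATHS = {
            "/initialPage",
            "/WEB-INF/**",
            "/sp/processRequest",
            "/sp/rest/getChannelCodeOnMID",
            "/createRazorpayOrder",
            "/sp/rest/getNonPreferredEntities",
            "/sp/rest/getChargesDetailsOnChannel",
            "/paymentResponse",
            "/RedirectpaymentResponse",
            "/testMerchantPage",
            "/sp/rest/generateChecksum",
            "/pushResponse",
            "/sp/rest/getServiceDetails",
            "/errorPage",
            "/getResponse",
            "/css/**",
            "/js/**",
            "/img/qrcode/**",
            "/sp/rest/getCancelRequest",
            "/sp/rest/checkTxnStatusOnOrderId",
            "/paymentStatusApi"
    };

    /**
     * Registers the two in-memory accounts, both with role {@code OPERATIONAL}.
     *
     * <p>A single {@code inMemoryAuthentication()} configurer holds both users; the original
     * called it twice, which registers two separate providers for the same purpose.
     * NOTE(review): Spring Security 5+ requires a {@code PasswordEncoder} (or a {@code {noop}}
     * prefix) for these plain-text passwords; 4.x does not — confirm the version in use.
     *
     * @param auth the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser(username).password(password).roles("OPERATIONAL")
                .and()
                .withUser(sysUsername).password(sysPassword).roles("OPERATIONAL");
    }

    /**
     * Removes {@link #UNSECURED_PATHS} from the filter chain.
     *
     * @param web the web security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(UNSECURED_PATHS);
    }

    /**
     * Authorization rules, form login and concurrent-session control.
     *
     * <p>Ant patterns handed to {@code AntPathRequestMatcher} must start with {@code /}; a
     * pattern beginning with {@code **} never matches a servlet path. The original
     * {@code "**\/login"} therefore matched nothing, which disabled CSRF protection for every
     * request, and {@code "**\/api/v1/getPricingDtls"} never granted {@code permitAll}. Both are
     * written as {@code /**\/...} here, keeping the "any path ending in ..." intent.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf()
                // CSRF is enforced only for login requests, as in the original configuration.
                .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/**/login"))
            .and()
                .authorizeRequests()
                .antMatchers("/**/api/v1/getPricingDtls").permitAll()
                .antMatchers("/merchantCreationOrView", "/merchantCreation", "/merchantView",
                        "/merchantRenderedView", "/viewMerchantDetails", "/saveMerchantDetails",
                        "/download", "/downloadSettlement").hasRole("OPERATIONAL")
            .and()
                .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/merchantCreationOrView", true)
                .failureUrl("/login?error")
                .permitAll()
            .and()
                .sessionManagement()
                // NEVER: Spring Security does not create a session itself but uses one that
                // already exists. NOTE(review): if no session exists when the login form is
                // submitted, the authenticated context may not be persisted — confirm that
                // IF_REQUIRED is not needed for the session limit below to take effect.
                .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .maximumSessions(1)
                // Reject the second login instead of expiring the first session.
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry());
    }

    /**
     * Registry that tracks active sessions per principal; required for {@code maximumSessions}.
     *
     * @return a new in-memory session registry
     */
    @Bean
    SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Publishes servlet session lifecycle events so the registry learns about session
     * destruction; without it expired sessions would still count towards the limit.
     *
     * @return the listener registration for {@link HttpSessionEventPublisher}
     */
    @Bean
    public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }

    /**
     * Custom entry point bean. It is declared here but not wired into the
     * {@code HttpSecurity} chain above; presumably used elsewhere.
     *
     * @return a new entry point instance
     */
    @Bean
    public CustomBasicAuthenticationEntryPoint getBasicAuthenticationEntryPoint() {
        return new CustomBasicAuthenticationEntryPoint();
    }
}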
Answer
A simple search can lead you to a similar question here.
Most likely you didn't implement/override the correct `hashCode` and `equals` methods in your logged-in `User` class.
You have to do something like this, depending on how you logically determine the so-called "same" user:
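/**
 * Authenticated principal whose identity is the username: two instances with the same
 * username are the same user, which is what the session registry relies on when counting
 * sessions per principal.
 */
public class User implements UserDetails, Serializable {
    private static final long serialVersionUID = 1L;

    // ... (remaining fields and accessors elided in the original snippet)

    /**
     * Equality keyed on username only. Null-safe: the original dereferenced {@code username}
     * directly while {@link #hashCode()} tolerated null, so a user without a username would
     * throw here but hash fine; both now agree.
     *
     * @param obj candidate object
     * @return {@code true} if {@code obj} is a {@code User} with the same username
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (!(obj instanceof User)) {
            return false;
        }
        String otherName = ((User) obj).getUsername();
        return username == null ? otherName == null : username.equals(otherName);
    }

    /**
     * Hash consistent with {@link #equals(Object)}: derived from the username, 0 when absent.
     *
     * @return the username hash or 0
     */
    @Override
    public int hashCode() {
        return username != null ? username.hashCode() : 0;
    }
}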