I have a customized RegisterSessionAuthenticationStrategy and I'm using CompositeSessionAuthenticationStrategy with exceptionIfMaximumExceeded = false.
I have the following scenario:
- login on browser #1
- login on browser #2
I want the first session to be destroyed, but they both stay active. When I reach SessionRegistry.registerNewSession, session #1 is set as expired, but I never get a SessionDestroyedEvent for it.
security.xml
    <security:session-management
        session-authentication-strategy-ref="sas" />
</security:http>

<bean id="sas"
    class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <constructor-arg>
        <list>
            <bean
                class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                <constructor-arg ref="clusteredSessionRegistryImpl" />
                <property name="maximumSessions" value="1" />
                <property name="exceptionIfMaximumExceeded" value="false" />
            </bean>
            <bean
                class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                <constructor-arg ref="clusteredSessionRegistryImpl" />
            </bean>
        </list>
    </constructor-arg>
</bean>