Spring Security is not working properly to prevent multiple logins for the same user at a time
I am using Spring MVC. Here, I have to restrict the same user from logging in to the application multiple times at the same time.
Note: here, the user logs in to the application with a mobile number and OTP.
Here, I've used Spring Security and I've given all the necessary implementations to restrict the same user from logging in multiple times. But I couldn't achieve this, and I didn't get any exceptions.
Here, my requirement is simple: if one user has logged in with his mobile number and OTP and the same user tries to log in again from a different browser, then Spring Security should allow the user to log in from the latest browser and should expire the previous login.
Please check the code below and give me suggestions. The code looks fine, but I couldn't understand what the problem is.
1. SecurityConfig class
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private LoginDao userService; // must implement UserDetailsService (see the DAO class below)

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/home.htm").hasAuthority("USER")
                .antMatchers("/admin.htm").hasAuthority("ADMIN")
                .and()
            .formLogin()
                .loginPage("/")
                .permitAll()
                .and()
            .logout()
                .invalidateHttpSession(true)
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout.htm"))
                .logoutSuccessUrl("/logout.htm")
                .permitAll()
                .and()
            .userDetailsService(this.userService)
            .sessionManagement()
                .maximumSessions(1)                // one concurrent session per principal
                //.expiredUrl("/newlogin?invalid-session=true")
                .maxSessionsPreventsLogin(false);  // newest login wins, oldest session is expired
    }

    // Publishes session-destroyed events so the SessionRegistry drops sessions that time out or log out
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider auth = new DaoAuthenticationProvider();
        auth.setUserDetailsService(userService);
        return auth;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
    }
}
2. In the DAO class
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class LoginDao implements UserDetailsService {

    @Autowired
    private LoginRepository logindao; // type not shown in the question; whatever provides getUser(mobile)

    @Value("#{'${admin.mobiles}'.split(',\\s*')}")
    List<String> admin_Mobiles;

    @Override
    public UserDetails loadUserByUsername(String mobile) throws UsernameNotFoundException {
        Login user = logindao.getUser(mobile);
        // The null check has to come before any use of user; otherwise an unknown mobile
        // number throws a NullPointerException instead of UsernameNotFoundException
        if (user == null) {
            throw new UsernameNotFoundException("Invalid username or password.");
        }
        if (admin_Mobiles.contains(mobile)) {
            user.setRoles(Arrays.asList("ADMIN"));
        } else {
            user.setRoles(Arrays.asList("USER"));
        }
        // username = mobile number, password = OTP, authorities = roles
        return new org.springframework.security.core.userdetails.User(user.getMobile(), user.getOtp(),
                mapRolesToAuthorities(user.getRoles()));
    }

    private Collection<? extends GrantedAuthority> mapRolesToAuthorities(Collection<String> roles) {
        return roles.stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }
}
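As an added illustration (not code from the question), the following stand-alone program shows what maximumSessions(1) with maxSessionsPreventsLogin(false) does underneath: a SessionRegistryImpl keyed by the principal, a ConcurrentSessionControlAuthenticationStrategy that expires the oldest session once the limit is reached, and a RegisterSessionAuthenticationStrategy that records the new session. It assumes Spring Security 4.x or 5.x with the javax.servlet API and spring-test (for the mock request/response) on the classpath; the mobile number and OTP are constructed sample values.

```java
import java.util.List;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;

public class ConcurrentSessionDemo {

    // Constructed sample credentials (not from the question)
    private static final String MOBILE = "9999999999";
    private static final String OTP = "123456";

    // Same principal type the question's loadUserByUsername returns. User.equals/hashCode
    // compare the username, which is what SessionRegistryImpl uses to find a principal's sessions.
    private static UserDetails principal() {
        return new User(MOBILE, OTP, AuthorityUtils.createAuthorityList("USER"));
    }

    // Simulates one successful login from a fresh browser: a new HttpSession, then the two
    // strategies that sessionManagement() wires into the form-login filter, in that order.
    private static String login(ConcurrentSessionControlAuthenticationStrategy control,
                                RegisterSessionAuthenticationStrategy register) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.getSession(true);
        MockHttpServletResponse response = new MockHttpServletResponse();

        UserDetails user = principal();
        Authentication auth =
                new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());

        control.onAuthentication(auth, request, response);   // marks older sessions expired if limit hit
        register.onAuthentication(auth, request, response);  // records this session id for the principal
        return request.getSession(false).getId();
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistryImpl();

        ConcurrentSessionControlAuthenticationStrategy control =
                new ConcurrentSessionControlAuthenticationStrategy(registry);
        control.setMaximumSessions(1);                // maximumSessions(1)
        control.setExceptionIfMaximumExceeded(false); // maxSessionsPreventsLogin(false)
        RegisterSessionAuthenticationStrategy register = new RegisterSessionAuthenticationStrategy(registry);

        String browserA = login(control, register); // first login
        String browserB = login(control, register); // same user, second browser

        // Expired sessions stay in the registry (includeExpiredSessions = true) until the
        // ConcurrentSessionFilter sees the flag on that session's next request and invalidates it.
        List<SessionInformation> sessions = registry.getAllSessions(principal(), true);
        for (SessionInformation info : sessions) {
            System.out.println("session " + info.getSessionId() + " expired=" + info.isExpired());
        }
        // Expected: browserA expired=true, browserB expired=false
        System.out.println("A=" + browserA + " B=" + browserB);
    }
}
```

Two things this makes visible. First, the strategies above only run when the authentication passes through Spring Security's own authentication filter (the formLogin() path); a controller that verifies the OTP itself and populates the SecurityContext never registers its session, so there is nothing for the limit to expire. Second, the registry is the place to look when debugging: declare a SessionRegistryImpl @Bean, hand it to the configuration with .maximumSessions(1).sessionRegistry(...), then call getAllSessions(principal, true) after logging in from two browsers. If only one session, or none, is listed, the login request did not reach the strategy; if both are listed but neither is expired, check that the principal objects compare equal, since the lookup is a hash-map lookup on the principal.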
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow