SEC-2137: Allow disabling session fixation and enable concurrency control

config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java

@@ -15,7 +15,11 @@
  */
 package org.springframework.security.config.annotation.web.configurers;
 
+import java.util.Arrays;
+import java.util.List;
+
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -23,7 +27,10 @@ import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
-import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
+import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
@@ -70,7 +77,8 @@ import org.springframework.util.Assert;
  * @see ConcurrentSessionFilter
  */
 public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<H> {
-    private SessionAuthenticationStrategy sessionAuthenticationStrategy = new SessionFixationProtectionStrategy();
+    private SessionAuthenticationStrategy sessionFixationAuthenticationStrategy = new SessionFixationProtectionStrategy();
+    private SessionAuthenticationStrategy sessionAuthenticationStrategy;
     private SessionRegistry sessionRegistry = new SessionRegistryImpl();
     private Integer maximumSessions;
     private String expiredUrl;
@@ -149,17 +157,25 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
     /**
      * Allows explicitly specifying the {@link SessionAuthenticationStrategy}.
      * The default is to use {@link SessionFixationProtectionStrategy}. If
-     * restricting the maximum number of sessions is configured,
-     * {@link ConcurrentSessionControlStrategy} will be used.
+     * restricting the maximum number of sessions is configured, then
+     * {@link CompositeSessionAuthenticationStrategy} delegating to
+     * {@link ConcurrentSessionControlAuthenticationStrategy},
+     * {@link SessionFixationProtectionStrategy} (optional), and
+     * {@link RegisterSessionAuthenticationStrategy} will be used.
      *
      * @param sessionAuthenticationStrategy
-     * @return the {@link SessionManagementConfigurer} for further customizations
+     * @return the {@link SessionManagementConfigurer} for further
+     *         customizations
      */
     public SessionManagementConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) {
-        this.sessionAuthenticationStrategy = sessionAuthenticationStrategy;
+        this.sessionFixationAuthenticationStrategy = sessionAuthenticationStrategy;
         return this;
     }
 
+    public SessionFixationConfigurer sessionFixation() {
+        return new SessionFixationConfigurer();
+    }
+
     /**
      * Controls the maximum number of sessions for a user. The default is to allow any number of users.
      * @param maximumSessions the maximum number of sessions for a user
@@ -167,10 +183,57 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
      */
     public ConcurrencyControlConfigurer maximumSessions(int maximumSessions) {
         this.maximumSessions = maximumSessions;
-        this.sessionAuthenticationStrategy = null;
         return new ConcurrencyControlConfigurer();
     }
 
+    /**
+     * Allows configuring SessionFixation protection
+     *
+     * @author Rob Winch
+     */
+    public final class SessionFixationConfigurer {
+        /**
+         * Specifies that a new session should be created, but the session
+         * attributes from the original {@link HttpSession} should not be
+         * retained.
+         *
+         * @return the {@link SessionManagementConfigurer} for further customizations
+         */
+        public SessionManagementConfigurer<H> newSession() {
+            SessionFixationProtectionStrategy sessionFixationProtectionStrategy = new SessionFixationProtectionStrategy();
+            sessionFixationProtectionStrategy.setMigrateSessionAttributes(false);
+            SessionManagementConfigurer.this.sessionFixationAuthenticationStrategy = sessionFixationProtectionStrategy;
+            return SessionManagementConfigurer.this;
+        }
+
+        /**
+         * Specifies that a new session should be created and the session
+         * attributes from the original {@link HttpSession} should be
+         * retained.
+         *
+         * @return the {@link SessionManagementConfigurer} for further customizations
+         */
+        public SessionManagementConfigurer<H> migrateSession() {
+            SessionManagementConfigurer.this.sessionFixationAuthenticationStrategy = new SessionFixationProtectionStrategy();
+            return SessionManagementConfigurer.this;
+        }
+
+        /**
+         * Specifies that no session fixation protection should be enabled. This
+         * may be useful when utilizing other mechanisms for protecting against
+         * session fixation. For example, if application container session
+         * fixation protection is already in use. Otherwise, this option is not
+         * recommended.
+         *
+         * @return the {@link SessionManagementConfigurer} for further
+         *         customizations
+         */
+        public SessionManagementConfigurer<H> none() {
+            SessionManagementConfigurer.this.sessionFixationAuthenticationStrategy = new NullAuthenticatedSessionStrategy();
+            return SessionManagementConfigurer.this;
+        }
+    }
+
     /**
      * Allows configuring controlling of multiple sessions.
      *
@@ -314,10 +377,18 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
             return sessionAuthenticationStrategy;
         }
         if(isConcurrentSessionControlEnabled()) {
-            ConcurrentSessionControlStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlStrategy(sessionRegistry);
+            ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
             concurrentSessionControlStrategy.setMaximumSessions(maximumSessions);
             concurrentSessionControlStrategy.setExceptionIfMaximumExceeded(maxSessionsPreventsLogin);
-            sessionAuthenticationStrategy = concurrentSessionControlStrategy;
+            concurrentSessionControlStrategy = postProcess(concurrentSessionControlStrategy);
+
+            RegisterSessionAuthenticationStrategy registerSessionStrategy = new RegisterSessionAuthenticationStrategy(sessionRegistry);
+            registerSessionStrategy = postProcess(registerSessionStrategy);
+
+            List<SessionAuthenticationStrategy> delegateStrategies = Arrays.asList(concurrentSessionControlStrategy, sessionFixationAuthenticationStrategy, registerSessionStrategy);
+            sessionAuthenticationStrategy = postProcess(new CompositeSessionAuthenticationStrategy(delegateStrategies));
+        } else {
+            sessionAuthenticationStrategy = sessionFixationAuthenticationStrategy;
         }
         return sessionAuthenticationStrategy;
     }

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2013 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,14 +18,17 @@ package org.springframework.security.config.http;
 import static org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.*;
 import static org.springframework.security.config.http.SecurityFilters.*;
 
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.List;
 
 import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.BeanReference;
+import org.springframework.beans.factory.config.BeanReferenceFactoryBean;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.parsing.BeanComponentDefinition;
 import org.springframework.beans.factory.parsing.CompositeComponentDefinition;
@@ -51,7 +54,10 @@ import org.springframework.security.web.access.expression.WebExpressionVoter;
 import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
-import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
+import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.NullSecurityContextRepository;
@@ -66,6 +72,7 @@ import org.springframework.security.web.session.ConcurrentSessionFilter;
 import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
 import org.springframework.util.ClassUtils;
+import org.springframework.util.ReflectionUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
 import org.w3c.dom.Element;
@@ -83,6 +90,7 @@ class HttpConfigurationBuilder {
     private static final String ATT_SESSION_FIXATION_PROTECTION = "session-fixation-protection";
     private static final String OPT_SESSION_FIXATION_NO_PROTECTION = "none";
     private static final String OPT_SESSION_FIXATION_MIGRATE_SESSION = "migrateSession";
+    private static final String OPT_CHANGE_SESSION_ID = "changeSessionId";
 
     private static final String ATT_INVALID_SESSION_URL = "invalid-session-url";
     private static final String ATT_SESSION_AUTH_STRATEGY_REF = "session-authentication-strategy-ref";
@@ -247,6 +255,7 @@ class HttpConfigurationBuilder {
         String sessionAuthStratRef = null;
         String errorUrl = null;
 
+        boolean sessionControlEnabled = false;
         if (sessionMgmtElt != null) {
             if (sessionPolicy == SessionCreationPolicy.STATELESS) {
                 pc.getReaderContext().error(Elements.SESSION_MANAGEMENT + "  cannot be used" +
@@ -258,8 +267,9 @@ class HttpConfigurationBuilder {
             sessionAuthStratRef = sessionMgmtElt.getAttribute(ATT_SESSION_AUTH_STRATEGY_REF);
             errorUrl = sessionMgmtElt.getAttribute(ATT_SESSION_AUTH_ERROR_URL);
             sessionCtrlElt = DomUtils.getChildElementByTagName(sessionMgmtElt, Elements.CONCURRENT_SESSIONS);
+            sessionControlEnabled =  sessionCtrlElt != null;
 
-            if (sessionCtrlElt != null) {
+            if (sessionControlEnabled) {
                 if (StringUtils.hasText(sessionAuthStratRef)) {
                     pc.getReaderContext().error(ATT_SESSION_AUTH_STRATEGY_REF + " attribute cannot be used" +
                             " in combination with <" + Elements.CONCURRENT_SESSIONS + ">", pc.extractSource(sessionCtrlElt));
@@ -269,7 +279,8 @@ class HttpConfigurationBuilder {
         }
 
         if (!StringUtils.hasText(sessionFixationAttribute)) {
-            sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION;
+             Method changeSessionIdMethod = ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId");
+            sessionFixationAttribute = changeSessionIdMethod == null ? OPT_SESSION_FIXATION_MIGRATE_SESSION : OPT_CHANGE_SESSION_ID;
         } else if (StringUtils.hasText(sessionAuthStratRef)) {
             pc.getReaderContext().error(ATT_SESSION_FIXATION_PROTECTION + " attribute cannot be used" +
                     " in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionMgmtElt));
@@ -282,28 +293,50 @@ class HttpConfigurationBuilder {
 
         boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
 
-        BeanDefinitionBuilder sessionStrategy;
+        ManagedList<BeanMetadataElement> delegateSessionStrategies = new ManagedList<BeanMetadataElement>();
+        BeanDefinitionBuilder concurrentSessionStrategy;
+        BeanDefinitionBuilder sessionFixationStrategy = null;
+        BeanDefinitionBuilder registerSessionStrategy;
 
-        if (sessionCtrlElt != null) {
+        if (sessionControlEnabled) {
             assert sessionRegistryRef != null;
-            sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(ConcurrentSessionControlStrategy.class);
-            sessionStrategy.addConstructorArgValue(sessionRegistryRef);
+            concurrentSessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(ConcurrentSessionControlAuthenticationStrategy.class);
+            concurrentSessionStrategy.addConstructorArgValue(sessionRegistryRef);
 
             String maxSessions = sessionCtrlElt.getAttribute("max-sessions");
 
             if (StringUtils.hasText(maxSessions)) {
-                sessionStrategy.addPropertyValue("maximumSessions", maxSessions);
+                concurrentSessionStrategy.addPropertyValue("maximumSessions", maxSessions);
             }
 
             String exceptionIfMaximumExceeded = sessionCtrlElt.getAttribute("error-if-maximum-exceeded");
 
             if (StringUtils.hasText(exceptionIfMaximumExceeded)) {
-                sessionStrategy.addPropertyValue("exceptionIfMaximumExceeded", exceptionIfMaximumExceeded);
+                concurrentSessionStrategy.addPropertyValue("exceptionIfMaximumExceeded", exceptionIfMaximumExceeded);
             }
-        } else if (sessionFixationProtectionRequired || StringUtils.hasText(invalidSessionUrl)
-                || StringUtils.hasText(sessionAuthStratRef)) {
-            sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionStrategy.class);
-        } else {
+            delegateSessionStrategies.add(concurrentSessionStrategy.getBeanDefinition());
+        }
+        boolean useChangeSessionId = OPT_CHANGE_SESSION_ID.equals(sessionFixationAttribute);
+        if (sessionFixationProtectionRequired || StringUtils.hasText(invalidSessionUrl)) {
+            if(useChangeSessionId) {
+                sessionFixationStrategy = BeanDefinitionBuilder.rootBeanDefinition(ChangeSessionIdAuthenticationStrategy.class);
+            } else {
+                sessionFixationStrategy = BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionStrategy.class);
+            }
+            delegateSessionStrategies.add(sessionFixationStrategy.getBeanDefinition());
+        }
+
+        if(StringUtils.hasText(sessionAuthStratRef)) {
+            delegateSessionStrategies.add(new RuntimeBeanReference(sessionAuthStratRef));
+        }
+
+        if(sessionControlEnabled) {
+            registerSessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(RegisterSessionAuthenticationStrategy.class);
+            registerSessionStrategy.addConstructorArgValue(sessionRegistryRef);
+            delegateSessionStrategies.add(registerSessionStrategy.getBeanDefinition());
+        }
+
+        if(delegateSessionStrategies.isEmpty()) {
             sfpf = null;
             return;
         }
@@ -316,15 +349,21 @@ class HttpConfigurationBuilder {
         sessionMgmtFilter.addPropertyValue("authenticationFailureHandler", failureHandler);
         sessionMgmtFilter.addConstructorArgValue(contextRepoRef);
 
-        if (!StringUtils.hasText(sessionAuthStratRef)) {
-            BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
+        if (!StringUtils.hasText(sessionAuthStratRef) && sessionFixationStrategy != null && !useChangeSessionId ) {
 
             if (sessionFixationProtectionRequired) {
-                sessionStrategy.addPropertyValue("migrateSessionAttributes",
+                sessionFixationStrategy.addPropertyValue("migrateSessionAttributes",
                         Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
             }
+        }
+
+        if(!delegateSessionStrategies.isEmpty()) {
+            BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(CompositeSessionAuthenticationStrategy.class);
+            BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
+            sessionStrategy.addConstructorArgValue(delegateSessionStrategies);
             sessionAuthStratRef = pc.getReaderContext().generateBeanName(strategyBean);
             pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, sessionAuthStratRef));
+
         }
 
         if (StringUtils.hasText(invalidSessionUrl)) {

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.groovy

@@ -58,12 +58,13 @@ class NamespaceSessionManagementTests extends BaseSpringSpec {
             CustomSessionManagementConfig.SR = Mock(SessionRegistry)
         when:
             loadConfig(CustomSessionManagementConfig)
+            def concurrentStrategy = findFilter(SessionManagementFilter).sessionAuthenticationStrategy.delegateStrategies[0]
         then:
             findFilter(SessionManagementFilter).invalidSessionStrategy.destinationUrl == "/invalid-session"
             findFilter(SessionManagementFilter).failureHandler.defaultFailureUrl == "/session-auth-error"
-            findFilter(SessionManagementFilter).sessionAuthenticationStrategy.maximumSessions == 1
-            findFilter(SessionManagementFilter).sessionAuthenticationStrategy.exceptionIfMaximumExceeded
-            findFilter(SessionManagementFilter).sessionAuthenticationStrategy.sessionRegistry == CustomSessionManagementConfig.SR
+            concurrentStrategy.maximumSessions == 1
+            concurrentStrategy.exceptionIfMaximumExceeded
+            concurrentStrategy.sessionRegistry == CustomSessionManagementConfig.SR
             findFilter(ConcurrentSessionFilter).expiredUrl == "/expired-session"
     }
 
@@ -154,7 +155,8 @@ class NamespaceSessionManagementTests extends BaseSpringSpec {
         protected void configure(HttpSecurity http) throws Exception {
             http
                 .sessionManagement()
-                    .sessionAuthenticationStrategy(new SessionFixationProtectionStrategy(migrateSessionAttributes : false))
+                    .sessionFixation()
+                        .newSession()
         }
     }
 }

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy

@@ -15,16 +15,24 @@
  */
 package org.springframework.security.config.annotation.web.configurers
 
+import javax.servlet.http.HttpServletResponse
+
 import org.springframework.context.annotation.Configuration
+import org.springframework.mock.web.MockFilterChain
+import org.springframework.mock.web.MockHttpServletRequest
+import org.springframework.mock.web.MockHttpServletResponse
 import org.springframework.security.config.annotation.AnyObjectPostProcessor
 import org.springframework.security.config.annotation.BaseSpringSpec
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
+import org.springframework.security.config.http.SessionCreationPolicy
 import org.springframework.security.web.access.ExceptionTranslationFilter
-import org.springframework.security.web.context.NullSecurityContextRepository;
+import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy
+import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy
+import org.springframework.security.web.context.NullSecurityContextRepository
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.context.SecurityContextRepository
 import org.springframework.security.web.savedrequest.RequestCache
@@ -110,6 +118,82 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
 
     }
 
+    def 'SEC-2137: disable session fixation and enable concurrency control'() {
+        setup: "context where session fixation is disabled and concurrency control is enabled"
+            loadConfig(DisableSessionFixationEnableConcurrencyControlConfig)
+            String originalSessionId = request.session.id
+            String credentials = "user:password"
+            request.addHeader("Authorization", "Basic " + credentials.bytes.encodeBase64())
+        when: "authenticate"
+            springSecurityFilterChain.doFilter(request, response, new MockFilterChain())
+        then: "session invalidate is not called"
+            request.session.id == originalSessionId
+    }
+
+    @EnableWebSecurity
+    @Configuration
+    static class DisableSessionFixationEnableConcurrencyControlConfig extends WebSecurityConfigurerAdapter {
+        @Override
+        public void configure(HttpSecurity http) {
+            http
+                .httpBasic()
+                    .and()
+                .sessionManagement()
+                    .sessionFixation().none()
+                    .maximumSessions(1)
+        }
+        @Override
+        public void registerAuthentication(AuthenticationManagerBuilder auth) {
+            auth
+                .inMemoryAuthentication()
+                    .withUser("user").password("password").roles("USER")
+        }
+    }
+
+    def 'session fixation and enable concurrency control'() {
+        setup: "context where session fixation is disabled and concurrency control is enabled"
+            loadConfig(ConcurrencyControlConfig)
+        when: "authenticate successfully"
+            request.servletPath = "/login"
+            request.method = "POST"
+            request.setParameter("username", "user");
+            request.setParameter("password","password")
+            springSecurityFilterChain.doFilter(request, response, chain)
+        then: "authentication is sucessful"
+            response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
+            response.redirectedUrl == "/"
+        when: "authenticate with the same user"
+            super.setup()
+            request.servletPath = "/login"
+            request.method = "POST"
+            request.setParameter("username", "user");
+            request.setParameter("password","password")
+            springSecurityFilterChain.doFilter(request, response, chain)
+        then:
+            response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
+            response.redirectedUrl == '/login?error'
+    }
+
+    @EnableWebSecurity
+    @Configuration
+    static class ConcurrencyControlConfig extends WebSecurityConfigurerAdapter {
+        @Override
+        public void configure(HttpSecurity http) {
+            http
+                .formLogin()
+                    .and()
+                .sessionManagement()
+                    .maximumSessions(1)
+                        .maxSessionsPreventsLogin(true)
+        }
+        @Override
+        public void registerAuthentication(AuthenticationManagerBuilder auth) {
+            auth
+                .inMemoryAuthentication()
+                    .withUser("user").password("password").roles("USER")
+        }
+    }
+
     def "sessionManagement ObjectPostProcessor"() {
         setup:
             AnyObjectPostProcessor opp = Mock()
@@ -122,9 +206,15 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
                     .and()
                 .build()
 
-        then: "SessionManagementFilter is registered with LifecycleManager"
+        then: "SessionManagementFilter is registered with ObjectPostProcessor"
             1 * opp.postProcess(_ as SessionManagementFilter) >> {SessionManagementFilter o -> o}
-        and: "ConcurrentSessionFilter is registered with LifecycleManager"
+        and: "ConcurrentSessionFilter is registered with ObjectPostProcessor"
             1 * opp.postProcess(_ as ConcurrentSessionFilter) >> {ConcurrentSessionFilter o -> o}
+        and: "ConcurrentSessionControlAuthenticationStrategy is registered with ObjectPostProcessor"
+            1 * opp.postProcess(_ as ConcurrentSessionControlAuthenticationStrategy) >> {ConcurrentSessionControlAuthenticationStrategy o -> o}
+        and: "CompositeSessionAuthenticationStrategy is registered with ObjectPostProcessor"
+            1 * opp.postProcess(_ as CompositeSessionAuthenticationStrategy) >> {CompositeSessionAuthenticationStrategy o -> o}
+        and: "RegisterSessionAuthenticationStrategy is registered with ObjectPostProcessor"
+            1 * opp.postProcess(_ as RegisterSessionAuthenticationStrategy) >> {RegisterSessionAuthenticationStrategy o -> o}
     }
 }

config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2013 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,28 +15,40 @@
  */
 package org.springframework.security.config.http
 
+import static org.junit.Assert.assertSame
+import static org.mockito.Mockito.*
+
+import javax.servlet.http.HttpServletRequest
+import javax.servlet.http.HttpServletResponse
+
+import org.mockito.Mockito
 import org.springframework.mock.web.MockFilterChain
 import org.springframework.mock.web.MockHttpServletRequest
 import org.springframework.mock.web.MockHttpServletResponse
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.authority.AuthorityUtils
 import org.springframework.security.core.context.SecurityContext
 import org.springframework.security.core.context.SecurityContextHolder
+import org.springframework.security.core.session.SessionRegistry
 import org.springframework.security.core.session.SessionRegistryImpl
+import org.springframework.security.core.userdetails.User
 import org.springframework.security.util.FieldUtils
+import org.springframework.security.web.FilterChainProxy
 import org.springframework.security.web.authentication.RememberMeServices
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
 import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler
 import org.springframework.security.web.authentication.logout.LogoutFilter
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter
-import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
+import org.springframework.security.web.authentication.session.SessionAuthenticationException
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
 import org.springframework.security.web.context.NullSecurityContextRepository
 import org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter
 import org.springframework.security.web.session.ConcurrentSessionFilter
 import org.springframework.security.web.session.SessionManagementFilter
-import static org.junit.Assert.assertSame
 
 /**
  * Tests session-related functionality for the <http> namespace element and <session-management>
@@ -93,6 +105,46 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
         filter.repo.allowSessionCreation
     }
 
+    def 'SEC-1208: Session is not created when rejecting user due to max sessions exceeded'() {
+        setup:
+            httpCreateSession('never') {
+                'session-management'() {
+                    'concurrency-control'('max-sessions':1,'error-if-maximum-exceeded':'true')
+                }
+            }
+            createAppContext()
+            SessionRegistry registry = appContext.getBean(SessionRegistry)
+            registry.registerNewSession("1", new User("user","password",AuthorityUtils.createAuthorityList("ROLE_USER")))
+            MockHttpServletRequest request = new MockHttpServletRequest()
+            MockHttpServletResponse response = new MockHttpServletResponse()
+            String credentials = "user:password"
+            request.addHeader("Authorization", "Basic " + credentials.bytes.encodeBase64())
+        when: "exceed max authentication attempts"
+            appContext.getBean(FilterChainProxy).doFilter(request, response, new MockFilterChain())
+        then: "no new session is created"
+            request.getSession(false) == null
+            response.status == HttpServletResponse.SC_UNAUTHORIZED
+    }
+
+    def 'SEC-2137: disable session fixation and enable concurrency control'() {
+        setup: "context where session fixation is disabled and concurrency control is enabled"
+            httpAutoConfig {
+                'session-management'('session-fixation-protection':'none') {
+                    'concurrency-control'('max-sessions':'1','error-if-maximum-exceeded':'true')
+                }
+            }
+            createAppContext()
+            MockHttpServletRequest request = new MockHttpServletRequest()
+            MockHttpServletResponse response = new MockHttpServletResponse()
+            String originalSessionId = request.session.id
+            String credentials = "user:password"
+            request.addHeader("Authorization", "Basic " + credentials.bytes.encodeBase64())
+        when: "authenticate"
+            appContext.getBean(FilterChainProxy).doFilter(request, response, new MockFilterChain())
+        then: "session invalidate is not called"
+            request.session.id == originalSessionId
+    }
+
     def httpCreateSession(String create, Closure c) {
         xml.http(['auto-config': 'true', 'create-session': create], c)
     }
@@ -219,15 +271,28 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
     }
 
     def externalSessionStrategyIsSupported() {
-        when:
-        httpAutoConfig {
-            'session-management'('session-authentication-strategy-ref':'ss')
-        }
-        bean('ss', SessionFixationProtectionStrategy.class.name)
-        createAppContext();
+        setup:
+            httpAutoConfig {
+                'session-management'('session-authentication-strategy-ref':'ss')
+            }
+            xml.'b:bean'(id: 'ss', 'class': Mockito.class.name, 'factory-method':'mock') {
+                'b:constructor-arg'(value : SessionAuthenticationStrategy.class.name)
+            }
+            createAppContext()
 
-        then:
-        notThrown(Exception.class)
+            MockHttpServletRequest request = new MockHttpServletRequest();
+            request.getSession();
+            request.setRequestURI("/j_spring_security_check");
+            request.setMethod("POST");
+            request.setParameter("j_username", "user");
+            request.setParameter("j_password", "password");
+
+            SessionAuthenticationStrategy sessionAuthStrategy = appContext.getBean('ss',SessionAuthenticationStrategy)
+            FilterChainProxy springSecurityFilterChain = appContext.getBean(FilterChainProxy)
+        when:
+            springSecurityFilterChain.doFilter(request,new MockHttpServletResponse(), new MockFilterChain())
+        then: "CustomSessionAuthenticationStrategy has seen the request (although REQUEST is a wrapped request)"
+            verify(sessionAuthStrategy).onAuthentication(any(Authentication), any(HttpServletRequest), any(HttpServletResponse))
     }
 
     def externalSessionRegistryBeanIsConfiguredCorrectly() {
@@ -247,10 +312,8 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
         Object sessionRegistry = appContext.getBean("sr");
         Object sessionRegistryFromConcurrencyFilter = FieldUtils.getFieldValue(
                 getFilter(ConcurrentSessionFilter.class), "sessionRegistry");
-        Object sessionRegistryFromFormLoginFilter = FieldUtils.getFieldValue(
-                getFilter(UsernamePasswordAuthenticationFilter.class),"sessionStrategy.sessionRegistry");
-        Object sessionRegistryFromMgmtFilter = FieldUtils.getFieldValue(
-                getFilter(SessionManagementFilter.class),"sessionAuthenticationStrategy.sessionRegistry");
+        Object sessionRegistryFromFormLoginFilter = FieldUtils.getFieldValue(getFilter(UsernamePasswordAuthenticationFilter),"sessionStrategy").delegateStrategies[0].sessionRegistry
+        Object sessionRegistryFromMgmtFilter = FieldUtils.getFieldValue(getFilter(SessionManagementFilter),"sessionAuthenticationStrategy").delegateStrategies[0].sessionRegistry
 
         assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter);
         assertSame(sessionRegistry, sessionRegistryFromMgmtFilter);
@@ -297,7 +360,7 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
         createAppContext()
 
         expect:
-        !(getFilters("/someurl")[8] instanceof SessionManagementFilter)
+        !(getFilters("/someurl").find { it instanceof SessionManagementFilter})
     }
 
     def disablingSessionProtectionRetainsSessionManagementFilterInvalidSessionUrlSet() {

docs/manual/src/docbook/appendix-namespace.xml

@@ -1208,7 +1208,7 @@
             <para> Adds support for concurrent session control, allowing limits to be placed on the
                 number of active sessions a user can have. A
                 <classname>ConcurrentSessionFilter</classname> will be created, and a
-                <classname>ConcurrentSessionControlStrategy</classname> will be used with the
+                <classname>ConcurrentSessionControlAuthenticationStrategy</classname> will be used with the
                 <classname>SessionManagementFilter</classname>. If a <literal>form-login</literal>
                 element has been declared, the strategy object will also be injected into the
                 created authentication filter. An instance of
@@ -1242,7 +1242,7 @@
                 <section xml:id="nsa-concurrency-control-max-sessions">
                     <title><literal>max-sessions</literal></title>
                     <para>Maps to the <literal>maximumSessions</literal> property of
-                        <classname>ConcurrentSessionControlStrategy</classname>.</para>
+                        <classname>ConcurrentSessionControlAuthenticationStrategy</classname>.</para>
                 </section>
                 <section xml:id="nsa-concurrency-control-session-registry-alias">
                     <title><literal>session-registry-alias</literal></title>

docs/manual/src/docbook/session-mgmt.xml

@@ -80,7 +80,7 @@
             though. </para>
         <para>The implementation uses a specialized version of
             <interfacename>SessionAuthenticationStrategy</interfacename>, called
-            <classname>ConcurrentSessionControlStrategy</classname>. <note>
+            <classname>ConcurrentSessionControlAuthenticationStrategy</classname>. <note>
             <para>Previously the concurrent authentication check was made by the
                 <classname>ProviderManager</classname>, which could be injected with a
                 <literal>ConcurrentSessionController</literal>. The latter would check if the user
@@ -126,10 +126,21 @@
   <beans:property name="authenticationManager" ref="authenticationManager" />
 </beans:bean>
 
-<beans:bean id="sas" class=
- "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
-  <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
-  <beans:property name="maximumSessions" value="1" />
+<beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
+  <beans:constructor-arg>
+    <beans:list>
+      <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
+        <beans:constructor-arg ref="sessionRegistry"/>
+        <beans:property name="maximumSessions" value="1" />
+        <beans:property name="exceptionIfMaximumExceeded" value="true" />
+      </beans:bean>
+      <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
+      </beans:bean>
+      <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
+        <beans:constructor-arg ref="sessionRegistry"/>
+      </beans:bean>
+    </beans:list>
+  </beans:constructor-arg>
 </beans:bean>
 
 <beans:bean id="sessionRegistry"

itest/web/src/main/webapp/WEB-INF/http-security-custom-concurrency.xml

@@ -32,10 +32,21 @@
         <beans:property name="expiredUrl" value="/session-expired.htm" />
     </beans:bean>
 
-    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
-        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
-        <beans:property name="maximumSessions" value="1" />
-        <beans:property name="exceptionIfMaximumExceeded" value="true" />
+    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
+        <beans:constructor-arg>
+            <beans:list>
+                <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
+                    <beans:constructor-arg ref="sessionRegistry"/>
+                    <beans:property name="maximumSessions" value="1" />
+                    <beans:property name="exceptionIfMaximumExceeded" value="true" />
+                </beans:bean>
+                <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
+                </beans:bean>
+                <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
+                    <beans:constructor-arg ref="sessionRegistry"/>
+                </beans:bean>
+            </beans:list>
+        </beans:constructor-arg>
     </beans:bean>
 
     <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

web/src/main/java/org/springframework/security/web/authentication/session/CompositeSessionAuthenticationStrategy.java

@@ -0,0 +1,91 @@
+/*
+R * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.authentication.session;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
+
+/**
+ * A {@link SessionAuthenticationStrategy} that accepts multiple
+ * {@link SessionAuthenticationStrategy} implementations to delegate to. Each
+ * {@link SessionAuthenticationStrategy} is invoked in turn. The invocations are
+ * short circuited if any exception, (i.e. SessionAuthenticationException) is
+ * thrown.
+ *
+ * <p>
+ * Typical usage would include having the following delegates (in this order)
+ * </p>
+ *
+ * <ul>
+ * <li> {@link ConcurrentSessionControlAuthenticationStrategy} - verifies that a
+ * user is allowed to authenticate (i.e. they have not already logged into the
+ * application.</li>
+ * <li> {@link SessionFixationProtectionStrategy} - If session fixation is
+ * desired, {@link SessionFixationProtectionStrategy} should be after
+ * {@link ConcurrentSessionControlAuthenticationStrategy} to prevent unnecessary
+ * {@link HttpSession} creation if the
+ * {@link ConcurrentSessionControlAuthenticationStrategy} rejects
+ * authentication.</li>
+ * <li> {@link RegisterSessionAuthenticationStrategy} - It is important this is
+ * after {@link SessionFixationProtectionStrategy} so that the correct session
+ * is registered.</li>
+ * </ul>
+ *
+ * @author Rob Winch
+ * @since 3.2
+ */
+public class CompositeSessionAuthenticationStrategy implements SessionAuthenticationStrategy {
+    private final Log logger = LogFactory.getLog(getClass());
+    private final List<SessionAuthenticationStrategy> delegateStrategies;
+
+    public CompositeSessionAuthenticationStrategy(List<SessionAuthenticationStrategy> delegateStrategies) {
+        Assert.notEmpty(delegateStrategies, "delegateStrategies cannot be null or empty");
+        for(SessionAuthenticationStrategy strategy : delegateStrategies) {
+            if(strategy == null) {
+                throw new IllegalArgumentException("delegateStrategies cannot contain null entires. Got " + delegateStrategies);
+            }
+        }
+        this.delegateStrategies = new ArrayList<SessionAuthenticationStrategy>(delegateStrategies);
+    }
+
+    /* (non-Javadoc)
+     * @see org.springframework.security.web.authentication.session.SessionAuthenticationStrategy#onAuthentication(org.springframework.security.core.Authentication, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+     */
+    public void onAuthentication(Authentication authentication,
+            HttpServletRequest request, HttpServletResponse response)
+            throws SessionAuthenticationException {
+        for(SessionAuthenticationStrategy delegate : delegateStrategies) {
+            if(logger.isDebugEnabled()) {
+                logger.debug("Delegating to " + delegate);
+            }
+            delegate.onAuthentication(authentication, request, response);
+        }
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getName() + " [delegateStrategies = " + delegateStrategies + "]";
+    }
+}

web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategy.java

@@ -0,0 +1,183 @@
+package org.springframework.security.web.authentication.session;
+
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.springframework.context.MessageSource;
+import org.springframework.context.MessageSourceAware;
+import org.springframework.context.support.MessageSourceAccessor;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.SpringSecurityMessageSource;
+import org.springframework.security.core.session.SessionInformation;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.session.ConcurrentSessionFilter;
+import org.springframework.security.web.session.SessionManagementFilter;
+import org.springframework.util.Assert;
+
+/**
+ * Strategy which handles concurrent session-control.
+ *
+ * <p>
+ * When invoked following an authentication, it will check whether the user in
+ * question should be allowed to proceed, by comparing the number of sessions
+ * they already have active with the configured <tt>maximumSessions</tt> value.
+ * The {@link SessionRegistry} is used as the source of data on authenticated
+ * users and session data.
+ * </p>
+ * <p>
+ * If a user has reached the maximum number of permitted sessions, the behaviour
+ * depends on the <tt>exceptionIfMaxExceeded</tt> property. The default
+ * behaviour is to expired the least recently used session, which will be
+ * invalidated by the {@link ConcurrentSessionFilter} if accessed again. If
+ * <tt>exceptionIfMaxExceeded</tt> is set to <tt>true</tt>, however, the user
+ * will be prevented from starting a new authenticated session.
+ * </p>
+ * <p>
+ * This strategy can be injected into both the {@link SessionManagementFilter}
+ * and instances of {@link AbstractAuthenticationProcessingFilter} (typically
+ * {@link UsernamePasswordAuthenticationFilter}), but is typically combined with
+ * {@link RegisterSessionAuthenticationStrategy} using
+ * {@link CompositeSessionAuthenticationStrategy}.
+ * </p>
+ *
+ * @see CompositeSessionAuthenticationStrategy
+ *
+ * @author Luke Taylor
+ * @author Rob Winch
+ * @since 3.2
+ */
+public class ConcurrentSessionControlAuthenticationStrategy implements MessageSourceAware, SessionAuthenticationStrategy {
+    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
+    private final SessionRegistry sessionRegistry;
+    private boolean exceptionIfMaximumExceeded = false;
+    private int maximumSessions = 1;
+
+    /**
+     * @param sessionRegistry the session registry which should be updated when the authenticated session is changed.
+     */
+    public ConcurrentSessionControlAuthenticationStrategy(SessionRegistry sessionRegistry) {
+        Assert.notNull(sessionRegistry, "The sessionRegistry cannot be null");
+        this.sessionRegistry = sessionRegistry;
+    }
+
+    /**
+     * In addition to the steps from the superclass, the sessionRegistry will be updated with the new session information.
+     */
+    public void onAuthentication(Authentication authentication, HttpServletRequest request,
+            HttpServletResponse response) {
+
+        final List<SessionInformation> sessions = sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
+
+        int sessionCount = sessions.size();
+        int allowedSessions = getMaximumSessionsForThisUser(authentication);
+
+        if (sessionCount < allowedSessions) {
+            // They haven't got too many login sessions running at present
+            return;
+        }
+
+        if (allowedSessions == -1) {
+            // We permit unlimited logins
+            return;
+        }
+
+        if (sessionCount == allowedSessions) {
+            HttpSession session = request.getSession(false);
+
+            if (session != null) {
+                // Only permit it though if this request is associated with one of the already registered sessions
+                for (SessionInformation si : sessions) {
+                    if (si.getSessionId().equals(session.getId())) {
+                        return;
+                    }
+                }
+            }
+            // If the session is null, a new one will be created by the parent class, exceeding the allowed number
+        }
+
+        allowableSessionsExceeded(sessions, allowedSessions, sessionRegistry);
+    }
+
+    /**
+     * Method intended for use by subclasses to override the maximum number of sessions that are permitted for
+     * a particular authentication. The default implementation simply returns the <code>maximumSessions</code> value
+     * for the bean.
+     *
+     * @param authentication to determine the maximum sessions for
+     *
+     * @return either -1 meaning unlimited, or a positive integer to limit (never zero)
+     */
+    protected int getMaximumSessionsForThisUser(Authentication authentication) {
+        return maximumSessions;
+    }
+
+    /**
+     * Allows subclasses to customise behaviour when too many sessions are detected.
+     *
+     * @param sessions either <code>null</code> or all unexpired sessions associated with the principal
+     * @param allowableSessions the number of concurrent sessions the user is allowed to have
+     * @param registry an instance of the <code>SessionRegistry</code> for subclass use
+     *
+     */
+    protected void allowableSessionsExceeded(List<SessionInformation> sessions, int allowableSessions,
+            SessionRegistry registry) throws SessionAuthenticationException {
+        if (exceptionIfMaximumExceeded || (sessions == null)) {
+            throw new SessionAuthenticationException(messages.getMessage("ConcurrentSessionControlAuthenticationStrategy.exceededAllowed",
+                    new Object[] {Integer.valueOf(allowableSessions)},
+                    "Maximum sessions of {0} for this principal exceeded"));
+        }
+
+        // Determine least recently used session, and mark it for invalidation
+        SessionInformation leastRecentlyUsed = null;
+
+        for (SessionInformation session : sessions) {
+            if ((leastRecentlyUsed == null)
+                    || session.getLastRequest().before(leastRecentlyUsed.getLastRequest())) {
+                leastRecentlyUsed = session;
+            }
+        }
+
+        leastRecentlyUsed.expireNow();
+    }
+
+    /**
+     * Sets the <tt>exceptionIfMaximumExceeded</tt> property, which determines
+     * whether the user should be prevented from opening more sessions than
+     * allowed. If set to <tt>true</tt>, a
+     * <tt>SessionAuthenticationException</tt> will be raised which means the
+     * user authenticating will be prevented from authenticating. if set to
+     * <tt>false</tt>, the user that has already authenticated will be forcibly
+     * logged out.
+     *
+     * @param exceptionIfMaximumExceeded
+     *            defaults to <tt>false</tt>.
+     */
+    public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) {
+        this.exceptionIfMaximumExceeded = exceptionIfMaximumExceeded;
+    }
+
+    /**
+     * Sets the <tt>maxSessions</tt> property. The default value is 1. Use -1 for unlimited sessions.
+     *
+     * @param maximumSessions the maximimum number of permitted sessions a user can have open simultaneously.
+     */
+    public void setMaximumSessions(int maximumSessions) {
+        Assert.isTrue(maximumSessions != 0,
+            "MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");
+        this.maximumSessions = maximumSessions;
+    }
+
+    /**
+     * Sets the {@link MessageSource} used for reporting errors back to the user
+     * when the user has exceeded the maximum number of authentications.
+     */
+    public void setMessageSource(MessageSource messageSource) {
+        Assert.notNull(messageSource, "messageSource cannot be null");
+        this.messages = new MessageSourceAccessor(messageSource);
+    }
+}

web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java

@@ -37,7 +37,9 @@ import org.springframework.util.Assert;
  *
  * @author Luke Taylor
  * @since 3.0
+ * @deprecated Use {@link ConcurrentSessionControlAuthenticationStrategy} instead
  */
+@Deprecated
 public class ConcurrentSessionControlStrategy extends SessionFixationProtectionStrategy
         implements MessageSourceAware {
     protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

web/src/main/java/org/springframework/security/web/authentication/session/RegisterSessionAuthenticationStrategy.java

@@ -0,0 +1,51 @@
+package org.springframework.security.web.authentication.session;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
+import org.springframework.util.Assert;
+
+/**
+ * Strategy used to register a user with the {@link SessionRegistry} after
+ * successful {@link Authentication}.
+ *
+ * <p>
+ * {@link RegisterSessionAuthenticationStrategy} is typically used in
+ * combination with {@link CompositeSessionAuthenticationStrategy} and
+ * {@link ConcurrentSessionControlAuthenticationStrategy}, but can be used on
+ * its own if tracking of sessions is desired but no need to control
+ * concurrency.</P
+ *
+ * <p>
+ * NOTE: When using a {@link SessionRegistry} it is important that all sessions
+ * (including timed out sessions) are removed. This is typically done by adding
+ * {@link HttpSessionEventPublisher}.</p>
+ *
+ * @see CompositeSessionAuthenticationStrategy
+ *
+ * @author Luke Taylor
+ * @author Rob Winch
+ * @since 3.2
+ */
+public class RegisterSessionAuthenticationStrategy implements SessionAuthenticationStrategy {
+    private final SessionRegistry sessionRegistry;
+
+    /**
+     * @param sessionRegistry the session registry which should be updated when the authenticated session is changed.
+     */
+    public RegisterSessionAuthenticationStrategy(SessionRegistry sessionRegistry) {
+        Assert.notNull(sessionRegistry, "The sessionRegistry cannot be null");
+        this.sessionRegistry = sessionRegistry;
+    }
+
+    /**
+     * In addition to the steps from the superclass, the sessionRegistry will be updated with the new session information.
+     */
+    public void onAuthentication(Authentication authentication, HttpServletRequest request,
+            HttpServletResponse response) {
+        sessionRegistry.registerNewSession(request.getSession().getId(), authentication.getPrincipal());
+    }
+}

web/src/test/java/org/springframework/security/web/authentication/session/CompositeSessionAuthenticationStrategyTests.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.authentication.session;
+
+import static junit.framework.Assert.fail;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+
+import java.util.Arrays;
+import java.util.Collections;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.security.core.Authentication;
+
+/**
+ * @author Rob Winch
+ *
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class CompositeSessionAuthenticationStrategyTests {
+    @Mock
+    private SessionAuthenticationStrategy strategy1;
+    @Mock
+    private SessionAuthenticationStrategy strategy2;
+    @Mock
+    private Authentication authentication;
+    @Mock
+    private HttpServletRequest request;
+    @Mock
+    private HttpServletResponse response;
+
+
+    @Test(expected = IllegalArgumentException.class)
+    public void constructorNullDelegates() {
+        new CompositeSessionAuthenticationStrategy(null);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void constructorEmptyDelegates() {
+        new CompositeSessionAuthenticationStrategy(Collections.<SessionAuthenticationStrategy>emptyList());
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void constructorDelegatesContainNull() {
+        new CompositeSessionAuthenticationStrategy(Collections.<SessionAuthenticationStrategy>singletonList(null));
+    }
+
+    @Test
+    public void delegatesToAll() {
+        CompositeSessionAuthenticationStrategy strategy = new CompositeSessionAuthenticationStrategy(Arrays.asList(strategy1,strategy2));
+        strategy.onAuthentication(authentication, request, response);
+
+        verify(strategy1).onAuthentication(authentication, request, response);
+        verify(strategy2).onAuthentication(authentication, request, response);
+    }
+
+
+    @Test
+    public void delegateShortCircuits() {
+        doThrow(new SessionAuthenticationException("oops")).when(strategy1).onAuthentication(authentication, request, response);
+
+        CompositeSessionAuthenticationStrategy strategy = new CompositeSessionAuthenticationStrategy(Arrays.asList(strategy1,strategy2));
+
+        try {
+            strategy.onAuthentication(authentication, request, response);
+            fail("Expected Exception");
+        } catch (SessionAuthenticationException success) {}
+
+        verify(strategy1).onAuthentication(authentication, request, response);
+        verify(strategy2,times(0)).onAuthentication(authentication, request, response);
+    }
+}

web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategyTests.java

@@ -0,0 +1,132 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.authentication.session;
+
+import static org.fest.assertions.Assertions.assertThat;
+import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.anyBoolean;
+import static org.mockito.Mockito.when;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Date;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.mock.web.MockServletContext;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.SessionInformation;
+import org.springframework.security.core.session.SessionRegistry;
+
+/**
+ *
+ * @author Rob Winch
+ *
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class ConcurrentSessionControlAuthenticationStrategyTests {
+    @Mock
+    private SessionRegistry sessionRegistry;
+
+    private Authentication authentication;
+    private MockHttpServletRequest request;
+    private MockHttpServletResponse response;
+    private SessionInformation sessionInformation;
+
+    private ConcurrentSessionControlAuthenticationStrategy strategy;
+
+    @Before
+    public void setup() throws Exception {
+        authentication = new TestingAuthenticationToken("user", "password", "ROLE_USER");
+        request = new MockHttpServletRequest();
+        response = new MockHttpServletResponse();
+        sessionInformation = new SessionInformation(authentication.getPrincipal(), "unique", new Date(1374766134216L));
+
+        strategy = new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void constructorNullRegistry() {
+        new ConcurrentSessionControlAuthenticationStrategy(null);
+    }
+
+    @Test
+    public void noRegisteredSession() {
+        when(sessionRegistry.getAllSessions(any(), anyBoolean())).thenReturn(Collections.<SessionInformation>emptyList());
+        strategy.setMaximumSessions(1);
+        strategy.setExceptionIfMaximumExceeded(true);
+
+        strategy.onAuthentication(authentication, request, response);
+
+        // no exception
+    }
+
+    @Test
+    public void maxSessionsSameSessionId() {
+        MockHttpSession session = new MockHttpSession(new MockServletContext(), sessionInformation.getSessionId());
+        request.setSession(session);
+        when(sessionRegistry.getAllSessions(any(), anyBoolean())).thenReturn(Collections.<SessionInformation>singletonList(sessionInformation));
+        strategy.setMaximumSessions(1);
+        strategy.setExceptionIfMaximumExceeded(true);
+
+        strategy.onAuthentication(authentication, request, response);
+
+        // no exception
+    }
+
+    @Test(expected = SessionAuthenticationException.class)
+    public void maxSessionsWithException() {
+        when(sessionRegistry.getAllSessions(any(), anyBoolean())).thenReturn(Collections.<SessionInformation>singletonList(sessionInformation));
+        strategy.setMaximumSessions(1);
+        strategy.setExceptionIfMaximumExceeded(true);
+
+        strategy.onAuthentication(authentication, request, response);
+    }
+
+    @Test
+    public void maxSessionsExpireExistingUser() {
+        when(sessionRegistry.getAllSessions(any(), anyBoolean())).thenReturn(Collections.<SessionInformation>singletonList(sessionInformation));
+        strategy.setMaximumSessions(1);
+
+        strategy.onAuthentication(authentication, request, response);
+
+        assertThat(sessionInformation.isExpired()).isTrue();
+    }
+
+    @Test
+    public void maxSessionsExpireLeastRecentExistingUser() {
+        SessionInformation moreRecentSessionInfo = new SessionInformation(authentication.getPrincipal(), "unique", new Date(1374766999999L));
+        when(sessionRegistry.getAllSessions(any(), anyBoolean())).thenReturn(Arrays.<SessionInformation>asList(moreRecentSessionInfo,sessionInformation));
+        strategy.setMaximumSessions(2);
+
+        strategy.onAuthentication(authentication, request, response);
+
+        assertThat(sessionInformation.isExpired()).isTrue();
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void setMessageSourceNull() {
+        strategy.setMessageSource(null);
+    }
+}

web/src/test/java/org/springframework/security/web/authentication/session/RegisterSessionAuthenticationStrategyTests.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.authentication.session;
+
+import static org.mockito.Mockito.verify;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.SessionRegistry;
+
+/**
+ * @author Rob Winch
+ *
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class RegisterSessionAuthenticationStrategyTests {
+
+    @Mock
+    private SessionRegistry registry;
+
+    private RegisterSessionAuthenticationStrategy authenticationStrategy;
+
+    private Authentication authentication;
+    private MockHttpServletRequest request;
+    private MockHttpServletResponse response;
+
+    @Before
+    public void setup() {
+        authenticationStrategy = new RegisterSessionAuthenticationStrategy(registry);
+        authentication = new TestingAuthenticationToken("user", "password","ROLE_USER");
+        request = new MockHttpServletRequest();
+        response = new MockHttpServletResponse();
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void constructorNullRegistry() {
+        new RegisterSessionAuthenticationStrategy(null);
+    }
+
+    @Test
+    public void onAuthenticationRegistersSession() {
+        authenticationStrategy.onAuthentication(authentication, request, response);
+
+        verify(registry).registerNewSession(request.getSession().getId(), authentication.getPrincipal());
+    }
+
+}