|
|
@@ -26,7 +26,7 @@
|
|
|
|
|
|
<subtitle>Reference Documentation</subtitle>
|
|
|
|
|
|
- <releaseinfo>0.8.1</releaseinfo>
|
|
|
+ <releaseinfo>0.8.2</releaseinfo>
|
|
|
|
|
|
<authorgroup>
|
|
|
<author>
|
|
|
@@ -1475,6 +1475,69 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
|
|
bean context configuration shown above.</para>
|
|
|
</sect2>
|
|
|
|
|
|
+ <sect2 id="security-authentication-concurrent-login">
|
|
|
+ <title>Concurrent Session Support</title>
|
|
|
+
|
|
|
+ <para>Acegi Security is able to stop the same principal authenticating
|
|
|
+ to the same web application multiple times concurrently. Put
|
|
|
+ differently, you can stop user "Batman" from logging into a web
|
|
|
+ application twice at the same time. </para>
|
|
|
+
|
|
|
+ <para>To use concurrent session support, you'll need to add the
|
|
|
+ following to web.xml:</para>
|
|
|
+
|
|
|
+ <para><programlisting><listener>
|
|
|
+ <listener-class>net.sf.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
|
|
|
+</listener></programlisting></para>
|
|
|
+
|
|
|
+ <para>The above code causes an <literal>ApplicationEvent</literal> to
|
|
|
+ be published to the Spring <literal>ApplicationContext</literal> every
|
|
|
+ time a <literal>HttpSession</literal> commences or terminates. This is
|
|
|
+ critical, as it allows the
|
|
|
+ <literal>ConcurrentSessionControllerImpl</literal> to be notified when
|
|
|
+ a session ends. Next up you'll need to wire the
|
|
|
+ <literal>ConcurrentSessionControllerImpl</literal> into your existing
|
|
|
+ <literal>ProviderManager</literal>:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
|
|
|
+ <property name="providers">
|
|
|
+ <!-- your providers go here -->
|
|
|
+ </property>
|
|
|
+ <property name="sessionController"><ref bean="concurrentSessionController"/></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="concurrentSessionController" class="net.sf.acegisecurity.providers.ConcurrentSessionControllerImpl">
|
|
|
+ <property name="maxSessions"><value>1</value></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>Ensure you do not in-line the
|
|
|
+ <literal>ConcurrentSessionControllerImpl</literal> when declaring it
|
|
|
+ in your XML. This is important, as it appears that in-lined bean
|
|
|
+ declarations do not receive ApplicationEvents.</para>
|
|
|
+
|
|
|
+ <para>The <literal>ConcurrentSessionControllerImpl</literal> relies
|
|
|
+ heavily on the
|
|
|
+ <literal>Authentication.getPrincipal().equals()</literal> method. If
|
|
|
+ you are using a custom <literal>Authentication</literal> object,
|
|
|
+ please keep this in mind. In order for the
|
|
|
+ <literal>ConcurrentSessionControllerImpl</literal> to release a given
|
|
|
+ <literal>HttpSession</literal>, and thus let the user log in to a new
|
|
|
+ <literal>HttpSession</literal>, the existing
|
|
|
+ <literal>HttpSession</literal> must be invalidated. For example, if
|
|
|
+ "Batman" logs into the web application, checks for crimes being
|
|
|
+ commited, and the just closes his browser with out "logging out", he
|
|
|
+ will not be able to log back in until his
|
|
|
+ <literal>HttpSession</literal> is timed out by the server (and a
|
|
|
+ corresponding <literal>ApplicationEvent</literal> is published via
|
|
|
+ <literal>HttpSessionEventPublisher</literal> to the
|
|
|
+ <literal>ConcurrentSessionControllerImpl</literal>). You would have to
|
|
|
+ look at your container's documentation to determine the default
|
|
|
+ timeout period. You can also configure the session timeout in your
|
|
|
+ <literal>web.xml</literal>:<programlisting><session-config>
|
|
|
+ <session-timeout>30</session-timeout>
|
|
|
+</session-config></programlisting></para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
<sect2 id="security-authentication-provider-jaas">
|
|
|
<title>JAAS Authentication</title>
|
|
|
|
|
|
@@ -2134,7 +2197,7 @@ public boolean supports(Class clazz);</programlisting></para>
|
|
|
attribute that an <literal>AccessDecisionVoter</literal> will vote to
|
|
|
grant access for. This latter (recommended) approach is usually
|
|
|
achieved through a <literal>ROLE_USER</literal> or
|
|
|
- <literal>ROLE_AUTHENTICATED</literal> configuration attribute. </para>
|
|
|
+ <literal>ROLE_AUTHENTICATED</literal> configuration attribute.</para>
|
|
|
</sect2>
|
|
|
|
|
|
<sect2 id="afterinvocation-acl-aware">
|
Ben Alex