How to Limit the Number of Concurrent Active User Sessions Using Spring Security
If you are developing a web application, particularly a secure web application in Java EE, you have probably come across a requirement like the one online banking portals have: only one session per user at a time, i.e. no concurrent sessions per user.
Thankfully, Spring Security can limit the number of concurrent user sessions without you writing a single line of code. All you need to do is add some configuration to the XML file, or add the equivalent of it in Java.
You can implement this functionality without Spring Security too, but with Spring Security it's a piece of cake (with coffee!).
You just need to add a couple of lines of XML in your Spring Security configuration file and you are done. In order to implement this functionality, you can use the <concurrency-control> tag.
You configure the maximum number of sessions your application supports, and Spring Security then automatically detects when a user breaches that limit and directs them to the invalid-session URL you specified with this tag, e.g. a logout page.
Similar to this, Spring Security provides lots of out-of-the-box functionality that a secure enterprise or web application needs for authentication, authorization, session management, password encoding, secure access, session timeout, etc.
In our last Spring Security example, we saw how to do LDAP authentication against Active Directory using Spring Security. In this Spring Security example, we will see how to limit the number of sessions a user can have in a Java web application, i.e. how to restrict concurrent user sessions.
How to Limit the Number of Concurrent User Sessions in Java
As I said, it's simple and easy when you use the Spring Security framework. In fact, it is all declarative and no code is required to enable the concurrent session control functionality.
You need to include the following XML snippet in your Spring Security configuration file, usually named applicationContext-security.xml. Here is an example of Spring Security limiting the user session in Java:
<!-- The two URLs below are placeholders; point them at your own pages -->
<session-management invalid-session-url="/invalidSession.htm">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
As you can see, you specify how many concurrent sessions per user are allowed; a more secure system, like an online banking portal, allows just one authenticated session per user.
You can even specify a URL where the user is taken if they submit an invalid session identifier, which can be used to detect session timeout. The session-management element is where all the session-related settings live.
The max-sessions attribute specifies how many concurrent authenticated sessions are allowed, and if error-if-maximum-exceeded is set to true, Spring Security flags an error when a user tries to log in to a second session (when it is false, the earlier session is expired instead).
For example, if you try to log in twice from your browser to this Spring Security application, then you will receive an error saying "Maximum Sessions of 1 for this principal exceeded," as shown below:
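The Java-config equivalent the article mentions, written here as an added example (it is not code from the original post); it assumes Spring Security 3.2 or later, since Java config is not available in the 3.1 jar named below, and the URLs /invalidSession.htm and /sessionExpired.htm are placeholders for your own pages:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrentSessionConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The redirect/error pages must stay reachable without a valid session
                .antMatchers("/login", "/invalidSession.htm", "/sessionExpired.htm").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // = invalid-session-url: the request carries a session id the server
                // no longer knows (typically a timed-out session)
                .invalidSessionUrl("/invalidSession.htm")
                // = <concurrency-control max-sessions="1">
                .maximumSessions(1)
                // = error-if-maximum-exceeded="true": reject the second login.
                // With false, Spring Security instead expires the earlier session.
                .maxSessionsPreventsLogin(true)
                // = expired-url: where a user lands if their session was expired
                // by the registry (only happens when maxSessionsPreventsLogin is false)
                .expiredUrl("/sessionExpired.htm");
    }

    // Concurrency control counts live sessions in a SessionRegistry. This listener
    // tells the registry when the container destroys a session; without it, a user
    // who closes the browser without logging out stays counted and, with
    // maxSessionsPreventsLogin(true), is locked out for as long as the stale entry
    // remains. (XML equivalent: register HttpSessionEventPublisher as a <listener>
    // in web.xml.)
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```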
Dependencies (JAR)
This code has a dependency on the Spring Security framework. You need to download the Spring Security jar, like spring-security-web-3.1.0.jar, and add it to the application classpath.
This simple example shows the power of Spring Security: a small piece of XML can be a very useful and handy security feature in your Java applications.
I strongly recommend using Spring Security for your new or existing Java applications built with Servlets and JSP.
That's all on how to limit the number of user sessions using Spring Security in Java. Let me know if you face any issue while implementing this security feature in your project.
Conclusion
Good luck on your Spring Security journey! It’s certainly not going to be easy, but by following these courses, you are one step ahead in mastering Spring Boot.
If you are looking for some free resources, you can check out this list of free Spring courses.
Other Spring Security tutorials and resources:
Spring Framework 5: Beginner to Guru
Learn Spring Security 4 Basic hands-on
Difference between @RestController and @Controller in Spring MVC?
Difference between @RequestParam and @PathVariable in Spring?
3 Online Courses to learn Spring Security better
Difference between @Service, @Component, and @Controller in Spring?
5 Courses to learn Spring Core, Spring MVC, and Spring Boot
Spring Security Certification Class by Eugen Paraschiv