Update: Concurrent user sessions management in grails 2 using spring-security-core plugin

While the approach to managing concurrent user sessions in Grails 2 with the Spring Security Core plugin described in my previous post works well, I just noticed that the configuration breaks some of the custom config options of the Spring Security Core plugin.

The reason for that is simple: we replaced the authenticationProcessingFilter bean that comes with the Spring Security Core plugin with our own definition in order to set our concurrentSessionControlStrategy. The plugin normally wires that bean from the grails.plugins.springsecurity.* settings in Config.groovy (success and failure handlers, remember-me services, the login URL and parameter names, and so on), so a replacement bean that only sets the authentication manager and the strategy loses all of that:

authenticationProcessingFilter(UsernamePasswordAuthenticationFilter) {
  sessionAuthenticationStrategy=concurrentSessionControlStrategy
  authenticationManager=ref("authenticationManager")
}

A more elegant way to achieve the same is to leave the plugin's bean alone and only set its sessionAuthenticationStrategy in BootStrap.groovy once the application context is up.
For your reference, here is what the updated resources.groovy looks like:

import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
import org.springframework.security.web.session.ConcurrentSessionFilter

beans = {
  // Tracks which principal owns which HTTP session
  sessionRegistry(SessionRegistryImpl)

  // Checks every request against the registry and logs out sessions that have been marked expired
  concurrencyFilter(ConcurrentSessionFilter) {
    sessionRegistry = sessionRegistry
    logoutHandlers = [ref("rememberMeServices"), ref("securityContextLogoutHandler")]
    expiredUrl='/login/concurrentSession'
  }
  // Runs on login: one session per user; a new login expires the older session instead of being rejected
  concurrentSessionControlStrategy(ConcurrentSessionControlStrategy, sessionRegistry) {
    alwaysCreateSession = true
    exceptionIfMaximumExceeded = false
    maximumSessions = 1
  }
  // No longer needed: the plugin's own authenticationProcessingFilter stays in place
  // and gets the strategy assigned in BootStrap.groovy
  /*
  authenticationProcessingFilter(UsernamePasswordAuthenticationFilter) {
    sessionAuthenticationStrategy=concurrentSessionControlStrategy
    authenticationManager=ref("authenticationManager")
  }
  */
}

And here is the updated BootStrap.groovy:

// Package name of the Spring Security Core plugin 1.2.x used with Grails 2
import grails.plugins.springsecurity.SecurityFilterPosition
import grails.plugins.springsecurity.SpringSecurityUtils

class BootStrap {

  // Injected by name: the filter comes from the plugin, the strategy from resources.groovy
  def authenticationProcessingFilter
  def concurrentSessionControlStrategy

  def init = { servletContext ->
    // Insert the ConcurrentSessionFilter into the plugin's filter chain at its standard position
    SpringSecurityUtils.clientRegisterFilter('concurrencyFilter', SecurityFilterPosition.CONCURRENT_SESSION_FILTER)
    // Swap the strategy on the plugin's own login filter instead of redefining the bean
    authenticationProcessingFilter.sessionAuthenticationStrategy = concurrentSessionControlStrategy
  }

  def destroy = {
  }
}

Now all Spring Security related config options from Config.groovy are left untouched and only the session authentication strategy of the login filter is replaced.
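To check that the two files above actually work together, here is a Grails 2 integration test (an added example, not part of the original post or of the demo app mentioned below). It drives the concurrentSessionControlStrategy and sessionRegistry beans from resources.groovy with spring-test mock requests, making the same onAuthentication call the plugin's login filter makes once BootStrap.groovy has assigned the strategy to it. The user names and the password are made up for the test.

```groovy
// test/integration/ConcurrentSessionControlIntegrationTests.groovy
// Added example: exercises the beans defined in resources.groovy above.
import org.springframework.mock.web.MockHttpServletRequest
import org.springframework.mock.web.MockHttpServletResponse
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.web.authentication.session.SessionAuthenticationException

class ConcurrentSessionControlIntegrationTests extends GroovyTestCase {

  // injected by name from resources.groovy
  def sessionRegistry
  def concurrentSessionControlStrategy

  // Simulates what UsernamePasswordAuthenticationFilter does after a successful login:
  // it hands the Authentication and the current request to the session strategy.
  // Each call uses a fresh request, i.e. a new browser without a session cookie.
  // 'secret' is a made-up password; the registry only cares about the principal.
  private String login(String username) {
    def request = new MockHttpServletRequest()
    def auth = new UsernamePasswordAuthenticationToken(username, 'secret')
    concurrentSessionControlStrategy.onAuthentication(auth, request, new MockHttpServletResponse())
    return request.session.id   // alwaysCreateSession = true, so a session now exists
  }

  void testSecondLoginExpiresFirstSession() {
    String first = login('alice')
    assertFalse sessionRegistry.getSessionInformation(first).expired

    String second = login('alice')
    assertTrue first != second
    // maximumSessions = 1 and exceptionIfMaximumExceeded = false: the least recently
    // used session is marked expired and the new one is live. In the running app the
    // ConcurrentSessionFilter sends the first browser to expiredUrl on its next request.
    assertTrue sessionRegistry.getSessionInformation(first).expired
    assertFalse sessionRegistry.getSessionInformation(second).expired
    assertEquals 1, sessionRegistry.getAllSessions('alice', false).size()
  }

  void testDifferentUsersDoNotAffectEachOther() {
    String a = login('alice')
    String b = login('bob')
    assertFalse sessionRegistry.getSessionInformation(a).expired
    assertFalse sessionRegistry.getSessionInformation(b).expired
  }

  void testStrictModeRejectsSecondLogin() {
    // With exceptionIfMaximumExceeded = true the second login fails instead of
    // kicking out the first session. Restore the post's setting afterwards.
    concurrentSessionControlStrategy.exceptionIfMaximumExceeded = true
    try {
      login('carol')
      shouldFail(SessionAuthenticationException) { login('carol') }
    } finally {
      concurrentSessionControlStrategy.exceptionIfMaximumExceeded = false
    }
  }
}
```

Run it with grails test-app integration:. The BootStrap wiring itself is easiest to verify end to end: log in as the same user from two browsers; the first one should be redirected to /login/concurrentSession on its next request. In the deployed application the registry also needs the HttpSessionEventPublisher listener in web.xml, as the Spring Security reference requires for concurrent session control, so that sessions which time out or are invalidated are removed from the registry and do not keep counting against maximumSessions.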

I’ll put all this into a short demo app and then publish it on github as soon as I have time for it again…
