Similar to Servlet’s Concurrent Sessions Control, Spring Security also provides support to limit the number of concurrent sessions a user can have in a Reactive application.
When you set up Concurrent Sessions Control in Spring Security, it monitors authentications carried out through Form Login, OAuth 2.0 Login, and HTTP Basic authentication by hooking into the way those authentication mechanisms handle authentication success.
More specifically, the session management DSL will add the {security-api-url}org/springframework/security/web/server/authentication/ConcurrentSessionControlServerAuthenticationSuccessHandler.html[ConcurrentSessionControlServerAuthenticationSuccessHandler] and the {security-api-url}org/springframework/security/web/server/authentication/RegisterSessionServerAuthenticationSuccessHandler.html[RegisterSessionServerAuthenticationSuccessHandler] to the list of ServerAuthenticationSuccessHandler
used by the authentication filter.
The following sections contains examples of how to configure Concurrent Sessions Control.
By default, Spring Security will allow any number of concurrent sessions for a user.
To limit the number of concurrent sessions, you can use the maximumSessions
DSL method:
- Java
-
@Bean SecurityWebFilterChain filterChain(ServerHttpSecurity http) { http // ... .sessionManagement((sessions) -> sessions .concurrentSessions((concurrency) -> concurrency .maximumSessions(SessionLimit.of(1)) ) ); return http.build(); } @Bean ReactiveSessionRegistry reactiveSessionRegistry() { return new InMemoryReactiveSessionRegistry(); }
- Kotlin
-
@Bean open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... sessionManagement { sessionConcurrency { maximumSessions = SessionLimit.of(1) } } } } @Bean open fun reactiveSessionRegistry(): ReactiveSessionRegistry { return InMemoryReactiveSessionRegistry() }
The above configuration allows one session for any user.
Similarly, you can also allow unlimited sessions by using the SessionLimit#UNLIMITED
constant:
- Java
-
@Bean SecurityWebFilterChain filterChain(ServerHttpSecurity http) { http // ... .sessionManagement((sessions) -> sessions .concurrentSessions((concurrency) -> concurrency .maximumSessions(SessionLimit.UNLIMITED)) ); return http.build(); } @Bean ReactiveSessionRegistry reactiveSessionRegistry() { return new InMemoryReactiveSessionRegistry(); }
- Kotlin
-
@Bean open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... sessionManagement { sessionConcurrency { maximumSessions = SessionLimit.UNLIMITED } } } } @Bean open fun reactiveSessionRegistry(webSessionManager: WebSessionManager): ReactiveSessionRegistry { return InMemoryReactiveSessionRegistry() }
Since the maximumSessions
method accepts a SessionLimit
interface, which in turn extends Function<Authentication, Mono<Integer>>
, you can have a more complex logic to determine the maximum number of sessions based on the user’s authentication:
Authentication
- Java
-
@Bean SecurityWebFilterChain filterChain(ServerHttpSecurity http) { http // ... .sessionManagement((sessions) -> sessions .concurrentSessions((concurrency) -> concurrency .maximumSessions(maxSessions())) ); return http.build(); } private SessionLimit maxSessions() { return (authentication) -> { if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_UNLIMITED_SESSIONS"))) { return Mono.empty(); // allow unlimited sessions for users with ROLE_UNLIMITED_SESSIONS } if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN"))) { return Mono.just(2); // allow two sessions for admins } return Mono.just(1); // allow one session for every other user }; } @Bean ReactiveSessionRegistry reactiveSessionRegistry() { return new InMemoryReactiveSessionRegistry(); }
- Kotlin
-
@Bean open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... sessionManagement { sessionConcurrency { maximumSessions = maxSessions() } } } } fun maxSessions(): SessionLimit { return { authentication -> if (authentication.authorities.contains(SimpleGrantedAuthority("ROLE_UNLIMITED_SESSIONS"))) Mono.empty if (authentication.authorities.contains(SimpleGrantedAuthority("ROLE_ADMIN"))) Mono.just(2) Mono.just(1) } } @Bean open fun reactiveSessionRegistry(): ReactiveSessionRegistry { return InMemoryReactiveSessionRegistry() }
When the maximum number of sessions is exceeded, by default, the least recently used session(s) will be expired. If you want to change that behavior, you can customize the strategy used when the maximum number of sessions is exceeded.
By default, when the maximum number of sessions is exceeded, the least recently used session(s) will be expired by using the {security-api-url}org/springframework/security/web/server/authentication/session/InvalidateLeastUsedMaximumSessionsExceededHandler.html[InvalidateLeastUsedMaximumSessionsExceededHandler]. Spring Security also provides another implementation that prevents the user from creating new sessions by using the {security-api-url}org/springframework/security/web/server/authentication/session/PreventLoginMaximumSessionsExceededHandler.html[PreventLoginMaximumSessionsExceededHandler]. If you want to use your own strategy, you can provide a different implementation of {security-api-url}org/springframework/security/web/server/authentication/session/ServerMaximumSessionsExceededHandler.html[ServerMaximumSessionsExceededHandler].
- Java
-
@Bean SecurityWebFilterChain filterChain(ServerHttpSecurity http) { http // ... .sessionManagement((sessions) -> sessions .concurrentSessions((concurrency) -> concurrency .maximumSessions(SessionLimit.of(1)) .maximumSessionsExceededHandler(new PreventLoginMaximumSessionsExceededHandler()) ) ); return http.build(); } @Bean ReactiveSessionRegistry reactiveSessionRegistry() { return new InMemoryReactiveSessionRegistry(); }
- Kotlin
-
@Bean open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... sessionManagement { sessionConcurrency { maximumSessions = SessionLimit.of(1) maximumSessionsExceededHandler = PreventLoginMaximumSessionsExceededHandler() } } } } @Bean open fun reactiveSessionRegistry(): ReactiveSessionRegistry { return InMemoryReactiveSessionRegistry() }
In order to keep track of the user’s sessions, Spring Security uses a {security-api-url}org/springframework/security/core/session/ReactiveSessionRegistry.html[ReactiveSessionRegistry], and, every time a user logs in, their session information is saved.
Spring Security ships with {security-api-url}org/springframework/security/core/session/InMemoryReactiveSessionRegistry.html[InMemoryReactiveSessionRegistry] implementation of ReactiveSessionRegistry
.
To specify a ReactiveSessionRegistry
implementation you can either declare it as a bean:
- Java
-
@Bean SecurityWebFilterChain filterChain(ServerHttpSecurity http) { http // ... .sessionManagement((sessions) -> sessions .concurrentSessions((concurrency) -> concurrency .maximumSessions(SessionLimit.of(1)) ) ); return http.build(); } @Bean ReactiveSessionRegistry reactiveSessionRegistry() { return new MyReactiveSessionRegistry(); }
- Kotlin
-
@Bean open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... sessionManagement { sessionConcurrency { maximumSessions = SessionLimit.of(1) } } } } @Bean open fun reactiveSessionRegistry(): ReactiveSessionRegistry { return MyReactiveSessionRegistry() }
or you can use the sessionRegistry
DSL method:
- Java
-
@Bean SecurityWebFilterChain filterChain(ServerHttpSecurity http) { http // ... .sessionManagement((sessions) -> sessions .concurrentSessions((concurrency) -> concurrency .maximumSessions(SessionLimit.of(1)) .sessionRegistry(new MyReactiveSessionRegistry()) ) ); return http.build(); }
- Kotlin
-
@Bean open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... sessionManagement { sessionConcurrency { maximumSessions = SessionLimit.of(1) sessionRegistry = MyReactiveSessionRegistry() } } } }
At times, it is handy to be able to invalidate all or some of a user’s sessions.
For example, when a user changes their password, you may want to invalidate all of their sessions so that they are forced to log in again.
To do that, you can use the ReactiveSessionRegistry
bean to retrieve all the user’s sessions, invalidate them, and them remove them from the WebSessionStore
:
- Java
-
public class SessionControl { private final ReactiveSessionRegistry reactiveSessionRegistry; private final WebSessionStore webSessionStore; public Mono<Void> invalidateSessions(String username) { return this.reactiveSessionRegistry.getAllSessions(username) .flatMap((session) -> session.invalidate().thenReturn(session)) .flatMap((session) -> this.webSessionStore.removeSession(session.getSessionId())) .then(); } }
By default, Concurrent Sessions Control will be configured automatically for Form Login, OAuth 2.0 Login, and HTTP Basic authentication as long as they do not specify an ServerAuthenticationSuccessHandler
themselves.
For example, the following configuration will disable Concurrent Sessions Control for Form Login:
- Java
-
@Bean SecurityWebFilterChain filterChain(ServerHttpSecurity http) { http // ... .formLogin((login) -> login .authenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler("/")) ) .sessionManagement((sessions) -> sessions .concurrentSessions((concurrency) -> concurrency .maximumSessions(SessionLimit.of(1)) ) ); return http.build(); }
- Kotlin
-
@Bean open fun springSecurity(http: ServerHttpSecurity): SecurityWebFilterChain { return http { // ... formLogin { authenticationSuccessHandler = RedirectServerAuthenticationSuccessHandler("/") } sessionManagement { sessionConcurrency { maximumSessions = SessionLimit.of(1) } } } }
You can also include additional ServerAuthenticationSuccessHandler
instances to the list of handlers used by the authentication filter without disabling Concurrent Sessions Control.
To do that you can use the authenticationSuccessHandler(Consumer<List<ServerAuthenticationSuccessHandler>>)
method:
- Java
-
@Bean SecurityWebFilterChain filterChain(ServerHttpSecurity http) { http // ... .formLogin((login) -> login .authenticationSuccessHandler((handlers) -> handlers.add(new MyAuthenticationSuccessHandler())) ) .sessionManagement((sessions) -> sessions .concurrentSessions((concurrency) -> concurrency .maximumSessions(SessionLimit.of(1)) ) ); return http.build(); }