Spring concurrent session control not working, user can login multiple times

無奈伤痛 2021-01-26 21:04

I use Spring 3.2 and Spring-security 3.1 along with jsf + primefaces and hibernate4 on Tomcat7

I wanted to add a concurrency control to limit users' session to one, and

1 answer
  •  攒了一身酷
    2021-01-26 21:48

    I don't see any logs stating that the Spring Security FilterChainProxy is being invoked. Did you just leave these logs out or are you authenticating the user yourself? Typically the registration of the session is performed by UsernamePasswordAuthenticationFilter or some other subclass of AbstractAuthenticationProcessingFilter. If you are authenticating the user yourself, then you need to ensure to invoke ConcurrentSessionControlStrategy#onAuthentication.

    It appears you are using a custom UserDetailsService which probably means that you are returning a custom UserDetails. It is critical to implement UserDetails#hashCode and UserDetails#equals properly in order for SessionRegistryImpl to work since it is backed by a ConcurrentMap.

    If you have a clustered deployment, the SessionRegistryImpl will not work since the cluster does not share memory with other nodes in the environment. In this instance, you would need to provide your own SessionRegistry implementation.

    PS: It appears you are only protecting /pages/** which is not generally recommended. Instead it is recommended that you explicitly grant access to pages and by default restrict access.

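The equals/hashCode point from the answer, as an added example that is not part of the original post and is not Spring Security's code. `BrokenUser`, `FixedUser` and the map-based `registry` are hypothetical stand-ins for a custom UserDetails and a registry keyed by the principal object; because each login produces a fresh principal instance, the identity-based version files the second session under a new key and a one-session limit is never reached.

```java
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

public class PrincipalEqualityDemo {

    // Hypothetical principal that inherits Object's identity-based equals/hashCode.
    static class BrokenUser {
        final String username;
        BrokenUser(String username) { this.username = username; }
    }

    // Same principal, with equality and hash defined on the username.
    static class FixedUser {
        final String username;
        FixedUser(String username) { this.username = username; }
        @Override public boolean equals(Object o) {
            return o instanceof FixedUser && username.equals(((FixedUser) o).username);
        }
        @Override public int hashCode() { return Objects.hash(username); }
    }

    // Simplified stand-in for a session registry: principal -> session ids (assumption).
    static final ConcurrentMap<Object, Set<String>> registry = new ConcurrentHashMap<>();

    // Records the session and returns how many sessions the map holds for this principal.
    static int register(Object principal, String sessionId) {
        Set<String> sessions =
            registry.computeIfAbsent(principal, p -> ConcurrentHashMap.<String>newKeySet());
        sessions.add(sessionId);
        return sessions.size();
    }

    // A concurrency check can only refuse a login if the count exceeds the limit.
    static boolean exceedsLimit(int sessionCount, int maxSessions) {
        return sessionCount > maxSessions;
    }

    public static void main(String[] args) {
        // Constructed sample data: the same user logs in twice, one new object per login.
        register(new BrokenUser("alice"), "session-A");
        int broken = register(new BrokenUser("alice"), "session-B");
        System.out.println("identity equality: second login refused = " + exceedsLimit(broken, 1));

        register(new FixedUser("alice"), "session-A");
        int fixed = register(new FixedUser("alice"), "session-B");
        System.out.println("username equality: second login refused = " + exceedsLimit(fixed, 1));
    }
}
```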