Comments (7)
seaswaraiyer
commented on June 16, 2024
If this is by design since gmail oauth2 uses an external authorization server, request you to update the spring security doc or point me to the material where it says that maximumSessions(1) cannot be supported in such cases. The authentication object in the spring security context does contain the login id which is the email id in case of gmail authentication. So I would think it is still possible to detect if the user logs in with the same gmail id on different browsers/different devices, but I could be missing something here.
from spring-session.
marcusdacoregio
commented on June 16, 2024
Hi, @seaswaraiyer. Have you configured the integration between Spring Security and Spring Session?
from spring-session.
seaswaraiyer
commented on June 16, 2024
Hi Marcus,
I have used the link below. There are 2 sample projects named Maximum sessions sample and Maximum session prevent login sample. Both of them work with a normal userid/password based login. I used the same logic with oauth authentication and it did not restrict the number of sessions.
I looked at the link that you shared and I have not used that. Do I need to since mine is an Oauth based project? If yes, request you to please ask the spring security team to mention that in the spring doc since it is not obvious. Thanks for your help in advance.
[Authentication Persistence and Session Management :: Spring Security](https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#ns-concurrent-sessions)
On Monday, January 22, 2024 at 05:33:23 PM GMT+5:30, Marcus Hert Da Coregio ***@***.***> wrote:
Hi, @seaswaraiyer. Have you configured the integration between Spring Security and Spring Session?
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: ***@***.***>
from spring-session.
marcusdacoregio
commented on June 16, 2024
If you are using Spring Session you need to expose the SpringSessionBackedSessionRegistry as described in the docs I linked. It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.
from spring-session.
seaswaraiyer
commented on June 16, 2024
Thanks Marcus. I posted this question on stack overflow but I didn't get much help.I hope you saw the link that I shared. The two projects in that link don't use the SpringSessionBackedSessionRegistry but the maxSessions feature still works in those projects. I'm guessing it's because those projects use a normal userid/password authentication and not oauth like me. Can you please confirm that my understanding is correct? If yes, I request you to please ask the spring security team to update the documentation link that I shared since this is not obvious.
On Tuesday, January 23, 2024 at 05:27:57 PM GMT+5:30, Marcus Hert Da Coregio ***@***.***> wrote:
If you are using Spring Session you need to expose the SpringSessionBackedSessionRegistry as described in the docs I linked. It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: ***@***.***>
from spring-session.
marcusdacoregio
commented on June 16, 2024
The two projects in that link don't use the SpringSessionBackedSessionRegistry but the maxSessions feature still works in those projects
That is because they are using in-memory session storage, there is no Spring Session involved. If you are saving user's authentication to the session, and you are using Spring Session, you must define a SpringSessionBackedSessionRegistry bean in order for it to work. Please, refer to https://docs.spring.io/spring-session/reference/spring-security.html#spring-security-concurrent-sessions
from spring-session.
seaswaraiyer
commented on June 16, 2024
Thanks for the explanation, Marcus. I would still say that the documentation is not clear and needs to be updated, but I'm not going to debate on this. You keep pointing me to the spring session link(https://docs.spring.io/spring-session/..) and that has a section that talks about the integration between spring session and spring security. I was using the link for spring security(https://docs.spring.io/spring-security/...) that has a section for configuring concurrent session control and that does not have any section for the integration with spring session. Nowhere does it say oauth requires spring-session in that link. Since you are actively working on the spring session project, it may all be very obvious to you. In any case, thanks for your help this. I really appreciate it.
from spring-session.
Related Issues (20)
- Possibility to apply the `SessionRepositoryFilter` conditionally. HOT 2
- Update to Spring Security 6.3.0-RC1
- Support for NATS JetStream Key/Value store as an alternative for Redis HOT 2
- Spring Session JDBC JSON format storing is not working HOT 9
- Migrate to com.gradle.develocity plugin
- Migrate to com.gradle.develocity plugin
- Migrate to com.gradle.develocity plugin
- Update reference site link HOT 1
- Update to Spring Security 6.3.0
- Spring Session Redis Index Key not deleted when session expired HOT 1
- Does spring-session support spring-authorization-server? HOT 1
- Migration of active sessions from one datasource to another HOT 3
- Spring Session returning default Spring Security User object instead of custom UserDetails object HOT 3
- Does Jedis support GCP Redis Memstore Cluster (Discovery Endpoint) HOT 1
- Spring Session returning default Spring Security User object instead of custom UserDetails object
- Spring Session returning default Spring Security User object instead of custom UserDetails object
- Spring Session Hazelcast should send value objects in serialized form to Hazelcast cluster
- Spring-Session does not allow the use of read replicas
- Upgrade to Spring Framework 6.2.0-M4
- EnableRedissonHttpSession Deprecated HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spring-session.