Posted to user@shiro.apache.org by Richard Adams <ri...@researchspace.com> on 2013/06/18 18:33:40 UTC

preventing concurrent user logins from different browsers/devices

Hello,

  We have a new security requirement for our webapp to only allow a user
a single login session at a time. If the user logs in through another
browser or device, the original session should be closed.

  I've spent some time hunting for a recommended solution using Apache
Shiro 1.2, but most seem home-grown solutions using an application-wide
HashMap of User-Session mappings, checking for existing sessions on
each login. Is this really the best solution or is this too simplistic?

  In Spring Security, for example, there is an attribute called
'maxConcurrentUsers' or something like that where this can be
configured.

  It would be great if someone expert in Shiro could give a
recommended solution for this seemingly common use-case, at least as
far as integration with Shiro goes.

Many thanks,
  Richard


Richard Adams
richard@researchspace.com
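
Added example (not part of the original post, and not Shiro's own code): a sketch of the user-to-session map approach described in the question, with the swap done atomically and stale entries cleaned up. SingleSessionRegistry and its login() method are hypothetical names; it assumes Java 8+, Shiro's native session manager with this object registered among its sessionListeners, and a primary principal (such as a username string) that implements equals/hashCode.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListenerAdapter;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper: keeps at most one live Shiro session per principal. */
public class SingleSessionRegistry extends SessionListenerAdapter {

    // principal -> the one session currently allowed for that principal
    private final ConcurrentMap<Object, Session> active = new ConcurrentHashMap<>();

    /** Call from the login handler in place of a bare subject.login(token). */
    public void login(Subject subject, AuthenticationToken token) {
        subject.login(token);                    // throws AuthenticationException on failure
        Session current = subject.getSession();  // the session that now carries the login
        // put() swaps atomically, so two simultaneous logins cannot both survive
        Session previous = active.put(subject.getPrincipal(), current);
        if (previous != null && !previous.getId().equals(current.getId())) {
            try {
                previous.stop();                 // close the older browser/device session
            } catch (InvalidSessionException alreadyGone) {
                // the older session had already expired or been stopped
            }
        }
    }

    // Drop map entries when a session ends, so the map does not grow without bound.
    @Override
    public void onStop(Session session) {
        forget(session);
    }

    @Override
    public void onExpiration(Session session) {
        forget(session);
    }

    private void forget(Session session) {
        // Remove by session id only, so a newer session for the same user is kept.
        active.values().removeIf(s -> s.getId().equals(session.getId()));
    }
}
```

The map lives in one JVM, so behind a load balancer the mapping has to move to a store all nodes share. With servlet-container sessions the session listener callbacks are not invoked, so clean-up would need a different hook.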





Re: preventing concurrent user logins from different browsers/devices

Posted by Nagaraju Kurma <na...@enhancesys.com>.
Really, I am wondering about this too. There is no direct way to specify
the maximum sessions for a user like 'maxConcurrentUsers' in Spring, and
there is no direct way to specify locking a user after wrong login
attempts, like 'maxLoginAttempts'; we didn't even find it in the tutorials.

I keep facing a problem in using shiroFilter
(org.apache.shiro.spring.web.ShiroFilterFactoryBean),
because, as we know, the filters that are configured inside
this org.apache.shiro.spring.web.ShiroFilterFactoryBean using the property
'filters' will share the same loginUrl, successUrl,
unauthorizedUrl, etc.

But our built-in authc (FormAuthenticationFilter) is utilizing only the
loginUrl property, but the remaining properties...

I even checked the samples given by Apache Shiro and I changed the
paths of loginUrl, successUrl and unauthorizedUrl of shiroFilter; only
the loginUrl takes effect, but not the remaining properties.

My configuration is like this.

<bean id="shiroFilter"
      class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
  <property name="securityManager" ref="securityManager" />
  <property name="loginUrl" value="/main/user/performs/login" /> <!-- working -->
  <property name="successUrl"
            value="redirect:/main/welcome1?cat=customermanagement.searchcustomer" /> <!-- NO -->
  <property name="unauthorizedUrl" value="/main/user/performs/error" /> <!-- NO -->
  <property name="filters">
    <util:map>
      <entry key="logout">
        <bean class="org.apache.shiro.web.filter.authc.LogoutFilter">
          <property name="redirectUrl" value="/main/user/performs/login"></property>
        </bean>
      </entry>
      <entry key="authc">
        <bean class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter"></bean>
      </entry>
    </util:map>
  </property>
  <property name="filterChainDefinitions">
    <value>
      /main/user/performs/logout = logout
      /** = authc
    </value>
  </property>
</bean>

Only the loginUrl property is working, but not successUrl,
unauthorizedUrl... Please help me; if anybody can make this work
perfectly I will really appreciate it and love you.

Thanking you :)


On Tue, Jun 18, 2013 at 10:03 PM, Richard Adams
<ri...@researchspace.com> wrote:

> Hello,
>
>  We have a new security requirement for our webapp to only allow a user  a
> single login session at a time.
>  If the user logs in through another browser or device, the original
> session should be closed.
>
>  I've spent some time hunting for a recommended solution using Apache
> Shiro 1.2,   but most seem home-grown solutions using an application-wide
>  HashMap of User-Session mappings, checking for existing sessions on each
> login. Is this really the best solution or is this too simplistic?
>
>
>  In Spring Security, for example, there is an attribute called
> 'maxConcurrentUsers' or something like that where this can be configured.
>
>  It would be great if someone expert in Shiro could give a recommended
> solution for this seemingly  common use-case, at least as far as
> integration with
>  Shiro goes.
>
> Many thanks,
>  Richard
>
>
> Richard Adams
> richard@researchspace.com
>
>
>
>
>


-- 

Regards,

Nagaraju.