8. Spring Security Integration
Spring Session provides integration with Spring Security.
Spring Session provides integration with Spring Security’s Remember-Me Authentication . The support will:
- Change the session expiration length
- Ensure the session cookie expires at
Integer.MAX_VALUE. The cookie expiration is set to the largest possible value because the cookie is only set when the session is created. If it were set to the same value as the session expiration, then the session would get renewed when the user used it but the cookie expiration would not be updated causing the expiration to be fixed.
To configure Spring Session with Spring Security in Java Configuration use the following as a guide:
@Override protected void configure(HttpSecurity http) throws Exception { http // ... additional configuration ... .rememberMe() .rememberMeServices(rememberMeServices()); } @Bean public SpringSessionRememberMeServices rememberMeServices() { SpringSessionRememberMeServices rememberMeServices = new SpringSessionRememberMeServices(); // optionally customize rememberMeServices.setAlwaysRemember(true); return rememberMeServices; }
An XML based configuration would look something like this:
<security:http> <!-- ... --> <security:form-login /> <security:remember-me services-ref="rememberMeServices"/> </security:http> <bean id="rememberMeServices" class="org.springframework.session.security.web.authentication.SpringSessionRememberMeServices" p:alwaysRemember="true"/>
Spring Session provides integration with Spring Security to support its concurrent session control. This allows limiting the number of active sessions that a single user can have concurrently, but unlike the default Spring Security support this will also work in a clustered environment. This is done by providing a custom implementation of Spring Security’s SessionRegistry interface.
When using Spring Security’s Java config DSL, you can configure the custom SessionRegistry through the SessionManagementConfigurer like this:
@Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired private FindByIndexNameSessionRepository<Session> sessionRepository; @Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http // other config goes here... .sessionManagement() .maximumSessions(2) .sessionRegistry(sessionRegistry()); // @formatter:on } @Bean SpringSessionBackedSessionRegistry sessionRegistry() { return new SpringSessionBackedSessionRegistry<>(this.sessionRepository); } }
This assumes that you’ve also configured Spring Session to provide a FindByIndexNameSessionRepository that returns Session instances.
When using XML configuration, it would look something like this:
<security:http> <!-- other config goes here... --> <security:session-management> <security:concurrency-control max-sessions="2" session-registry-ref="sessionRegistry"/> </security:session-management> </security:http> <bean id="sessionRegistry" class="org.springframework.session.security.SpringSessionBackedSessionRegistry"> <constructor-arg ref="sessionRepository"/> </bean>
This assumes that your Spring Session SessionRegistry bean is called sessionRegistry, which is the name used by all SpringHttpSessionConfiguration subclasses.
Spring Session’s implementation of Spring Security’s SessionRegistry interface does not support the getAllPrincipals method, as this information cannot be retrieved using Spring Session. This method is never called by Spring Security, so this only affects applications that access the SessionRegistry themselves.
