Demo of session management to limit the maximum number of sessions per user

Let's integrate session management in our Ch08_Security_Getting_Started application using different cases, which are discussed as follows.

In order to add session management to our application to handle only one session per user, let's update Ch08_Security_Getting_Started application step by step:

  1. Update the spring-security.xml file as shown here:
<security:http>
   <!-- authentication configuration -->
   <security:session-management
       invalid-session-url="/index.jsp">
      <security:concurrency-control
          max-sessions="1" error-if-maximum-exceeded="true" />
   </security:session-management>
</security:http>
  2. Now, run the application and try to access the CLICK HERE TO READ THE DATA link. Enter the credentials, for example, user1 and user2. You will be logged in successfully. Yes, we did the same thing earlier. What did we achieve?
  3. To find out what we achieved, let's open a new browser window and access the same link again. On the login page, enter the same username and password. What happened? Usually, you would get the page with CLICK THE LINKS TO READ THE data !!!!. However, this time, you got the same page. Why?
  4. Correct!! We allowed only a single session per user in the session management configuration. However, the user still has no idea what the reason is. It means that we still need to do some more work. To show the appropriate message to the user, add the following code in the login.jsp page:
<font color="red"> 
 <h4 align="center"> 
     ${SPRING_SECURITY_LAST_EXCEPTION.message} 
 </h4>  
</font> 
  5. Now, enter the same credentials once again. The login page now displays a message stating that only one session is allowed, as shown in the screenshot.
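
Concurrency control counts sessions through a session registry, and that registry learns that a session has ended only if Spring Security's HttpSessionEventPublisher is registered as a servlet listener; without it, and with error-if-maximum-exceeded="true", a user whose session was logged out or timed out can stay locked out. The fragment below is an added example, not code from the book: it shows that web.xml listener and, for comparison, the alternative policy in which a new login expires the older session. The /login.jsp?expired URL is an assumed placeholder.

```xml
<!-- web.xml: publish session-destroyed events to Spring Security so the
     session registry releases the user's slot on logout or timeout -->
<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- spring-security.xml, alternative policy (use instead of the block in step 1):
     error-if-maximum-exceeded="false" lets the new login succeed and marks the
     older session as expired; that session's next request is sent to expired-url.
     "/login.jsp?expired" is an assumed placeholder URL. -->
<security:http>
  <!-- authentication configuration -->
  <security:session-management invalid-session-url="/index.jsp">
    <security:concurrency-control
        max-sessions="1"
        error-if-maximum-exceeded="false"
        expired-url="/login.jsp?expired" />
  </security:session-management>
</security:http>
```

With error-if-maximum-exceeded="true", a session left open on another device blocks the legitimate user until it times out; with "false", the newest login always wins and the older session is terminated.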