Bug description: The bug is related to session management in the SecurityFilterChain. Setting max sessions in session management is ignored.

To Reproduce: No test cases written yet, but when a user signs in using multiple browsers, the constraint set for max sessions is ignored.

Expected behavior: The SecurityFilterChain should be able to manage sessions for each user and enforce the maximum constraint set for the number of sessions per user. If a user attempts to create a new session (login) after reaching the maximum constraint, the older or oldest session should be invalidated.

Sample: https://github.com/emmanuelU17/restful-session-authentication

Spring Security Concurrent session management not working. Setting Constraint on maximum session for session management

Comment From: jzheaux

Thank you, @emmanuelU17, and sorry that you are having trouble; let's see what we can figure out here.

Will you please reduce your sample to the minimum code necessary to reproduce the issue? This will help accelerate any needed fixes.

Initially, it looks like you have your own Spring MVC login endpoint, which means that Spring Security won't stand up its own login endpoint. This leaves you to call SessionAuthenticationStrategy mechanisms yourself, including the one that adds the session to the session registry. This is just a guess, which will become clearer as you are able to produce a minimal sample.
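
The wiring described above, as an added example that is not code from the issue or from the reporter's repository: a custom JSON login endpoint that runs the same SessionAuthenticationStrategy chain the built-in login filter would run (concurrent-session check, session-fixation protection, registration in the SessionRegistry), plus the ConcurrentSessionFilter that turns a session the registry has expired into a 401. The class names, the LoginRequest record and the CSRF setting are assumptions; the login path is the one from the reporter's test; a UserDetailsService and PasswordEncoder are assumed to exist elsewhere, as in the reporter's project.

```java
import java.util.List;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Assumes a UserDetailsService and PasswordEncoder bean exist elsewhere, as in the reporter's project.
@Configuration
class SessionSecurityConfig {
    @Bean
    SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); }

    // Tells the registry when the container destroys a session, so logged-out or timed-out sessions stop counting
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() { return new HttpSessionEventPublisher(); }

    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }

    // The same three steps the built-in login filter runs, in the same order: count the user's sessions,
    // rotate the session id (fixation protection), then register the final id in the registry
    @Bean
    SessionAuthenticationStrategy sessionAuthenticationStrategy(SessionRegistry registry) {
        var control = new ConcurrentSessionControlAuthenticationStrategy(registry);
        control.setMaximumSessions(1);
        // false: expire the oldest existing session rather than rejecting the new login with an exception
        control.setExceptionIfMaximumExceeded(false);
        return new CompositeSessionAuthenticationStrategy(List.of(
                control, new ChangeSessionIdAuthenticationStrategy(), new RegisterSessionAuthenticationStrategy(registry)));
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http
            // Assumption: JSON API with no browser form posts; keep CSRF enabled if that is not the case
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/v1/auth/login").permitAll()
                .anyRequest().authenticated())
            // A request on a session the registry has marked expired is logged out, invalidated and answered with 401
            .addFilter(new ConcurrentSessionFilter(registry,
                event -> event.getResponse().setStatus(HttpServletResponse.SC_UNAUTHORIZED)));
        return http.build();
    }
}

@RestController
class LoginController {
    record LoginRequest(String email, String password) { }

    private final AuthenticationManager authenticationManager;
    private final SessionAuthenticationStrategy sessionAuthenticationStrategy;
    private final SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();

    LoginController(AuthenticationManager authenticationManager, SessionAuthenticationStrategy strategy) {
        this.authenticationManager = authenticationManager;
        this.sessionAuthenticationStrategy = strategy;
    }

    @PostMapping("/api/v1/auth/login")
    ResponseEntity<Void> login(@RequestBody LoginRequest body, HttpServletRequest request, HttpServletResponse response) {
        Authentication authentication = authenticationManager.authenticate(
                UsernamePasswordAuthenticationToken.unauthenticated(body.email(), body.password()));
        // The step the built-in filter does for you and a custom endpoint must do itself: without it the
        // registry never learns about the session, so the maximum-sessions rule has nothing to count
        sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authentication);
        SecurityContextHolder.setContext(context);
        securityContextRepository.saveContext(context, request, response);
        return ResponseEntity.ok().build();
    }
}
```

Two things to check when adopting this. SessionRegistryImpl keys its bookkeeping on the principal object, so a custom UserDetails class must implement equals() and hashCode() on the username, or every login looks like a different user and the limit never triggers. And the expired-session handler above only sets the status; the JSON body a client sees on the expired session comes from whatever SessionInformationExpiredStrategy you plug in, not from the AuthenticationEntryPoint.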

Comment From: iTchTheRightSpot

Sorry @jzheaux, it is still not clear to me. Because I have my own MVC endpoint, I need to create my own SessionAuthenticationStrategy? I looked into the interface and got a brief gist of what it does. I wrote an integration test to reproduce the issue:

```java
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import jakarta.servlet.http.Cookie;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

@SpringBootTest
@AutoConfigureMockMvc
class ConcurrentSessionTest {

    @Autowired
    private MockMvc mockMvc;

    // Email of an existing admin user; the value here is a placeholder for the field the test class already has
    private final String adminEmail = "admin@example.com";

    /**
     * This test simulates a user logging in from two separate browsers. The expected behaviour is that
     * requests made from browser 1 should return a 401 because concurrent session management is set to a max of 1,
     * but this test case fails because concurrent session management is not taking effect in the filter chain.
     */
    @Test
    void test_max_session_for_multiple_login_request() throws Exception {
        // EmployeeDTO and convertToJSON() come from the project under test
        var employeeDTO = new EmployeeDTO();
        employeeDTO.setEmail(adminEmail);
        employeeDTO.setPassword("password");

        // Simulate login from browser 1
        MvcResult firstLogin = this.mockMvc
                .perform(post("/api/v1/auth/login")
                        .contentType(MediaType.APPLICATION_JSON)
                        .content(employeeDTO.convertToJSON().toString())
                )
                .andExpect(status().isOk())
                .andReturn();

        // Use a JUnit assertion: a plain Java `assert` is a no-op unless the JVM runs with -ea
        Cookie cookie1 = firstLogin.getResponse().getCookie("JSESSIONID");
        assertNotNull(cookie1);

        // Browser 1's session is valid while it is the only one
        this.mockMvc
                .perform(get("/api/v1/auth/authenticated")
                        .cookie(cookie1)
                )
                .andExpect(status().isOk())
                .andExpect(content().string("Admin name is " + adminEmail));

        // Simulate login from browser 2
        this.mockMvc
                .perform(post("/api/v1/auth/login")
                        .contentType(MediaType.APPLICATION_JSON)
                        .content(employeeDTO.convertToJSON().toString())
                )
                .andExpect(status().isOk());

        // With a maximum of 1 session, the older session (browser 1) should now be expired
        this.mockMvc
                .perform(get("/api/v1/auth/authenticated")
                        .cookie(cookie1)
                )
                .andExpect(status().isUnauthorized())
                .andExpect(jsonPath("$.message")
                        .value("Full authentication is required to access this resource")
                )
                .andExpect(jsonPath("$.httpStatus").value("UNAUTHORIZED"));
    }
}
```

Comment From: iTchTheRightSpot

Got the issue solved

Comment From: Ingcamilo890604

> Got the issue solved

how did you solve it?

Comment From: iTchTheRightSpot

> Got the issue solved
>
> how did you solve it?

Look in AuthService in my repo: https://github.com/emmanuelU17/session-authentication