When I am using WebFlux, how can I achieve a similar effect (get all logged-in user sessions), like: http.sessionManagement().maximumSessions(1).sessionRegistry(getSessionRegistry()).maxSessionsPreventsLogin(false)

Comment From: rwinch

We do not currently support max sessions in WebFlux. I converted this issue into a ticket for that support

Comment From: ankurpathak

Can I give it a try??

Comment From: rwinch

@ankurpathak Sure! The ticket is yours

Comment From: ankurpathak

@rwinch I would like to discuss this ticket progressively. Here is a top-level flow I am thinking of using:

import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

// Sketch of the changed parts of AuthenticationWebFilter; the other fields and methods
// (authenticationManager, authenticationFailureHandler, onAuthenticationSuccess) are the existing ones.
class AuthenticationWebFilter {

    private ServerSessionAuthenticationStrategy sessionAuthenticationStrategy =
            new NoOpServerSessionAuthenticationStrategy();

    private Mono<Void> authenticate(ServerWebExchange exchange, WebFilterChain chain, Authentication token) {
        WebFilterExchange webFilterExchange = new WebFilterExchange(exchange, chain);
        return this.authenticationManager.authenticate(token)
            .switchIfEmpty(Mono.defer(() -> Mono.error(
                    new IllegalStateException("No provider found for " + token.getClass()))))
            // after a successful authentication, let the strategy check the session count
            .flatMap(authentication -> this.sessionAuthenticationStrategy
                    .onAuthentication(authentication, webFilterExchange.getExchange())
                    .then(Mono.just(authentication)))
            .flatMap(authentication -> onAuthenticationSuccess(authentication, webFilterExchange))
            // SessionAuthenticationException is an AuthenticationException, so it ends up here too
            .onErrorResume(AuthenticationException.class, e -> this.authenticationFailureHandler
                    .onAuthenticationFailure(webFilterExchange, e));
    }
}

public interface ServerSessionAuthenticationStrategy {
    Mono<Void> onAuthentication(Authentication authentication, ServerWebExchange exchange);
}

// default: no session handling at all
public class NoOpServerSessionAuthenticationStrategy implements ServerSessionAuthenticationStrategy {
    @Override
    public Mono<Void> onAuthentication(Authentication authentication, ServerWebExchange exchange) {
        return Mono.empty();
    }
}

// placeholder: always rejects until the real session-count check is written
public class ConcurrentServerSessionAuthenticationStrategy implements ServerSessionAuthenticationStrategy {
    @Override
    public Mono<Void> onAuthentication(Authentication authentication, ServerWebExchange exchange) {
        return Mono.error(new SessionAuthenticationException("Error"));
    }
}
  1. AuthenticationWebFilter will have an instance of ServerSessionAuthenticationStrategy
  2. After authentication, check the session count by delegating to ServerSessionAuthenticationStrategy
  3. Two implementations of ServerSessionAuthenticationStrategy: NoOp and Concurrent
  4. Support for adding a ServerSessionAuthenticationStrategy to all AuthenticationWebFilter instances in ServerHttpSecurity

Comment From: ankurpathak

@rwinch What is the equivalent of SessionRegistry in the reactive world? I think we would need a ReactiveSessionRegistry for this issue, as using SessionRegistry may be non-blocking for the in-memory implementation but may be blocking for the SessionRegistry implementations for Redis, Mongo and JDBC in Spring Session. What do you think?

Comment From: rwinch

We don't currently have an equivalent. Note: I'd try and reimagine the API a bit rather than copy it directly. See exactly what is needed by Spring Security and limit it to that.

Comment From: issilin

@rwinch Is this ticket alive? Can I try to solve this?

Comment From: mukeshkamboj

@rwinch Do we have any solution?

Comment From: ankurpathak

@mukeshkamboj @rwinch I am not working on this.

Comment From: issilin

@rwinch Still relevant? May I suggest a solution?

Comment From: Johannes-Rost

Is this ticket still considered relevant? The ability to control the number of parallel sessions is often requested in reviews as a security function.

Comment From: rishisc

Is there any workaround for it in WebFlux using ReactiveRedisSessionRepository?

Comment From: Danushka96

Any progress on this issue?

Comment From: SuveenVundavalli

Hi, any progress or suggestions on this?

Comment From: yangdq1

Hi, any progress or suggestions on this issue?

Comment From: maradanasai

Hi, any progress or suggestions on this?

Comment From: RajeevKumarMarrapu

Hi, any progress or suggestions on this?

Comment From: dgallego58

This seems to be a long way off. Since the Spring Security team is focused on the authorization server and OAuth2 patterns, I don't see this feature coming soon.

Comment From: JonnyDeates

Any Progress on this?

Comment From: marcusdacoregio

Hi everyone, there has been no progress yet on this. Please give a thumbs up to the root comment if you would like to see this feature in Spring Security; this helps us prioritize issues.

If anyone is interested in working on this feature, you are welcome.

Comment From: marcusdacoregio

For those waiting for this, the initial support is available in Spring Security 6.3.0-M1, please give it a try and, if possible, report any issues/enhancements. The docs are available at https://docs.spring.io/spring-security/reference/6.3/reactive/authentication/concurrent-sessions-control.html
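As an added example, not code from this thread or from Spring Security itself: the maxSessionsPreventsLogin(false) behaviour asked for in the opening question, written against the 6.3 API linked above, which is also the shape the strategy-after-authentication idea sketched earlier in the thread ended up taking. The new login is kept and the least recently used sessions of the same principal are invalidated until the limit holds. It assumes that MaximumSessionsContext.getSessions() lists the sessions already registered for the principal and not the one being created (hence the +1); the class and bean names are my own.

```java
import java.util.Comparator;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.session.InMemoryReactiveSessionRegistry;
import org.springframework.security.core.session.ReactiveSessionInformation;
import org.springframework.security.core.session.ReactiveSessionRegistry;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.MaximumSessionsContext;
import org.springframework.security.web.server.authentication.ServerMaximumSessionsExceededHandler;
import org.springframework.security.web.server.authentication.SessionLimit;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

@Configuration
public class OldestSessionLosesConfig {
    // Reactive counterpart of maxSessionsPreventsLogin(false): the new login is kept and the
    // least recently used sessions of the same principal are invalidated until the limit holds.
    static final class InvalidateOldestSessionsHandler implements ServerMaximumSessionsExceededHandler {
        @Override
        public Mono<Void> handle(MaximumSessionsContext context) {
            List<ReactiveSessionInformation> oldestFirst = context.getSessions().stream()
                    .sorted(Comparator.comparing(ReactiveSessionInformation::getLastAccessTime))
                    .toList();
            // Assumption: getSessions() holds the sessions already registered for this principal,
            // not the one being created, so one more than the overflow has to go.
            int toInvalidate = Math.max(0, oldestFirst.size() - context.getMaximumSessionsAllowed() + 1);
            return Flux.fromIterable(oldestFirst.subList(0, toInvalidate))
                    .flatMap(ReactiveSessionInformation::invalidate)
                    .then();
        }
    }

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .sessionManagement(sessions -> sessions.concurrentSessions(concurrency -> concurrency
                    .maximumSessions(SessionLimit.of(1))
                    .maximumSessionsExceededHandler(new InvalidateOldestSessionsHandler())));
        return http.build();
    }

    // Registry in which the concurrent-sessions support tracks sessions per principal.
    @Bean
    ReactiveSessionRegistry reactiveSessionRegistry() {
        return new InMemoryReactiveSessionRegistry();
    }
}
```

Spring Security 6.3 ships a handler with this policy, InvalidateLeastUsedServerMaximumSessionsExceededHandler, which is used when no handler is configured; the class above shows what such a handler has to do, and swapping in PreventLoginServerMaximumSessionsExceededHandler gives the maxSessionsPreventsLogin(true) behaviour instead.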

Comment From: jsantana3c

The example does not seem to be working on 3.3.0-RC1 (I'm using OAuthLogin).

this is my config:

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.session.InMemoryReactiveSessionRegistry;
import org.springframework.security.core.session.ReactiveSessionRegistry;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.PreventLoginServerMaximumSessionsExceededHandler;
import org.springframework.security.web.server.authentication.SessionLimit;

@Configuration
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange(authorizeRequests -> authorizeRequests
                .anyExchange()
                .authenticated()
            )
            // at most one session per user; a second login is rejected rather than
            // invalidating the first one
            .sessionManagement(sessions -> sessions
                .concurrentSessions(concurrency -> concurrency
                    .maximumSessions(SessionLimit.of(1))
                    .maximumSessionsExceededHandler(new PreventLoginServerMaximumSessionsExceededHandler())
                )
            )
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .oauth2Login(withDefaults())
            .logout(logout -> logout
                // oidcLogoutSuccessHandler() is defined elsewhere in this configuration
                .logoutSuccessHandler(oidcLogoutSuccessHandler())
            )
            .oauth2Client(withDefaults());

        return http.build();
    }

    // registry the concurrent-sessions support uses to track sessions per principal
    @Bean
    ReactiveSessionRegistry reactiveSessionRegistry() {
        return new InMemoryReactiveSessionRegistry();
    }
}

Comment From: marcusdacoregio

Hi @jsantana3c, can you provide a minimal, reproducible sample?

Comment From: jsantana3c

Here you go, I created both the authorization server and the gateway:

https://github.com/joaquinjsb/security-oauth-example