• Home
• org.springframework.security
• spring-security-web
• 6.3.0
• source code
• ConcurrentSessionControlServerAuthenticationSuccessHandler.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.springframework.security.web.server.authentication.ConcurrentSessionControlServerAuthenticationSuccessHandler Maven / Gradle / Ivy

/*
 * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.web.server.authentication;

import java.util.List;

import reactor.core.publisher.Mono;
import reactor.util.function.Tuples;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.ReactiveSessionInformation;
import org.springframework.security.core.session.ReactiveSessionRegistry;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.util.Assert;
import org.springframework.web.server.WebSession;

/**
 * Controls the number of sessions a user can have concurrently authenticated in an
 * application. It also allows for customizing behaviour when an authentication attempt is
 * made while the user already has the maximum number of sessions open. By default, it
 * allows a maximum of 1 session per user, if the maximum is exceeded, the user's least
 * recently used session(s) will be expired.
 *
 * @author Marcus da Coregio
 * @since 6.3
 * @see ServerMaximumSessionsExceededHandler
 * @see RegisterSessionServerAuthenticationSuccessHandler
 */
public final class ConcurrentSessionControlServerAuthenticationSuccessHandler
		implements ServerAuthenticationSuccessHandler {

	private final ReactiveSessionRegistry sessionRegistry;

	private final ServerMaximumSessionsExceededHandler maximumSessionsExceededHandler;

	private SessionLimit sessionLimit = SessionLimit.of(1);

	public ConcurrentSessionControlServerAuthenticationSuccessHandler(ReactiveSessionRegistry sessionRegistry,
			ServerMaximumSessionsExceededHandler maximumSessionsExceededHandler) {
		Assert.notNull(sessionRegistry, "sessionRegistry cannot be null");
		Assert.notNull(maximumSessionsExceededHandler, "maximumSessionsExceededHandler cannot be null");
		this.sessionRegistry = sessionRegistry;
		this.maximumSessionsExceededHandler = maximumSessionsExceededHandler;
	}

	@Override
	public Mono onAuthenticationSuccess(WebFilterExchange exchange, Authentication authentication) {
		return this.sessionLimit.apply(authentication)
			.flatMap((maxSessions) -> handleConcurrency(exchange, authentication, maxSessions));
	}

	private Mono handleConcurrency(WebFilterExchange exchange, Authentication authentication,
			Integer maximumSessions) {
		return this.sessionRegistry.getAllSessions(authentication.getPrincipal())
			.collectList()
			.flatMap((registeredSessions) -> exchange.getExchange()
				.getSession()
				.map((currentSession) -> Tuples.of(currentSession, registeredSessions)))
			.flatMap((sessionTuple) -> {
				WebSession currentSession = sessionTuple.getT1();
				List registeredSessions = sessionTuple.getT2();
				int registeredSessionsCount = registeredSessions.size();
				if (registeredSessionsCount < maximumSessions) {
					return Mono.empty();
				}
				if (registeredSessionsCount == maximumSessions) {
					for (ReactiveSessionInformation registeredSession : registeredSessions) {
						if (registeredSession.getSessionId().equals(currentSession.getId())) {
							return Mono.empty();
						}
					}
				}
				return this.maximumSessionsExceededHandler.handle(new MaximumSessionsContext(authentication,
						registeredSessions, maximumSessions, currentSession));
			});
	}

	/**
	 * Sets the strategy used to resolve the maximum number of sessions that are allowed
	 * for a specific {@link Authentication}. By default, it returns {@code 1} for any
	 * authentication.
	 * @param sessionLimit the {@link SessionLimit} to use
	 */
	public void setSessionLimit(SessionLimit sessionLimit) {
		Assert.notNull(sessionLimit, "sessionLimit cannot be null");
		this.sessionLimit = sessionLimit;
	}

}