diff --git a/doc/docbook/acegi.xml b/doc/docbook/acegi.xml
index e3c25b5571..0f41d7ab2a 100644
--- a/doc/docbook/acegi.xml
+++ b/doc/docbook/acegi.xml
@@ -26,7 +26,7 @@
Reference Documentation
- 0.8.1
+ 0.8.2
@@ -1475,6 +1475,69 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
bean context configuration shown above.
+
+ Concurrent Session Support
+
+ Acegi Security is able to stop the same principal authenticating
+ to the same web application multiple times concurrently. Put
+ differently, you can stop user "Batman" from logging into a web
+ application twice at the same time.
+
+ To use concurrent session support, you'll need to add the
+ following to web.xml:
+
+ <listener>
+ <listener-class>net.sf.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
+</listener>
+
+ The above code causes an ApplicationEvent to
+ be published to the Spring ApplicationContext every
+ time a HttpSession commences or terminates. This is
+ critical, as it allows the
+ ConcurrentSessionControllerImpl to be notified when
+ a session ends. Next up you'll need to wire the
+ ConcurrentSessionControllerImpl into your existing
+ ProviderManager:
+
+ <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
+ <property name="providers">
+ <!-- your providers go here -->
+ </property>
+ <property name="sessionController"><ref bean="concurrentSessionController"/></property>
+</bean>
+
+<bean id="concurrentSessionController" class="net.sf.acegisecurity.providers.ConcurrentSessionControllerImpl">
+ <property name="maxSessions"><value>1</value></property>
+</bean>
+
+ Ensure you do not in-line the
+ ConcurrentSessionControllerImpl when declaring it
+ in your XML. This is important, as it appears that in-lined bean
+ declarations do not receive ApplicationEvents.
+
+ The ConcurrentSessionControllerImpl relies
+ heavily on the
+ Authentication.getPrincipal().equals() method. If
+ you are using a custom Authentication object,
+ please keep this in mind. In order for the
+ ConcurrentSessionControllerImpl to release a given
+ HttpSession, and thus let the user log in to a new
+ HttpSession, the existing
+ HttpSession must be invalidated. For example, if
+ "Batman" logs into the web application, checks for crimes being
+ commited, and the just closes his browser with out "logging out", he
+ will not be able to log back in until his
+ HttpSession is timed out by the server (and a
+ corresponding ApplicationEvent is published via
+ HttpSessionEventPublisher to the
+ ConcurrentSessionControllerImpl). You would have to
+ look at your container's documentation to determine the default
+ timeout period. You can also configure the session timeout in your
+ web.xml:<session-config>
+ <session-timeout>30</session-timeout>
+</session-config>
+
+
JAAS Authentication
@@ -2134,7 +2197,7 @@ public boolean supports(Class clazz);
attribute that an AccessDecisionVoter will vote to
grant access for. This latter (recommended) approach is usually
achieved through a ROLE_USER or
- ROLE_AUTHENTICATED configuration attribute.
+ ROLE_AUTHENTICATED configuration attribute.