diff --git a/doc/docbook/acegi.xml b/doc/docbook/acegi.xml index e3c25b5571..0f41d7ab2a 100644 --- a/doc/docbook/acegi.xml +++ b/doc/docbook/acegi.xml @@ -26,7 +26,7 @@ Reference Documentation - 0.8.1 + 0.8.2 @@ -1475,6 +1475,69 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { bean context configuration shown above. + + Concurrent Session Support + + Acegi Security is able to stop the same principal authenticating + to the same web application multiple times concurrently. Put + differently, you can stop user "Batman" from logging into a web + application twice at the same time. + + To use concurrent session support, you'll need to add the + following to web.xml: + + <listener> + <listener-class>net.sf.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class> +</listener> + + The above code causes an ApplicationEvent to + be published to the Spring ApplicationContext every + time a HttpSession commences or terminates. This is + critical, as it allows the + ConcurrentSessionControllerImpl to be notified when + a session ends. Next up you'll need to wire the + ConcurrentSessionControllerImpl into your existing + ProviderManager: + + <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager"> + <property name="providers"> + <!-- your providers go here --> + </property> + <property name="sessionController"><ref bean="concurrentSessionController"/></property> +</bean> + +<bean id="concurrentSessionController" class="net.sf.acegisecurity.providers.ConcurrentSessionControllerImpl"> + <property name="maxSessions"><value>1</value></property> +</bean> + + Ensure you do not in-line the + ConcurrentSessionControllerImpl when declaring it + in your XML. This is important, as it appears that in-lined bean + declarations do not receive ApplicationEvents. + + The ConcurrentSessionControllerImpl relies + heavily on the + Authentication.getPrincipal().equals() method. If + you are using a custom Authentication object, + please keep this in mind. In order for the + ConcurrentSessionControllerImpl to release a given + HttpSession, and thus let the user log in to a new + HttpSession, the existing + HttpSession must be invalidated. For example, if + "Batman" logs into the web application, checks for crimes being + commited, and the just closes his browser with out "logging out", he + will not be able to log back in until his + HttpSession is timed out by the server (and a + corresponding ApplicationEvent is published via + HttpSessionEventPublisher to the + ConcurrentSessionControllerImpl). You would have to + look at your container's documentation to determine the default + timeout period. You can also configure the session timeout in your + web.xml:<session-config> + <session-timeout>30</session-timeout> +</session-config> + + JAAS Authentication @@ -2134,7 +2197,7 @@ public boolean supports(Class clazz); attribute that an AccessDecisionVoter will vote to grant access for. This latter (recommended) approach is usually achieved through a ROLE_USER or - ROLE_AUTHENTICATED configuration attribute. + ROLE_AUTHENTICATED configuration attribute.