Class SessionManagementConfigurer.ConcurrencyControlConfigurer
java.lang.Object
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer.ConcurrencyControlConfigurer
- Enclosing class:
- SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
Allows configuring controlling of multiple sessions.
-
Method Summary
Modifier and TypeMethodDescriptionand()
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.expiredSessionStrategy
(SessionInformationExpiredStrategy expiredSessionStrategy) Determines the behaviour when an expired session is detected.expiredUrl
(String expiredUrl) The URL to redirect to if a user tries to access a resource and their session has been expired due to too many sessions for the current user.maximumSessions
(int maximumSessions) Controls the maximum number of sessions for a user.maxSessionsPreventsLogin
(boolean maxSessionsPreventsLogin) If true, prevents a user from authenticating when themaximumSessions(int)
has been reached.sessionRegistry
(SessionRegistry sessionRegistry) Controls theSessionRegistry
implementation used.
-
Method Details
-
maximumSessions
public SessionManagementConfigurer<H>.ConcurrencyControlConfigurer maximumSessions(int maximumSessions) Controls the maximum number of sessions for a user. The default is to allow any number of users.- Parameters:
maximumSessions
- the maximum number of sessions for a user- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurer
for further customizations
-
expiredUrl
The URL to redirect to if a user tries to access a resource and their session has been expired due to too many sessions for the current user. The default is to write a simple error message to the response.- Parameters:
expiredUrl
- the URL to redirect to- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurer
for further customizations
-
expiredSessionStrategy
public SessionManagementConfigurer<H>.ConcurrencyControlConfigurer expiredSessionStrategy(SessionInformationExpiredStrategy expiredSessionStrategy) Determines the behaviour when an expired session is detected.- Parameters:
expiredSessionStrategy
- theSessionInformationExpiredStrategy
to use when an expired session is detected.- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurer
for further customizations
-
maxSessionsPreventsLogin
public SessionManagementConfigurer<H>.ConcurrencyControlConfigurer maxSessionsPreventsLogin(boolean maxSessionsPreventsLogin) If true, prevents a user from authenticating when themaximumSessions(int)
has been reached. Otherwise (default), the user who authenticates is allowed access and an existing user's session is expired. The user's who's session is forcibly expired is sent toexpiredUrl(String)
. The advantage of this approach is if a user accidentally does not log out, there is no need for an administrator to intervene or wait till their session expires.- Parameters:
maxSessionsPreventsLogin
- true to have an error at time of authentication, else false (default)- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurer
for further customizations
-
sessionRegistry
public SessionManagementConfigurer<H>.ConcurrencyControlConfigurer sessionRegistry(SessionRegistry sessionRegistry) Controls theSessionRegistry
implementation used. The default isSessionRegistryImpl
which is an in memory implementation.- Parameters:
sessionRegistry
- theSessionRegistry
to use- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurer
for further customizations
-
and
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. UseSessionManagementConfigurer.sessionConcurrency(Customizer)
insteadUsed to chain back to theSessionManagementConfigurer
- Returns:
- the
SessionManagementConfigurer
for further customizations
-