Add Max Sessions by Authentication

Closes gh-16206

Author: ClaudenirFreitas

config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java

@@ -59,7 +59,7 @@
 import org.springframework.security.web.session.ForceEagerSessionCreationFilter;
 import org.springframework.security.web.session.InvalidSessionStrategy;
 import org.springframework.security.web.session.SessionInformationExpiredStrategy;
-import org.springframework.security.web.session.SessionLimitStrategy;
+import org.springframework.security.web.session.SessionLimit;
 import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
 import org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy;
@@ -124,7 +124,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private SessionRegistry sessionRegistry;
 
-	private SessionLimitStrategy sessionLimit;
+	private SessionLimit sessionLimit;
 
 	private String expiredUrl;
 
@@ -330,7 +330,7 @@ public SessionManagementConfigurer<H> sessionFixation(
 	 * @return the {@link SessionManagementConfigurer} for further customizations
 	 */
 	public ConcurrencyControlConfigurer maximumSessions(int maximumSessions) {
-		this.sessionLimit = SessionLimitStrategy.of(maximumSessions);
+		this.sessionLimit = SessionLimit.of(maximumSessions);
 		this.propertiesThatRequireImplicitAuthentication.add("maximumSessions = " + maximumSessions);
 		return new ConcurrencyControlConfigurer();
 	}
@@ -707,18 +707,19 @@ private ConcurrencyControlConfigurer() {
 		 * @return the {@link ConcurrencyControlConfigurer} for further customizations
 		 */
 		public ConcurrencyControlConfigurer maximumSessions(int maximumSessions) {
-			SessionManagementConfigurer.this.sessionLimit = SessionLimitStrategy.of(maximumSessions);
+			SessionManagementConfigurer.this.sessionLimit = SessionLimit.of(maximumSessions);
 			return this;
 		}
 
 		/**
 		 * Determines the behaviour when a session limit is detected.
-		 * @param sessionLimitStrategy the {@link SessionLimitStrategy} to check the
-		 * maximum number of sessions for a user
+		 * @param sessionLimit the {@link SessionLimit} to check the maximum number of
+		 * sessions for a user
 		 * @return the {@link ConcurrencyControlConfigurer} for further customizations
+		 * @since 6.5
 		 */
-		public ConcurrencyControlConfigurer maximumSessions(SessionLimitStrategy sessionLimitStrategy) {
-			SessionManagementConfigurer.this.sessionLimit = sessionLimitStrategy;
+		public ConcurrencyControlConfigurer maximumSessions(SessionLimit sessionLimit) {
+			SessionManagementConfigurer.this.sessionLimit = sessionLimit;
 			return this;
 		}
 

config/src/main/resources/org/springframework/security/config/spring-security-6.5.rnc

@@ -935,7 +935,7 @@ concurrency-control.attlist &=
 	## The maximum number of sessions a single authenticated user can have open at the same time. Defaults to "1". A negative value denotes unlimited sessions.
 	attribute max-sessions {xsd:token}?
 concurrency-control.attlist &=
-	## Allows injection of the SessionLimitStrategy instance used by the ConcurrentSessionControlAuthenticationStrategy
+	## Allows injection of the SessionLimit instance used by the ConcurrentSessionControlAuthenticationStrategy
 	attribute max-sessions-ref {xsd:token}?
 concurrency-control.attlist &=
 	## The URL a user will be redirected to if they attempt to use a session which has been "expired" because they have logged in again.

config/src/main/resources/org/springframework/security/config/spring-security-6.5.xsd

@@ -2690,7 +2690,7 @@
       </xs:attribute>
       <xs:attribute name="max-sessions-ref" type="xs:token">
          <xs:annotation>
-            <xs:documentation>Allows injection of the SessionLimitStrategy instance used by the
+            <xs:documentation>Allows injection of the SessionLimit instance used by the
                 ConcurrentSessionControlAuthenticationStrategy
                 </xs:documentation>
          </xs:annotation>

config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java

@@ -64,7 +64,7 @@
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.session.ConcurrentSessionFilter;
 import org.springframework.security.web.session.HttpSessionDestroyedEvent;
-import org.springframework.security.web.session.SessionLimitStrategy;
+import org.springframework.security.web.session.SessionLimit;
 import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
@@ -251,8 +251,8 @@ public void loginWhenUserLoggedInAndMaxSessionsOneInLambdaThenLoginPrevented() t
 	}
 
 	@Test
-	public void loginWhenAdminUserLoggedInAndSessionLimitStrategyIsConfiguredThenLoginSuccessfully() throws Exception {
-		this.spring.register(ConcurrencyControlWithSessionLimitStrategyConfig.class).autowire();
+	public void loginWhenAdminUserLoggedInAndSessionLimitIsConfiguredThenLoginSuccessfully() throws Exception {
+		this.spring.register(ConcurrencyControlWithSessionLimitConfig.class).autowire();
 		// @formatter:off
 		MockHttpServletRequestBuilder requestBuilder = post("/login")
 				.with(csrf())
@@ -277,8 +277,8 @@ public void loginWhenAdminUserLoggedInAndSessionLimitStrategyIsConfiguredThenLog
 	}
 
 	@Test
-	public void loginWhenAdminUserLoggedInAndSessionLimitStrategyIsConfiguredThenLoginPrevented() throws Exception {
-		this.spring.register(ConcurrencyControlWithSessionLimitStrategyConfig.class).autowire();
+	public void loginWhenAdminUserLoggedInAndSessionLimitIsConfiguredThenLoginPrevented() throws Exception {
+		this.spring.register(ConcurrencyControlWithSessionLimitConfig.class).autowire();
 		// @formatter:off
 		MockHttpServletRequestBuilder requestBuilder = post("/login")
 				.with(csrf())
@@ -306,8 +306,8 @@ public void loginWhenAdminUserLoggedInAndSessionLimitStrategyIsConfiguredThenLog
 	}
 
 	@Test
-	public void loginWhenUserLoggedInAndSessionLimitStrategyIsConfiguredThenLoginPrevented() throws Exception {
-		this.spring.register(ConcurrencyControlWithSessionLimitStrategyConfig.class).autowire();
+	public void loginWhenUserLoggedInAndSessionLimitIsConfiguredThenLoginPrevented() throws Exception {
+		this.spring.register(ConcurrencyControlWithSessionLimitConfig.class).autowire();
 		// @formatter:off
 		MockHttpServletRequestBuilder requestBuilder = post("/login")
 				.with(csrf())
@@ -704,16 +704,16 @@ UserDetailsService userDetailsService() {
 
 	@Configuration
 	@EnableWebSecurity
-	static class ConcurrencyControlWithSessionLimitStrategyConfig {
+	static class ConcurrencyControlWithSessionLimitConfig {
 
 		@Bean
-		SecurityFilterChain filterChain(HttpSecurity http, SessionLimitStrategy sessionLimitStrategy) throws Exception {
+		SecurityFilterChain filterChain(HttpSecurity http, SessionLimit sessionLimit) throws Exception {
 			// @formatter:off
 			http
 					.formLogin(withDefaults())
 					.sessionManagement((sessionManagement) -> sessionManagement
 									.sessionConcurrency((sessionConcurrency) -> sessionConcurrency
-													.maximumSessions(sessionLimitStrategy)
+													.maximumSessions(sessionLimit)
 													.maxSessionsPreventsLogin(true)
 									)
 					);
@@ -727,7 +727,7 @@ UserDetailsService userDetailsService() {
 		}
 
 		@Bean
-		SessionLimitStrategy sessionLimitStrategy() {
+		SessionLimit SessionLimit() {
 			return (authentication) -> {
 				if ("admin".equals(authentication.getName())) {
 					return 2;

config/src/test/java/org/springframework/security/config/http/HttpHeadersConfigTests.java

@@ -35,7 +35,7 @@
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.web.session.SessionLimitStrategy;
+import org.springframework.security.web.session.SessionLimit;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultMatcher;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
@@ -955,7 +955,7 @@ public String ok() {
 
 	}
 
-	public static class CustomSessionLimit implements SessionLimitStrategy {
+	public static class CustomSessionLimit implements SessionLimit {
 
 		@Override
 		public Integer apply(Authentication authentication) {

docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc

@@ -2170,7 +2170,7 @@ Specify `-1` as the value to support unlimited sessions.
 
 [[nsa-concurrency-control-max-sessions-ref]]
 * **max-sessions-ref**
-Allows injection of the SessionLimitStrategy instance used by the ConcurrentSessionControlAuthenticationStrategy
+Allows injection of the SessionLimit instance used by the ConcurrentSessionControlAuthenticationStrategy
 
 [[nsa-concurrency-control-session-registry-alias]]
 * **session-registry-alias**

web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategy.java

@@ -33,7 +33,7 @@
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.session.ConcurrentSessionFilter;
-import org.springframework.security.web.session.SessionLimitStrategy;
+import org.springframework.security.web.session.SessionLimit;
 import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.util.Assert;
 
@@ -77,7 +77,7 @@ public class ConcurrentSessionControlAuthenticationStrategy
 
 	private boolean exceptionIfMaximumExceeded = false;
 
-	private SessionLimitStrategy sessionLimitStrategy = SessionLimitStrategy.of(1);
+	private SessionLimit sessionLimit = SessionLimit.of(1);
 
 	/**
 	 * @param sessionRegistry the session registry which should be updated when the
@@ -131,7 +131,7 @@ public void onAuthentication(Authentication authentication, HttpServletRequest r
 	 * @return either -1 meaning unlimited, or a positive integer to limit (never zero)
 	 */
 	protected int getMaximumSessionsForThisUser(Authentication authentication) {
-		return this.sessionLimitStrategy.apply(authentication);
+		return this.sessionLimit.apply(authentication);
 	}
 
 	/**
@@ -173,24 +173,24 @@ public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) {
 	}
 
 	/**
-	 * Sets the <tt>sessionLimitStrategy</tt> property. The default value is 1. Use -1 for
+	 * Sets the <tt>sessionLimit</tt> property. The default value is 1. Use -1 for
 	 * unlimited sessions.
 	 * @param maximumSessions the maximum number of permitted sessions a user can have
 	 * open simultaneously.
 	 */
 	public void setMaximumSessions(int maximumSessions) {
-		this.sessionLimitStrategy = SessionLimitStrategy.of(maximumSessions);
+		this.sessionLimit = SessionLimit.of(maximumSessions);
 	}
 
 	/**
-	 * Sets the <tt>sessionLimitStrategy</tt> property. The default value is 1. Use -1 for
+	 * Sets the <tt>sessionLimit</tt> property. The default value is 1. Use -1 for
 	 * unlimited sessions.
-	 * @param sessionLimitStrategy the session limit strategy
+	 * @param sessionLimit the session limit strategy
 	 * @since 6.5
 	 */
-	public void setMaximumSessions(SessionLimitStrategy sessionLimitStrategy) {
-		Assert.notNull(sessionLimitStrategy, "sessionLimitStrategy cannot be null");
-		this.sessionLimitStrategy = sessionLimitStrategy;
+	public void setMaximumSessions(SessionLimit sessionLimit) {
+		Assert.notNull(sessionLimit, "sessionLimit cannot be null");
+		this.sessionLimit = sessionLimit;
 	}
 
 	/**

web/src/main/java/org/springframework/security/web/session/SessionLimitStrategy.java renamed to web/src/main/java/org/springframework/security/web/session/SessionLimit.java

@@ -28,20 +28,19 @@
  * @author Claudenir Freitas
  * @since 6.5
  */
-public interface SessionLimitStrategy extends Function<Authentication, Integer> {
+public interface SessionLimit extends Function<Authentication, Integer> {
 
 	/**
 	 * Represents unlimited sessions.
 	 */
-	SessionLimitStrategy UNLIMITED = (authentication) -> -1;
+	SessionLimit UNLIMITED = (authentication) -> -1;
 
 	/**
-	 * Creates a {@link SessionLimitStrategy} that always returns the given value for any
-	 * user
+	 * Creates a {@link SessionLimit} that always returns the given value for any user
 	 * @param maxSessions the maximum number of sessions allowed
-	 * @return a {@link SessionLimitStrategy} instance that returns the given value.
+	 * @return a {@link SessionLimit} instance that returns the given value.
 	 */
-	static SessionLimitStrategy of(int maxSessions) {
+	static SessionLimit of(int maxSessions) {
 		Assert.isTrue(maxSessions != 0,
 				"MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");
 		return (authentication) -> maxSessions;

web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategyTests.java

@@ -34,7 +34,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.security.core.session.SessionRegistry;
-import org.springframework.security.web.session.SessionLimitStrategy;
+import org.springframework.security.web.session.SessionLimit;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -151,69 +151,69 @@ public void onAuthenticationWhenMaxSessionsExceededByTwoThenTwoSessionsExpired()
 	public void setMaximumSessionsWithNullValue() {
 		assertThatExceptionOfType(IllegalArgumentException.class)
 			.isThrownBy(() -> this.strategy.setMaximumSessions(null))
-			.withMessage("sessionLimitStrategy cannot be null");
+			.withMessage("sessionLimit cannot be null");
 	}
 
 	@Test
-	public void noRegisteredSessionUsingSessionLimitStrategy() {
+	public void noRegisteredSessionUsingSessionLimit() {
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean())).willReturn(Collections.emptyList());
-		this.strategy.setMaximumSessions(SessionLimitStrategy.of(1));
+		this.strategy.setMaximumSessions(SessionLimit.of(1));
 		this.strategy.setExceptionIfMaximumExceeded(true);
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		// no exception
 	}
 
 	@Test
-	public void maxSessionsSameSessionIdUsingSessionLimitStrategy() {
+	public void maxSessionsSameSessionIdUsingSessionLimit() {
 		MockHttpSession session = new MockHttpSession(new MockServletContext(), this.sessionInformation.getSessionId());
 		this.request.setSession(session);
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean()))
 			.willReturn(Collections.singletonList(this.sessionInformation));
-		this.strategy.setMaximumSessions(SessionLimitStrategy.of(1));
+		this.strategy.setMaximumSessions(SessionLimit.of(1));
 		this.strategy.setExceptionIfMaximumExceeded(true);
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		// no exception
 	}
 
 	@Test
-	public void maxSessionsWithExceptionUsingSessionLimitStrategy() {
+	public void maxSessionsWithExceptionUsingSessionLimit() {
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean()))
 			.willReturn(Collections.singletonList(this.sessionInformation));
-		this.strategy.setMaximumSessions(SessionLimitStrategy.of(1));
+		this.strategy.setMaximumSessions(SessionLimit.of(1));
 		this.strategy.setExceptionIfMaximumExceeded(true);
 		assertThatExceptionOfType(SessionAuthenticationException.class)
 			.isThrownBy(() -> this.strategy.onAuthentication(this.authentication, this.request, this.response));
 	}
 
 	@Test
-	public void maxSessionsExpireExistingUserUsingSessionLimitStrategy() {
+	public void maxSessionsExpireExistingUserUsingSessionLimit() {
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean()))
 			.willReturn(Collections.singletonList(this.sessionInformation));
-		this.strategy.setMaximumSessions(SessionLimitStrategy.of(1));
+		this.strategy.setMaximumSessions(SessionLimit.of(1));
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		assertThat(this.sessionInformation.isExpired()).isTrue();
 	}
 
 	@Test
-	public void maxSessionsExpireLeastRecentExistingUserUsingSessionLimitStrategy() {
+	public void maxSessionsExpireLeastRecentExistingUserUsingSessionLimit() {
 		SessionInformation moreRecentSessionInfo = new SessionInformation(this.authentication.getPrincipal(), "unique",
 				new Date(1374766999999L));
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean()))
 			.willReturn(Arrays.asList(moreRecentSessionInfo, this.sessionInformation));
-		this.strategy.setMaximumSessions(SessionLimitStrategy.of(2));
+		this.strategy.setMaximumSessions(SessionLimit.of(2));
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		assertThat(this.sessionInformation.isExpired()).isTrue();
 	}
 
 	@Test
-	public void onAuthenticationWhenMaxSessionsExceededByTwoThenTwoSessionsExpiredUsingSessionLimitStrategy() {
+	public void onAuthenticationWhenMaxSessionsExceededByTwoThenTwoSessionsExpiredUsingSessionLimit() {
 		SessionInformation oldestSessionInfo = new SessionInformation(this.authentication.getPrincipal(), "unique1",
 				new Date(1374766134214L));
 		SessionInformation secondOldestSessionInfo = new SessionInformation(this.authentication.getPrincipal(),
 				"unique2", new Date(1374766134215L));
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean()))
 			.willReturn(Arrays.asList(oldestSessionInfo, secondOldestSessionInfo, this.sessionInformation));
-		this.strategy.setMaximumSessions(SessionLimitStrategy.of(2));
+		this.strategy.setMaximumSessions(SessionLimit.of(2));
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		assertThat(oldestSessionInfo.isExpired()).isTrue();
 		assertThat(secondOldestSessionInfo.isExpired()).isTrue();
@@ -222,7 +222,7 @@ public void onAuthenticationWhenMaxSessionsExceededByTwoThenTwoSessionsExpiredUs
 
 	@Test
 	public void onAuthenticationWhenSessionLimitIsUnlimited() {
-		this.strategy.setMaximumSessions(SessionLimitStrategy.UNLIMITED);
+		this.strategy.setMaximumSessions(SessionLimit.UNLIMITED);
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		verifyNoInteractions(this.sessionRegistry);
 	}

web/src/test/java/org/springframework/security/web/session/SessionLimitStrategyTests.java renamed to web/src/test/java/org/springframework/security/web/session/SessionLimitTests.java

@@ -30,28 +30,28 @@
  * @author Claudenir Freitas
  * @since 6.5
  */
-class SessionLimitStrategyTests {
+class SessionLimitTests {
 
 	private final Authentication authentication = Mockito.mock(Authentication.class);
 
 	@Test
 	void testUnlimitedInstance() {
-		SessionLimitStrategy sessionLimit = SessionLimitStrategy.UNLIMITED;
+		SessionLimit sessionLimit = SessionLimit.UNLIMITED;
 		int result = sessionLimit.apply(this.authentication);
 		assertThat(result).isEqualTo(-1);
 	}
 
 	@ParameterizedTest
 	@ValueSource(ints = { -1, 1, 2, 3 })
 	void testInstanceWithValidMaxSessions(int maxSessions) {
-		SessionLimitStrategy sessionLimit = SessionLimitStrategy.of(maxSessions);
+		SessionLimit sessionLimit = SessionLimit.of(maxSessions);
 		int result = sessionLimit.apply(this.authentication);
 		assertThat(result).isEqualTo(maxSessions);
 	}
 
 	@Test
 	void testInstanceWithInvalidMaxSessions() {
-		assertThatIllegalArgumentException().isThrownBy(() -> SessionLimitStrategy.of(0))
+		assertThatIllegalArgumentException().isThrownBy(() -> SessionLimit.of(0))
 			.withMessage(
 					"MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");
 	}