Description
Expected Behavior
For Reactive Applications, the maximumSessions value can be configured using the SessionLimit abstraction (refer to this documentation), which also allows us to return the value based on the current authentication, e.g.:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.SessionLimit;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

	@Bean
	SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
		http
			// ...
			.sessionManagement((sessions) -> sessions
				.concurrentSessions((concurrency) -> concurrency
					.maximumSessions(maxSessions()))
			);
		return http.build();
	}

	// SessionLimit is evaluated against the current Authentication on every login;
	// an empty Mono means "no limit"
	private SessionLimit maxSessions() {
		return (authentication) -> {
			if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_UNLIMITED_SESSIONS"))) {
				return Mono.empty(); // allow unlimited sessions for users with ROLE_UNLIMITED_SESSIONS
			}
			if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN"))) {
				return Mono.just(2); // allow two sessions for admins
			}
			return Mono.just(1); // allow one session for every other user
		};
	}
}
```
The SessionLimit abstraction was introduced by this Pull Request.
Current Behavior
For Servlet Applications, we do not have this mechanism (refer to this page). The maximumSessions is an Integer (this sample illustrates this).
Context
I have a Servlet Application running in production and cannot migrate it to a Reactive Application. I would like a similar SessionLimit abstraction for the Servlet Application. I have not found an elegant way to do it by checking the spring-security code.
I have the tenant identifier in the User Details and want to use it to retrieve the maximum session value per tenant using a service layer. This feature will be handy for the community.
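An added example, not from the issue author or the Spring Security project: a servlet-side equivalent of the per-authentication limit, built on the protected getMaximumSessionsForThisUser hook of ConcurrentSessionControlAuthenticationStrategy and wired by hand, since the maximumSessions(int) DSL only accepts an Integer. TenantUserDetails and TenantSessionLimitService are assumed application types standing in for the tenant id in the User Details and the service-layer lookup.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.session.ConcurrentSessionFilter;

// Assumed application types: the tenant id lives in the UserDetails, the limit comes from a service layer
interface TenantUserDetails extends UserDetails { String getTenantId(); }
interface TenantSessionLimitService { int maximumSessionsFor(String tenantId); }

// The protected hook overridden here is what ConcurrentSessionControlAuthenticationStrategy consults at login
class TenantSessionControlStrategy extends ConcurrentSessionControlAuthenticationStrategy {
	private final TenantSessionLimitService limits;
	TenantSessionControlStrategy(SessionRegistry registry, TenantSessionLimitService limits) {
		super(registry);
		this.limits = limits;
	}
	@Override
	protected int getMaximumSessionsForThisUser(Authentication authentication) {
		// -1 means "unlimited" to the superclass; any other value is the cap for this login
		if (authentication.getPrincipal() instanceof TenantUserDetails user) {
			return this.limits.maximumSessionsFor(user.getTenantId());
		}
		return super.getMaximumSessionsForThisUser(authentication); // falls back to setMaximumSessions(int)
	}
}

@Configuration
class ServletSessionConfig {
	@Bean
	SecurityFilterChain filterChain(HttpSecurity http, TenantSessionLimitService limits) throws Exception {
		SessionRegistry registry = new SessionRegistryImpl();
		TenantSessionControlStrategy control = new TenantSessionControlStrategy(registry, limits);
		control.setExceptionIfMaximumExceeded(false); // expire the oldest session instead of rejecting the login
		// Same strategies the maximumSessions(int) DSL composes: limit check, session-id change, registration
		CompositeSessionAuthenticationStrategy strategy = new CompositeSessionAuthenticationStrategy(List.of(
				control, new ChangeSessionIdAuthenticationStrategy(), new RegisterSessionAuthenticationStrategy(registry)));
		http.sessionManagement((sessions) -> sessions.sessionAuthenticationStrategy(strategy))
			.addFilter(new ConcurrentSessionFilter(registry)); // logs out sessions the strategy marked expired
		return http.build();
	}
}
```

Register an HttpSessionEventPublisher as well so that sessions destroyed by the container are removed from the registry, otherwise stale entries count against the tenant's limit.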
I already cloned the spring-security repo and implemented a solution to support the SessionLimit abstraction for the Servlet Application.
Before creating a Pull Request, I would like your input on this.
I just closed this one because I think it is more related to this repo.