Class SessionManagementConfigurer.ConcurrencyControlConfigurer
java.lang.Object
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer.ConcurrencyControlConfigurer
- Enclosing class:
- SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
Allows configuring controlling of multiple sessions.
-
Method Summary
Modifier and TypeMethodDescriptionand()Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.expiredSessionStrategy(SessionInformationExpiredStrategy expiredSessionStrategy) Determines the behaviour when an expired session is detected.expiredUrl(String expiredUrl) The URL to redirect to if a user tries to access a resource and their session has been expired due to too many sessions for the current user.maximumSessions(int maximumSessions) Controls the maximum number of sessions for a user.maxSessionsPreventsLogin(boolean maxSessionsPreventsLogin) If true, prevents a user from authenticating when themaximumSessions(int)has been reached.sessionRegistry(SessionRegistry sessionRegistry) Controls theSessionRegistryimplementation used.
-
Method Details
-
maximumSessions
public SessionManagementConfigurer<H>.ConcurrencyControlConfigurer maximumSessions(int maximumSessions) Controls the maximum number of sessions for a user. The default is to allow any number of users.- Parameters:
maximumSessions- the maximum number of sessions for a user- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurerfor further customizations
-
expiredUrl
The URL to redirect to if a user tries to access a resource and their session has been expired due to too many sessions for the current user. The default is to write a simple error message to the response.- Parameters:
expiredUrl- the URL to redirect to- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurerfor further customizations
-
expiredSessionStrategy
public SessionManagementConfigurer<H>.ConcurrencyControlConfigurer expiredSessionStrategy(SessionInformationExpiredStrategy expiredSessionStrategy) Determines the behaviour when an expired session is detected.- Parameters:
expiredSessionStrategy- theSessionInformationExpiredStrategyto use when an expired session is detected.- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurerfor further customizations
-
maxSessionsPreventsLogin
public SessionManagementConfigurer<H>.ConcurrencyControlConfigurer maxSessionsPreventsLogin(boolean maxSessionsPreventsLogin) If true, prevents a user from authenticating when themaximumSessions(int)has been reached. Otherwise (default), the user who authenticates is allowed access and an existing user's session is expired. The user's who's session is forcibly expired is sent toexpiredUrl(String). The advantage of this approach is if a user accidentally does not log out, there is no need for an administrator to intervene or wait till their session expires.- Parameters:
maxSessionsPreventsLogin- true to have an error at time of authentication, else false (default)- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurerfor further customizations
-
sessionRegistry
public SessionManagementConfigurer<H>.ConcurrencyControlConfigurer sessionRegistry(SessionRegistry sessionRegistry) Controls theSessionRegistryimplementation used. The default isSessionRegistryImplwhich is an in memory implementation.- Parameters:
sessionRegistry- theSessionRegistryto use- Returns:
- the
SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>.ConcurrencyControlConfigurerfor further customizations
-
and
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. UseSessionManagementConfigurer.sessionConcurrency(Customizer)insteadUsed to chain back to theSessionManagementConfigurer- Returns:
- the
SessionManagementConfigurerfor further customizations
-