Home/ Questions/Q 9174723
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T16:48:00+00:00

I have in my applicationContext-security.xml <session-management session-authentication-error-url=/genesis> <concurrency-control max-sessions=1 error-if-maximum-exceeded=true expired-url=/genesis?sessionExpired=true/> </session-management> which limits

  • 0

I have in my applicationContext-security.xml 

<session-management session-authentication-error-url="/genesis"> 
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/genesis?sessionExpired=true"/> 
    </session-management>

which limits a user to a single session. However, I now have a requirement that one account must be allowed multiple sessions whilst still limiting all other accounts to single session.

Any suggestions as to how I can achieve this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Override default concurrency filter. Skip processing for your special user:

    public class CustomConcurrentSessionFilter extends ConcurrentSessionFilter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
        ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!auth.getName().equals("bob")) {
            super.doFilter(req, res, chain);
        }
    }

}

    Replace default filter by custom one in conf:

    <security:http ... >
    <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="customConcurrentSessionFilter"/>
</security:http>

<bean id="customConcurrentSessionFilter" class="com.domain.CustomConcurrentSessionFilter"/>
    • 0