I’d like to limit the number of sessions for users.

Here is an example configuration (taken here) that I used:

<http>
  <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
  <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />

  <session-management session-authentication-strategy-ref="sas"/>
</http>

<beans:bean id="concurrencyFilter"
   class="org.springframework.security.web.session.ConcurrentSessionFilter">
  <beans:property name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="expiredUrl" value="/session-expired.htm" />
</beans:bean>

<beans:bean id="myAuthFilter" class=
   "org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <beans:property name="sessionAuthenticationStrategy" ref="sas" />
  <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<beans:bean id="sas" class=
 "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
  <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="maximumSessions" value="1" />
</beans:bean>

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

I don’t get any errors and can see the number of users in SessionRegistry. But maximumSessions value is 1, and I can create 2 sessions for one user (I used different browsers for that).

The following property also didn’t lead to any exceptions: <beans:property name="exceptionIfMaximumExceeded" value="true" />. I also tried to override equals() and hashCode() for UserDetails implementation (as it was suggested here).

Why do I have an ability to log in twice for one user with this maximumSessions value? Should I limit sessions number somehow else? Any suggestion would be appreciated, thanks in advance.