Home/ Questions/Q 8102209
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T23:11:13+00:00

I’m using Spring Security 3 and my ApplicationContext-Security.xml specifies <form-login login-page=/genesis default-target-url=/diagnostics/start-diagnostics authentication-failure-url=/genesis?authfailed=true authentication-success-handler-ref=customTargetUrlResolver/>

  • 0

I’m using Spring Security 3 and my ApplicationContext-Security.xml specifies

 <form-login login-page="/genesis" default-target-url="/diagnostics/start-diagnostics"
      authentication-failure-url="/genesis?authfailed=true"
      authentication-success-handler-ref="customTargetUrlResolver"/>
      <access-denied-handler error-page="/genesis?notauthorized=true"/>

     <logout logout-success-url="/genesis"/> 

    <session-management session-authentication-error-url="/genesis"> 
            <concurrency-control max-sessions="1"/>
    </session-management>

However when I log into my app in a second browser, then return to my first browser as soon as I try to do anything I get a plain white screen with the message “This session has been expired (possibly due to multiple concurrent logins being attempted as the same user”

How do I configure Spring Security 3 to display my own “you’ve been disconnected” URL?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can either:

    • force concurrency filter to throw authentication exception (and it’ll be handled by <form-login>),
    • provide your own session-expired page.

    These situations are described here in Spring Security manual:

    <concurrency-control> Attributes

    error-if-maximum-exceeded

    If set to “true” a SessionAuthenticationException will be raised when
    a user attempts to exceed the maximum allowed number of sessions. The
    default behaviour is to expire the original session.

    expired-url

    The URL a user will be redirected to if they attempt to use a session
    which has been “expired” by the concurrent session controller because
    the user has exceeded the number of allowed sessions and has logged in
    again elsewhere. Should be set unless exception-if-maximum-exceeded is
    set. If no value is supplied, an expiry message will just be written
    directly back to the response.

    Also check ConcurrentSessionFilter and ConcurrentSessionControlStrategy for more details.

    Answering your question: in your config you should have something like this:

    <session-management session-authentication-error-url="/genesis"> 
    <concurrency-control max-sessions="1" expired-url="/sessionExpired.jsp" />
</session-management>

    Note that expired-url is not the same as session-authentication-error-url.

    • 0