
Spring security several logins from the same ip address

My greetings.

I've got such a question. Is there any way in spring security to check the amount of logins from the same IP address? I mean if there is someone logged in from this current IP, I'd like to inform him that he cannot login with the different credentials (for example from the different browser) and deny the login attempt.

I tried to google it and found the following, but it is not the thing I'm looking for:

IP filter using Spring Security

Authenticating By IP Address In Spring 3.1: Smartest Way To Do That?

A possible solution is to implement a pair of custom AuthenticationSuccessHandler and LogoutSuccessHandler that (both having access to the http request) can maintain a concurrent map holding the number of logged in users keyed by their ip address. Then add a custom filter that intercepts login requests, checks that map, and redirects the user if the number of users from his ip address exceeds the limit.

I think there is no way to do it out of the box. What you can do actually is restrict the maximum number of connections from one browser instance (see the concurrent session chapter).

If it's not enough for you then you can do it manually (thanks to carefully designed extension points in Spring Security). Define your custom filter as explained here. Declare an alias for the session registry and load all principals. In a normal case each principal will be represented by an Authentication object. Authentication.getDetails() may contain an IP address. Find duplicates and redirect the user to some error page. Hope this helps.

EDIT. It wouldn't work because a principal from a session registry is actually an instance of org.springframework.security.core.userdetails.User and not Authentication.

SessionAuthenticationStrategy is the point to monitor and control login attempts. There is already ConcurrentSessionControlStrategy for limiting sessions logged in by the same username. You can extend it or learn from it, and redirect or forward to an error page in SimpleUrlAuthenticationFailureHandler.

/**
 * Strategy which handles concurrent session-control, in addition to the functionality provided by the base class.
 *
 * When invoked following an authentication, it will check whether the user in question should be allowed to proceed,
 * by comparing the number of sessions they already have active with the configured <tt>maximumSessions</tt> value.
 * The {@link SessionRegistry} is used as the source of data on authenticated users and session data.
 * <p>
 * If a user has reached the maximum number of permitted sessions, the behaviour depends on the
 * <tt>exceptionIfMaxExceeded</tt> property. The default behaviour is to expire the least recently used session, which
 * will be invalidated by the {@link ConcurrentSessionFilter} if accessed again. If <tt>exceptionIfMaxExceeded</tt> is
 * set to <tt>true</tt>, however, the user will be prevented from starting a new authenticated session.
 * <p>
 * This strategy can be injected into both the {@link SessionManagementFilter} and instances of
 * {@link AbstractAuthenticationProcessingFilter} (typically {@link UsernamePasswordAuthenticationFilter}).
 *
 * @author Luke Taylor
 * @since 3.0
 */
public class ConcurrentSessionControlStrategy extends SessionFixationProtectionStrategy
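The following is an added example, not code from the original answers or from Spring Security itself. It combines the two ideas above: the per-IP bookkeeping in a concurrent map suggested in the first answer, and the SessionAuthenticationStrategy hook suggested in the last answer, so the check runs after the credentials are verified but before the new session is established. The class name SameIpLoginLimiter, the map field, and the logout redirect target are assumptions; the Spring Security types (SessionAuthenticationStrategy, SessionAuthenticationException, LogoutSuccessHandler, WebAuthenticationDetails, HttpSessionSecurityContextRepository) are real, and the javax.servlet imports match the Spring 3.x era of the question.

```java
// Added example (not from the original post or from Spring Security).
// Rejects a login when a *different* user is already logged in from the
// same client IP, and releases the IP on logout or session expiry.
package example; // hypothetical package

import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

public class SameIpLoginLimiter
        implements SessionAuthenticationStrategy, LogoutSuccessHandler, HttpSessionListener {

    /** Client IP -> username that currently holds the login slot for that IP (assumed field). */
    private final Map<String, String> activeByIp = new ConcurrentHashMap<>();

    /** Called by Spring Security after successful authentication, before the session is set up. */
    @Override
    public void onAuthentication(Authentication authentication, HttpServletRequest request,
            HttpServletResponse response) throws SessionAuthenticationException {
        String ip = clientIp(authentication, request);
        String user = authentication.getName();
        // putIfAbsent is atomic, so two simultaneous logins from one IP cannot both win the slot.
        String holder = activeByIp.putIfAbsent(ip, user);
        if (holder != null && !holder.equals(user)) {
            // Throwing here makes the processing filter fail the login; the configured
            // AuthenticationFailureHandler (e.g. SimpleUrlAuthenticationFailureHandler)
            // then redirects to the error page.
            throw new SessionAuthenticationException(
                    "Another account is already logged in from this IP address");
        }
    }

    /** Releases the IP slot on explicit logout, then redirects to the login page. */
    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        if (authentication != null) {
            // remove(key, value) only clears the slot if this user still holds it
            activeByIp.remove(clientIp(authentication, request), authentication.getName());
        }
        response.sendRedirect(request.getContextPath() + "/login?logout"); // assumed target
    }

    /** Releases the IP slot when a session dies without a logout (timeout, invalidation). */
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        Object ctx = event.getSession()
                .getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        if (ctx instanceof SecurityContext) {
            Authentication auth = ((SecurityContext) ctx).getAuthentication();
            if (auth != null && auth.getDetails() instanceof WebAuthenticationDetails) {
                String ip = ((WebAuthenticationDetails) auth.getDetails()).getRemoteAddress();
                activeByIp.remove(ip, auth.getName());
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // nothing to track until the user authenticates
    }

    /** Number of IPs currently holding a login; useful for monitoring or tests. */
    public int activeIpCount() {
        return activeByIp.size();
    }

    /** Prefer the address recorded at authentication time; fall back to the raw request. */
    private static String clientIp(Authentication authentication, HttpServletRequest request) {
        Object details = authentication.getDetails();
        if (details instanceof WebAuthenticationDetails) {
            return ((WebAuthenticationDetails) details).getRemoteAddress();
        }
        return request.getRemoteAddr();
    }
}
```

Register one instance of this class as the session-authentication-strategy of the form-login filter, as the logout success handler, and as a servlet session listener (it must be the same instance, since the map lives in it). Two caveats a practitioner should weigh before deploying such a rule: behind a reverse proxy or load balancer `getRemoteAddr()` returns the proxy's address unless a trusted forwarded-header filter is configured, so every user would appear to share one IP; and legitimate users behind NAT or a corporate gateway do share an IP, so this check will block them from logging in at the same time, which is exactly what the question asks for but is worth stating to users on the error page.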
