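/**
 * Webpack chunk 329, module 754: compiled Vue render function for the
 * "Spring Security Integration" documentation page of Spring Session.
 *
 * The chunk registers itself on `window.webpackJsonp`; module 754 builds a
 * component from the render function below and exports it as `default`.
 * Module 56 is presumably the vue-loader component normalizer (its `.a`
 * export is called with the options object, the render function and the
 * static render function list) - confirm against the bundle's runtime.
 *
 * Changes relative to the generated output:
 *  - Three text nodes that ran straight into an inline <code> element
 *    ("through the", "used by all", "method") now carry the missing space.
 *  - The two XML listings and the generic type parameters of the second Java
 *    listing had been reduced to whitespace/raw types because everything in
 *    angle brackets was stripped upstream. They are restored from the Spring
 *    Session reference documentation; the surviving whitespace pattern
 *    matches the restored element layout.
 *
 * All listing text is emitted through `_v` (text vnodes), so the markup-like
 * content is displayed literally and is not parsed as HTML.
 */
(window.webpackJsonp = window.webpackJsonp || []).push([
  [329],
  {
    754: function (module, exports, require) {
      "use strict";
      require.r(exports);
      var normalizer = require(56);
      var component = Object(normalizer.a)(
        {},
        function () {
          var vm = this;
          var createElement = vm.$createElement;
          var h = vm._self._c || createElement;

          // Plain text vnode.
          var text = function (value) {
            return vm._v(value);
          };

          // Inline <code> element holding a single text node.
          var inlineCode = function (value) {
            return h("code", [vm._v(value)]);
          };

          // Heading with the "#" permalink anchor that precedes its title.
          var heading = function (tag, id, title) {
            return h(tag, { attrs: { id: id } }, [
              h(
                "a",
                { staticClass: "header-anchor", attrs: { href: "#" + id } },
                [vm._v("#")]
              ),
              vm._v(" " + title),
            ]);
          };

          // Code listing wrapper: <div><pre v-pre><code>source</code></pre></div>.
          var listing = function (source) {
            return h("div", { staticClass: "language- extra-class" }, [
              h("pre", { pre: true, attrs: { class: "language-text" } }, [
                h("code", [vm._v(source)]),
              ]),
            ]);
          };

          // Security review note on the sample below: setAlwaysRemember(true)
          // applies remember-me to every login, whether or not the user asked
          // for it. Together with the session cookie expiring at
          // Integer.MAX_VALUE (see the bullet list), the server-side session
          // expiration is the only bound on how long a captured cookie stays
          // usable, so that timeout and explicit logout/invalidation need to
          // be sized deliberately. The call is marked "optionally customize".
          var rememberMeJava =
            "@Override\n" +
            "protected void configure(HttpSecurity http) throws Exception {\n" +
            "\thttp\n" +
            "\t\t// ... additional configuration ...\n" +
            "\t\t.rememberMe((rememberMe) -> rememberMe\n" +
            "\t\t\t.rememberMeServices(rememberMeServices())\n" +
            "\t\t);\n" +
            "}\n" +
            "\n" +
            "@Bean\n" +
            "public SpringSessionRememberMeServices rememberMeServices() {\n" +
            "\tSpringSessionRememberMeServices rememberMeServices =\n" +
            "\t\t\tnew SpringSessionRememberMeServices();\n" +
            "\t// optionally customize\n" +
            "\trememberMeServices.setAlwaysRemember(true);\n" +
            "\treturn rememberMeServices;\n" +
            "}\n";

          // Restored listing (elements had been stripped to whitespace).
          var rememberMeXml =
            "<security:http>\n" +
            "\t\x3c!-- ... --\x3e\n" +
            "\t<security:form-login />\n" +
            '\t<security:remember-me services-ref="rememberMeServices"/>\n' +
            "</security:http>\n" +
            "\n" +
            '<bean id="rememberMeServices"\n' +
            '\tclass="org.springframework.session.security.web.authentication.SpringSessionRememberMeServices"\n' +
            '\tp:alwaysRemember="true"/>\n';

          // Generic parameters restored; the diamond operator in
          // sessionRegistry() had survived the stripping.
          var concurrencyJava =
            "@Configuration\n" +
            "public class SecurityConfiguration<S extends Session> extends WebSecurityConfigurerAdapter {\n" +
            "\n" +
            "\t@Autowired\n" +
            "\tprivate FindByIndexNameSessionRepository<S> sessionRepository;\n" +
            "\n" +
            "\t@Override\n" +
            "\tprotected void configure(HttpSecurity http) throws Exception {\n" +
            "\t\t// @formatter:off\n" +
            "\t\thttp\n" +
            "\t\t\t// other config goes here...\n" +
            "\t\t\t.sessionManagement((sessionManagement) -> sessionManagement\n" +
            "\t\t\t\t.maximumSessions(2)\n" +
            "\t\t\t\t.sessionRegistry(sessionRegistry())\n" +
            "\t\t\t);\n" +
            "\t\t// @formatter:on\n" +
            "\t}\n" +
            "\n" +
            "\t@Bean\n" +
            "\tpublic SpringSessionBackedSessionRegistry<S> sessionRegistry() {\n" +
            "\t\treturn new SpringSessionBackedSessionRegistry<>(this.sessionRepository);\n" +
            "\t}\n" +
            "\n" +
            "}\n";

          // Restored listing (elements had been stripped to whitespace).
          // max-sessions mirrors maximumSessions(2) from the Java listing.
          var concurrencyXml =
            "<security:http>\n" +
            "\t\x3c!-- other config goes here... --\x3e\n" +
            "\t<security:session-management>\n" +
            '\t\t<security:concurrency-control max-sessions="2" session-registry-ref="sessionRegistry"/>\n' +
            "\t</security:session-management>\n" +
            "</security:http>\n" +
            "\n" +
            '<bean id="sessionRegistry"\n' +
            '\tclass="org.springframework.session.security.SpringSessionBackedSessionRegistry">\n' +
            '\t<constructor-arg ref="sessionRepository"/>\n' +
            "</bean>\n";

          return h(
            "ContentSlotsDistributor",
            { attrs: { "slot-key": vm.$parent.slotKey } },
            [
              heading(
                "h1",
                "spring-security-integration",
                "Spring Security Integration"
              ),
              text(" "),
              h("p", [
                text("Spring Session provides integration with Spring Security."),
              ]),
              text(" "),
              heading(
                "h2",
                "spring-security-remember-me-support",
                "Spring Security Remember-me Support"
              ),
              text(" "),
              h("p", [
                text("Spring Session provides integration with "),
                h(
                  "a",
                  {
                    // rel="noopener noreferrer" keeps the new tab from
                    // reaching back into this page through window.opener.
                    attrs: {
                      href: "https://docs.spring.io/spring-security/site/docs/5.6.2/reference/html5/#servlet-rememberme",
                      target: "_blank",
                      rel: "noopener noreferrer",
                    },
                  },
                  [
                    text("Spring Security’s Remember-me Authentication"),
                    h("OutboundLink"),
                  ],
                  1
                ),
                text(".\nThe support:"),
              ]),
              text(" "),
              h("ul", [
                h("li", [
                  h("p", [text("Changes the session expiration length")]),
                ]),
                text(" "),
                h("li", [
                  h("p", [
                    text("Ensures that the session cookie expires at "),
                    inlineCode("Integer.MAX_VALUE"),
                    text(
                      ".\nThe cookie expiration is set to the largest possible value, because the cookie is set only when the session is created.\nIf it were set to the same value as the session expiration, the session would get renewed when the user used it but the cookie expiration would not be updated (causing the expiration to be fixed)."
                    ),
                  ]),
                ]),
              ]),
              text(" "),
              h("p", [
                text(
                  "To configure Spring Session with Spring Security in Java Configuration, you can use the following listing as a guide:"
                ),
              ]),
              text(" "),
              listing(rememberMeJava),
              h("p", [
                text(
                  "An XML-based configuration would look something like the following:"
                ),
              ]),
              text(" "),
              listing(rememberMeXml),
              heading(
                "h2",
                "spring-security-concurrent-session-control",
                "Spring Security Concurrent Session Control"
              ),
              text(" "),
              h("p", [
                text(
                  "Spring Session provides integration with Spring Security to support its concurrent session control.\nThis allows limiting the number of active sessions that a single user can have concurrently, but, unlike the default\nSpring Security support, this also works in a clustered environment. This is done by providing a custom\nimplementation of Spring Security’s "
                ),
                inlineCode("SessionRegistry"),
                text(" interface."),
              ]),
              text(" "),
              h("p", [
                text(
                  "When using Spring Security’s Java config DSL, you can configure the custom "
                ),
                inlineCode("SessionRegistry"),
                // Trailing space added: the text used to run into the <code>.
                text(" through the "),
                inlineCode("SessionManagementConfigurer"),
                text(", as the following listing shows:"),
              ]),
              text(" "),
              listing(concurrencyJava),
              h("p", [
                text(
                  "This assumes that you have also configured Spring Session to provide a "
                ),
                inlineCode("FindByIndexNameSessionRepository"),
                text(" that\nreturns "),
                inlineCode("Session"),
                text(" instances."),
              ]),
              text(" "),
              h("p", [
                text(
                  "When using XML configuration, it would look something like the following listing:"
                ),
              ]),
              text(" "),
              listing(concurrencyXml),
              h("p", [
                text("This assumes that your Spring Session "),
                inlineCode("SessionRegistry"),
                text(" bean is called "),
                inlineCode("sessionRegistry"),
                // Trailing space added: the text used to run into the <code>.
                text(", which is the name used by all "),
                inlineCode("SpringHttpSessionConfiguration"),
                text(" subclasses."),
              ]),
              text(" "),
              heading("h2", "limitations", "Limitations"),
              text(" "),
              h("p", [
                text("Spring Session’s implementation of Spring Security’s "),
                inlineCode("SessionRegistry"),
                text(" interface does not support the "),
                inlineCode("getAllPrincipals"),
                // Leading space added: "getAllPrincipals" used to run into "method".
                text(
                  " method, as this information cannot be retrieved by using Spring Session. This method is never called by Spring Security,\nso this affects only applications that access the "
                ),
                inlineCode("SessionRegistry"),
                text(" themselves."),
              ]),
            ]
          );
        },
        [],
        false,
        null,
        null,
        null
      );
      exports.default = component.exports;
    },
  },
]);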