Trifork Blog

Posts Tagged ‘spring-security’

Using Spring Session for concurrent session control in a clustered environment

April 8th, 2016 by

For a long time, Spring Security has provided support to limit the number of sessions a single user can have concurrently. This prevents users from being logged in from many different devices at the same time, for example to ensure that they won’t share their credentials to a paid site with their friends and family.

My former colleague Quinten Krijger has blogged about this feature beforeNote the last paragraph, which explains how this support is limited to single-node applications.

Although running on a single node may suffice for many applications, there are plenty applications running in a clustered environment that should be able to benefit from concurrent session control as well. As hinted in the aforementioned blog, this requires both implementing a custom SessionRegistry as well as ensuring that expiring a session is propagated to all nodes in the cluster.

This is exactly what I’ve done recently using Spring Session, a framework that allows you to take control over managing sessions using a shared external registry like Redis. In this post I’d like to walk you through the code, which can be found here:


Based on the code I wrote for this blog I’ve opened a pull request for Spring Session. That request is scheduled for inclusion in Spring Session 1.3, but the code works just fine with the upcoming 1.2 release and removes the limitation of not providing an expiry notification after exceeding the maximum number of sessions.

Read the rest of this entry »

Session Timeout and Concurrent Session Control with Spring Security and Spring-MVC

February 28th, 2014 by


A web application me and my team are building recently underwent a security review. As usual, because you haven’t yet had time to put any real effort into it, some security risks did surface. We use Spring Security and Spring-MVC and I will talk about implementing a session timeout and concurrent session control: nice subjects from the trenches.

In general, sessions should be managed as restrictively as possible for your web application. Category number two on OWASP top ten security threats of 2013 is broken authentication and session management. Here you can find some nice examples of the problem never lying with the internet, but with the human mistakes in using it.


Read the rest of this entry »

Declarative multi-tenant security with Spring Security and Spring-MVC

September 5th, 2013 by

It’s been a while since our last ‘from the trenches’ entry, and as I’ve found I am better at authoring blogs than convincing colleagues to do the same I figured I’d write you another installment. This time I’d like to focus on an easy yet powerful approach that we used to secure a multi-tenant Spring-MVC application using Spring Security and its support for annotation-based declarative authorization.


If you’re developing enterprise web applications, then you have certainly applied some form of security to your apps. In some cases it suffices to come up with a number of roles that you can assign to (groups of) users and to perform authorization based on that. However, in many cases that’s not enough and the concept of data access control comes into play: only users that are somehow related to the data they’re trying to work with should be allowed to access that data. This can be through direct ownership, access control lists, some temporary relation like a doctor-patient treatment relationship, etc. A common requirement in multi-tenant applications, where a single application instance is used by people from different organizations whose data should be strictly separated, is that data should only be accessible by people who work for the organization that that data belongs to.

In this blog we’ll show you one approach that we used to implement this with Spring Security.

Read the rest of this entry »

Authenticate against a hippo repository using spring security

July 17th, 2012 by

Within a number of my projects we use Hippo to create a website. Hippo contains a JackRabbit repository that has capabilities for authenticating and authorizing users. Hippo builds on this functionality for its own security model. In most of these projects we create an integration component to store content in the repository from other systems and retrieve content from the repository to be useful in other applications. The integration component contains a web interface created using spring-mvc. We use spring-security to secure the web application. Since we do not want to maintain a separate list of users for the integration application we want to authenticate against the hippo repository. In my current project we have a lot of users that do not need access to the integration web application. We want to reuse the security domains functionality of Hippo to authorize the users.

In this blog post I am going to explain the different parts of the solution in such a way that you can use the solution in your own project.

Read the rest of this entry »