Spring Security Example Tutorial - How to limit number of User Session in Java J2EE

Spring security can limit number of session a user can have. If you are developing web application specially secure web application in Java J2EE then you must have come up with requirement similar to online banking portals have e.g. only one session per user at a time or no concurrent session per user. You can also implement this functionality without using spring security but with Spring security its just piece of cake with coffee :). Spring Security provides lots of Out of Box functionality a secure enterprise or web application needed like authentication, authorization, session management, password encoding, secure access, session timeout etc. In our spring security example we have seen how to do LDAP Authentication in Active directory using spring security and in this spring security example we will see how to limit number of session user can have in Java web application or restricting concurrent user session.


Spring Security Example: Limit Number of User Session

spring security example - limit number of session in java J2EEAs I said it’s simple and easy when you use spring security framework or library. In fact is all declarative and no code is require to enable concurrent session disable functionality. You will need to include following xml snippet in your Spring Security Configuration file mostly named as applicaContext-security.xml. Here is sample spring security Example of limiting user session in Java web application:

<session-management invalid-session-url="/logout.html">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />

As you see you can specify how many concurrent session per user is allowed, most secure system like online banking portals allow just one authenticate session per user. You can even specify a URL where user will be taken if they submit an invalid session identifier can be used to detect session timeout. Session-management element is used to capture session related stuff. Max-session specify how many concurrent authenticated session is allowed and if error-if-maximum-exceeded set to true it will flag error if user tries to login into another session.


This code has dependency on spring-security framework. You need to download spring security jar like spring-security-web-3.1.0.jar and add into application classpath.

This simple example of spring security shows power of spring security, a small piece of xml snippet can add very useful and handy security feature in your Java web application. I recommend using spring security for your new or existing Java web application created using Servlet JSP.

That’s all on how to limit number of user session using spring security in Java web application. Let me know if you face any issue while implementing this security feature in your project.

Further Reading
Expert Spring MVC and Web Flow (read here)
Spring Fundamentals By Bryan Hansen (see)
Introduction to Spring MVC 4 By Bryan Hansen (see)
Hibernate Interview Questions and answers (see here)

Other Java tutorials you may like

P.S. - If you are an experienced Java/JEE Program and want to learn Spring Security end-to-end, I recommend Learn Spring Security course by Eugen Paraschiv, The definitive guide to secure your Java application. It's useful for both junior and experienced Java Web developers.

P.S - If you like to learn from book, then Pro Spring Security by Carlo Scarioni is a good starting point. The content is not advanced enough for senior developers but for junior and intermediate programmer, it's a great book.


John Turner said...

How does this work in a clustered environment?

danish said...

Cool Example, just few lines of code. Indeed looks like Spring Security is full of such great feature which just need configuration to make them active. I am loving Security Security :)

Sashika said...

Does this handle browser close or browser crash scenarios? If we set the max-sessions=1 and if we close the browser without logging off, can the user login again immediately?

Sindhuraj said...

@Sashika, it doesn't handle browser close scenario. If user closes its browser without logging off from application, his user session will be active on Server and all subsequent login from same user will be denied as "maximum active session is 1".

By the way this feature is called Spring Security Concurrent Session Control and available from Spring security 3.0 in declarative format as mentioned in this tutorial.

I agreed with Writer that this is the easiest way to implement Concurrent Session Control on any Java web application but this feature requires a central Session Repository and if you are running on Two cluster where Session replication is not available and both Cluster have there own session repository, you will end up with Concurrent multiple User session. I am not sure if you can customize this behavior by implementing your own Session Repository, If you have any idea please jump in.

Sourabh Ghose said...

@Sinduraj, The concurrentsessionfilter indeed does not work in a clustered environment with multiple web servers. In order to make this work you would have to write a custom SessionRegistry as described here:

Anonymous said...

how to enable Spring Security in case of browser close or browser crash scenario....??

Neethu Krishna said...

Im using spring 2 version the same code is not working for me.i cant migrate to spring 3 as im doing enhancement if i try to migrate from spring 2 to spring 3 it is very difficult for me.can any body help me to fined the solution

Javin Paul said...

Hello Neethu, what is the error you are getting? some more information would be helpful because its spring spring security feature not core spring framework.

arnab chowdhury said...

Hi Javin Paul,

After implementing your code I observed that if I login as specific user say admin in internet explorer then I am able to login into IE with same user but it does not allow to login with admin in another browser chrome vice -versa .please tell why does not work for the same browser

Javin Paul said...

@arnab, there is a setting for that which allow multiple active session, as discussed on my post how to control active session in Spring security. You can configure it depending upon your requirement.

arnab chowdhury said...

Hi Javin,

After implementing your below code

I observed that concurrent session of a user
is possible from same browser e.g same user can login multiple times from same browser how can I stop user from second time login from the same browser e.g IE if that user is already logged ?
How can stop concurrent login for a specific user the above code is common to all user ?
How can i throw custom error messages in spring-security if the user tries to login for second time?

Post a Comment