caarlos0 caarlos0 - 17 days ago 8
Java Question

Can I manage multiple browser tabs with Spring Security?

I wonder if, with Spring Security, I can validate the user sessions, allowing only one browser tab open. Is it possible?

I would also like to know if I can do it, when the user closes the tab and open it again before the end of his session SessionFilter it from direct application, without going to the login screen.

I'm using JSF 1.2, RichFaces 3.3.3, Hibernate and co ...

Detail: I know the spring security, I'm just researching it.

Now thanks and excuse me for my bad English.

See ya!

Answer

No. Spring Security cannot tell if the request was from the original tab or from a new tab - that information is strictly client-side. From http://static.springsource.org/spring-security/site/faq.html :

2.1.

I'm using Spring Security's concurrent session control to prevent users from logging in more than once at a time. When I open another browser window after logging in, it doesn't stop me from logging in again. Why can I log in more than once?

Browsers generally maintain a single session per browser instance. You cannot have two separate sessions at once. So if you log in again in another window or tab you are just reauthenticating in the same session. The server doesn't know anything about tabs, windows or browser instances. All it sees are HTTP requests and it ties those to a particular session according to the value of the the JSESSIONID cookie that they contain. When a user authenticates during a session, Spring Security's concurrent session control checks the number of other authenticated sessions that they have. If they are already authenticated with the same session, then re-authenticating will have no effect.