Develop Reference

Upgraded to Spring Security 4 and now I'm unable to login

I just upgraded to Spring Security 4.2.3.RELEASE and now I can't login. Specifically, when I login, submitting these parameters
OWASP_CSRFTOKEN ZLCK-J3VV-OJTK-8GZW-H68V-C8N6-CE6G-U6AQ
j_password aaa
j_username mouser
I get the error
Could not verify the provided CSRF token because your session was not found.
You can clearly see from the above it is there. Below is my Spring security configuration. What else do I need to check to get this working?
<beans:bean id="mycoUsernamePasswordUrlAuthenticationFilter"
class="org.collegeboard.myco.core.security.mycoUsernamePasswordUrlAuthenticationFilter">
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureHandler">
<beans:bean
class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login/failure" />
<beans:property name="exceptionMappings" ref="exceptionMappings" />
</beans:bean>
</beans:property>
<beans:property name="authenticationSuccessHandler">
<beans:bean
class="org.collegeboard.myco.security.mycoAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/authenticate" />
<beans:property name="sessionService" ref="sessionService" />
</beans:bean>
</beans:property>
</beans:bean>
...
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg name="loginFormUrl" value="/login" />
</beans:bean>
<http name="defaultSecurity" security-context-repository-ref="mycoSecurityContextRepository"
auto-config="false" use-expressions="true" authentication-manager-ref="authenticationManager"
entry-point-ref="loginUrlAuthenticationEntryPoint">
<!-- <access-denied-handler error-page="/denied"/> -->
<custom-filter position="FORM_LOGIN_FILTER"
ref="mycoUsernamePasswordUrlAuthenticationFilter" />
<intercept-url pattern="/lti/launch" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/status" access="permitAll" />
<intercept-url pattern="/termsOfUse" access="permitAll" />
<intercept-url pattern="/privacyPolicy" access="permitAll" />
<intercept-url pattern="/contactUs" access="permitAll" />
<intercept-url pattern="/legal" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
...
<intercept-url pattern="/dwrsetcookie" access="isFullyAuthenticated()" />
<intercept-url pattern="/dwrpageid" access="permitAll" />
<logout invalidate-session="true" logout-success-url="/logout" logout-url="/j_spring_security_logout" />
</http>
<authentication-manager alias="authenticationManager" id="authenticationManager">
<authentication-provider user-service-ref="sbdUserDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>

Try to add the below CSRF input to your login jsp,
<input type="hidden" name="${_csrf.parameterName}"value="${_csrf.token}"/>
Or disable CSRF by adding the below to http tag
<csrf disabled="true"/>

Spring Oauth2 - update to 2.0.x and configuration no longer works

Ok, so, after updating to Spring Oauth2 2.0.6 - from 1.0.0.M6, my configuration stopped working. I had to make a few tweaks here and the (like, some classes that no longer exists and some that changed package).
The current configuration is the following one:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">
<global-method-security pre-post-annotations="enabled" />
<http pattern="/favicon.ico" security="none" />
<http pattern="/login/**" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/js/**" security="none" />
<http pattern="/img/**" security="none" />
<http pattern="/mockdata/**" security="none" />
<http pattern="/p/api/**" security="none" />
<http pattern="/p/public/**" entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="clientAuthenticationManager">
<intercept-url pattern="/p/public/**" access="ROLE_OAUTH_CLIENT" />
<custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</http>
<http pattern="/public/**" entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="clientAuthenticationManager">
<intercept-url pattern="/public/**" access="ROLE_OAUTH_CLIENT" />
<custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</http>
<http pattern="/p/oauth/token" create-session="never" authentication-manager-ref="clientAuthenticationManager">
<intercept-url pattern="/p/oauth/token" access="ROLE_OAUTH_CLIENT" />
<anonymous enabled="false" />
<http-basic />
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<http access-decision-manager-ref="accessDecisionManager">
<intercept-url pattern="/p/tasks/comment" access="ROLE_ACTIVE,ROLE_OAUTH_CLIENT" />
<intercept-url pattern="/**" access="ROLE_ACTIVE"/>
<!-- ATTENTION TO THIS LINE - If commented out the login works -->
<custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
<access-denied-handler error-page="/login/" />
<form-login login-page="/login/" default-target-url="/" authentication-failure-url="/login/?error=1" />
<http-basic/>
<logout logout-url="/logout" logout-success-url="/" />
<remember-me user-service-ref="userDetailsServiceImpl" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsServiceImpl">
<password-encoder hash="md5"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="on-tasks2" />
</beans:bean>
<beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<beans:bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<beans:property name="authenticationManager" ref="clientAuthenticationManager" />
</beans:bean>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<beans:bean class="org.springframework.security.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="" />
</beans:bean>
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
<authentication-manager id="clientAuthenticationManager">
<authentication-provider user-service-ref="clientDetailsUserDetailsService" />
</authentication-manager>
<beans:bean id="clientDetailsUserDetailsService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetails" />
</beans:bean>
<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<beans:property name="tokenStore" ref="tokenStore" />
<beans:property name="supportRefreshToken" value="false" />
<beans:property name="clientDetailsService" ref="clientDetails" />
</beans:bean>
<beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
<beans:constructor-arg ref="dataSource" />
</beans:bean>
<oauth:authorization-server
client-details-service-ref="clientDetails"
token-services-ref="tokenServices"
authorization-endpoint-url="/p/oauth/authorize"
token-endpoint-url="/p/oauth/token"
user-approval-page="access_confirmation">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter" resource-id="on-tasks" token-services-ref="tokenServices" />
<beans:bean id="clientDetails" class="org.springframework.security.oauth2.provider.client.JdbcClientDetailsService">
<beans:constructor-arg ref="dataSource" />
</beans:bean>
</beans:beans>
With this configuration as-is, whenever I try to login, it redirects to the login page with a 302 code on /j_spring_security_check. If I comment that line (custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER") out, the login works.
Also, now, if I try to access localhost:8080/p/oauth/token?client_id=the-client-ids&client_secret=someMockedSecret&grant_type=client_credentials&scope=comment I get a 404, whereas before it used to create the access token.
The lines that were changed with the update are the following:
- <beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.MediaTypeAwareAuthenticationEntryPoint">
+ <beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
- <beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.MediaTypeAwareAccessDeniedHandler" />
+ <beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
- <beans:bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.filter.ClientCredentialsTokenEndpointFilter">
+ <beans:bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
- <beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RandomValueTokenServices">
+ <beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
- <beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
+ <beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
- <beans:bean id="clientDetails" class="org.springframework.security.oauth2.provider.JdbcClientDetailsService">
+ <beans:bean id="clientDetails" class="org.springframework.security.oauth2.provider.client.JdbcClientDetailsService">
Any suggestions? I've tried a few different configurations that I found here in StackOverflow but none of them worked for me.
Thanks in any advance.
-glauber

Error while deploying spring security application on ec2 instance

I am struggling with below error while deploying the application on ec2 instance
10:59:13,129 [localhost-startStop-1] [] [ERROR] [ContextLoader].[initWebApplicationContext()]:312 :: Context initialization failed
java.lang.VerifyError: (class: org/springframework/security/web/FilterChainProxy, method: signature: (Lorg/springframework/security/web/SecurityFilterChain;)V) Expecting to find object/array on stack
When I remove http tags from security context file, we are able to deploy the application on ec2 isntance.
How ever same war is getting deployed on our local instance(windows).
Please find below our security context file
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" authentication-manager-ref="mizuAuthenticationManager" ></global-method-security>
<beans:bean id="mizuPropertiesHolder" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<beans:property name="locations">
<beans:list>
<beans:value>classpath*:mizu-conf.properties</beans:value>
</beans:list>
</beans:property>
<beans:property name="ignoreUnresolvablePlaceholders" value="true"/>
</beans:bean>
<beans:bean id="preAuthFilter" class="com.converse.mizu.service.filter.UrlParametersAuthenticationFilter">
</beans:bean>
<beans:bean id="mizuAuthenticationEntryPoint" class="com.converse.mizu.service.security.MizuAuthenticationEntryPoint">
<beans:constructor-arg name="loginUrl" value="/" />
</beans:bean>
<beans:bean id="rememberMeFilter" class= "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
<beans:constructor-arg name="authenticationManager" ref="mizuAuthenticationManager" />
<beans:constructor-arg name="rememberMeServices" ref="mizuRememberMeServices"/>
</beans:bean>
<beans:bean id="mizuUserDetailsService" class="com.converse.mizu.service.security.UserDetailsServiceImpl"></beans:bean>
<beans:bean id="mizuAuthenticationProvider" class="com.converse.mizu.service.security.MizuAuthenticationProvider"></beans:bean>
<beans:bean id="mizuRememberMeServices" class= "com.converse.mizu.service.security.CustomTokenBasedRememberMeService">
<beans:constructor-arg name="key" value="${remembeMeCoockie.key}"></beans:constructor-arg>
<beans:constructor-arg name="userDetailsService" ref="mizuUserDetailsService"></beans:constructor-arg>
<beans:property name="tokenValiditySeconds" value="2592000" />
<beans:property name="cookieName" value="${remembeMeCoockie.name}" />
<beans:property name="cookiePath" value="/" />
</beans:bean>
<beans:bean id="rememberMeAuthenticationProvider" class= "org.springframework.security.authentication.RememberMeAuthenticationProvider">
<beans:property name="key" value="${remembeMeCoockie.key}"/>
</beans:bean>
<beans:bean id="logoutSuccessHandler" class="com.converse.mizu.service.security.LogoutSuccessHandler" >
<beans:property name="logoutSuccessUrl" value="/"/>
</beans:bean>
<beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/" />
</beans:bean>
<beans:bean id="sas" class= "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<http pattern="/js/**" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/img/**" security="none" />
<http pattern="/font/**" security="none" />
<http pattern="/index.html*" security="none" />
<http pattern="/rest/url/**" security="none" />
<http pattern="/rest/user/resetpwd/**" security="none" />
<http pattern="/rest/uiads/analytics/uispec/**" security="none" />
<http entry-point-ref="http403EntryPoint" pattern="/autologin">
<custom-filter ref="preAuthFilter" position="PRE_AUTH_FILTER"/>
<session-management invalid-session-url="/" >
<concurrency-control session-registry-ref="sessionRegistry" max-sessions="1" />
</session-management>
</http>
<http use-expressions="true" entry-point-ref="mizuAuthenticationEntryPoint" >
<intercept-url pattern="/rest/signup/selfserve/register/account**" access="hasRole('CREATE_ACCOUNT')"/>
<intercept-url pattern="/html/account/register.html" access="hasRole('CREATE_ACCOUNT')"/>
<intercept-url pattern="/html/adStudio.htm**" access="isAuthenticated()"/>
<intercept-url pattern="/html/adcreator.htm**" access="isAuthenticated() and hasRole('AD_CREATOR_TOOL')"/>
<intercept-url pattern="/rest/signup/**" access="permitAll"/>
<intercept-url pattern="/rest/**" access="isAuthenticated()"/>
<custom-filter ref="mizuAuthenticationProcessingFilter" position="FORM_LOGIN_FILTER"/>
<custom-filter ref="rememberMeFilter" position="REMEMBER_ME_FILTER"/>
<custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
<session-management session-authentication-strategy-ref="sas"/>
<logout invalidate-session="true" success-handler-ref="logoutSuccessHandler"/>
<access-denied-handler ref="accessDeniedHandler"/>
</http>
<beans:bean id="mizuAuthenticationProcessingFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
<beans:property name="authenticationManager" ref="mizuAuthenticationManager"/>
<beans:property name="usernameParameter" value="username" />
<beans:property name="passwordParameter" value="password" />
<beans:property name="authenticationFailureHandler" ref="loginFailureHandler"/>
<beans:property name="authenticationSuccessHandler" ref="loginSuccessHandler"/>
<beans:property name="rememberMeServices" ref="mizuRememberMeServices" />
</beans:bean>
<!-- Register authentication manager for form login-->
<authentication-manager alias="mizuAuthenticationManager">
<authentication-provider ref="mizuAuthenticationProvider"/>
<authentication-provider ref="rememberMeAuthenticationProvider"/>
</authentication-manager>
<beans:bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"></beans:bean>

j_spring_security_check is not available

I upgraded Spring Security from 2 to 3
Previously Security.xml has AuthenticationProcessingFilter and AuthenticationProcessingFilterEntryPoint
So my new Security.xml is
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<beans:bean id="userAuthenticationService"
class="com.raykor.core.service.UserAuthenticationService" />
<beans:bean id="shaEncoder"
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
<global-method-security />
<http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">
<intercept-url pattern="/resettingPassword.do**" access="ROLE_ADMIN" />
<intercept-url pattern="/resetPassword.do**" access="ROLE_ADMIN" />
<logout logout-success-url="/index.jsp" invalidate-session="true" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userAuthenticationService">
<password-encoder ref="shaEncoder">
<salt-source user-property="salt" />
</password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationFailureHandler"
ref="failureHandler" />
<beans:property name="authenticationSuccessHandler"
ref="successHandler" />
</beans:bean>
<beans:bean id="successHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="alwaysUseDefaultTargetUrl" value="false" />
<beans:property name="defaultTargetUrl" value="/home.do" />
</beans:bean>
<beans:bean id="failureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.do?error=true" />
</beans:bean>
<beans:bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.do" />
<beans:property name="forceHttps" value="false" />
</beans:bean>
`
Also added filter springSecurityFilterChain in web.xml
On login.do it opens Login Page,On Submit it submits to j_spring_security_check with username and password as j_username & j_password
So why is it saying as j_spring_security_checknot avaliable

You instantiate a UsernamePasswordAuthenticationFilter, but it won't be part of the security filter chain just by creating it. Try removing the auto-config="false" from the http config element, and include a <form-login> element within that. I think all the configuration that you have done through the bean definitions can be done using the more concise namespace configuration which should be preferred with Spring Security 3.

I missed to add custom-filter ref i updated
as
<http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">
<custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
<intercept-url pattern="/resettingPassword.do**" access="ROLE_ADMIN" />
<intercept-url pattern="/resetPassword.do**" access="ROLE_ADMIN" />
<logout logout-success-url="/index.jsp" invalidate-session="true" />
</http>

Unable to make Spring 3 Session Concurency Control work

Using Spring Security 3.1.0, I cannot seem to get the concurrent session control feature to work. When I log into my system at the same time using IE and FireFox (using my local workstation) I see my user principle in the session registry twice. I am expecting the concurrent session control to log me out or throw an exception or do something that indicates I am logged into the site more than once and it is not permitted.
For what it's worth, I could not get the concurrency control to work at all using the auto config of the HTTP namespace element, even with specifying that my site uses a custom login form. I'm wondering if that might be due to the fact that my authentication is provided via LDAP...?
Here's my security config.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http auto-config="false" use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint">
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter"/>
<session-management session-authentication-strategy-ref="sas"/>
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/css/**" access="permitAll" />
<intercept-url pattern="/images/**" access="permitAll" />
<intercept-url pattern="/js/**" access="permitAll" />
<intercept-url pattern="/public/**" access="permitAll" />
<intercept-url pattern="/home/**" access="permitAll" />
<intercept-url pattern="/admin/user/**" access="hasRole('AUTH_MANAGE_USERS')" />
<intercept-url pattern="/admin/group/**" access="hasRole('AUTH_MANAGE_USERS')" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<access-denied-handler error-page="/403.html"/>
<logout invalidate-session="true" logout-success-url="/public/home.do"/>
</http>
<beans:bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/public/login.do"/>
<beans:property name="forceHttps" value="false"/>
</beans:bean>
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/expired.html" />
</beans:bean>
<beans:bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
<beans:property name="exceptionIfMaximumExceeded" value="true"/>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref='ldapProvider' />
<authentication-provider ref="externalUserLdapProvider"/>
</authentication-manager>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<beans:bean id="securityContext"
class="org.springframework.security.core.context.SecurityContextHolder" factory-method="getContext"/>
<beans:bean id="ldapProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg ref="bindAuthenticator" />
<beans:constructor-arg ref="userService" />
<beans:property name="userDetailsContextMapper" ref="permissionedUserContextMapper" />
</beans:bean>
<beans:bean id="permissionedUserContextMapper"
class="...service.impl.PermissionedUserContextMapperImpl" >
<beans:property name="userDao" ref="userDao"/>
</beans:bean>
<!-- LDAP via AD-->
<beans:bean id="bindAuthenticator"
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userSearch" ref="userSearch" />
</beans:bean>
<beans:bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg>
<beans:value></beans:value>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:value>(sAMAccountName={0})</beans:value>
</beans:constructor-arg>
<beans:constructor-arg ref="contextSource" />
<beans:property name="searchSubtree">
<beans:value>true</beans:value>
</beans:property>
</beans:bean>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg
value="ldap://omitted" />
<beans:property name="userDn"
value="ommitted" />
<beans:property name="password" value="omitted" />
</beans:bean>
<!-- Second LDAP Authenticator (Apache DS) -->
<beans:bean id="externalUserLdapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg ref="externalUserBindAuthenticator"/>
<beans:constructor-arg ref="userService" />
<beans:property name="userDetailsContextMapper" ref="permissionedUserContextMapper" />
</beans:bean>
<beans:bean id="externalUserBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="externalUserContextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>cn={0},ou=Users</beans:value>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="externalUserContextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://omitted"/>
</beans:bean>
</beans:beans>
Am I missing some property that should tell the concurrency control strategy to barf if the user logs more than 1 session? I know the same user is logging more than one session -- as I am seeing duplicate principles in the session registry.
Any/all replies are very much appreciated! Thanks in advance!

SessionRegistry uses equals()/hashCode() of UserDetails to find sessions of the same user. If you have custom UserDetails, perhaps it's not implemented.