When invoked following an authentication, it will check whether the user in question should be allowed to proceed, by comparing the number of sessions they already have active with the configured maximumSessions value. The {@link SessionRegistry} is used as the source of data on authenticated users and session data.
If a user has reached the maximum number of permitted sessions, the behaviour depends on the exceptionIfMaxExceeded property. The default behaviour is to expire the least recently used session, which will be invalidated by the {@link ConcurrentSessionFilter} if accessed again. If exceptionIfMaxExceeded is set to true, however, the user will be prevented from starting a new authenticated session.
This strategy can be injected into both the {@link SessionManagementFilter} and instances of {@link AbstractAuthenticationProcessingFilter} (typically {@link UsernamePasswordAuthenticationFilter}), but is typically combined with {@link RegisterSessionAuthenticationStrategy} using {@link CompositeSessionAuthenticationStrategy}.
@see CompositeSessionAuthenticationStrategy
@author Luke Taylor
@author Rob Winch
@since 3.2
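The two behaviours described above, wired through a composite strategy, as an added example (not Spring Security's own code). It assumes spring-security-web and spring-test (for the mock request and response) on the classpath; the class name, the helper methods and the user "alice" are constructed for illustration, and the property is set through `setExceptionIfMaximumExceeded`.

```java
import java.util.List;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.*;

public class ConcurrentSessionDemo {

    // The concurrency check runs first; only then is the new session registered.
    static SessionAuthenticationStrategy strategy(SessionRegistry registry, boolean rejectNewLogin) {
        ConcurrentSessionControlAuthenticationStrategy control =
                new ConcurrentSessionControlAuthenticationStrategy(registry);
        control.setMaximumSessions(1);
        control.setExceptionIfMaximumExceeded(rejectNewLogin);
        return new CompositeSessionAuthenticationStrategy(List.<SessionAuthenticationStrategy>of(
                control, new RegisterSessionAuthenticationStrategy(registry)));
    }

    // Simulates one successful login on a fresh request and returns its session id.
    static String login(SessionAuthenticationStrategy strategy, Authentication auth) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        strategy.onAuthentication(auth, request, new MockHttpServletResponse());
        return request.getSession().getId();
    }

    public static void main(String[] args) {
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.NO_AUTHORITIES); // constructed sample user

        // Default: the second login succeeds and the older session is marked expired.
        SessionRegistry registry = new SessionRegistryImpl();
        SessionAuthenticationStrategy expireOldest = strategy(registry, false);
        String first = login(expireOldest, alice);
        login(expireOldest, alice);
        System.out.println("first session expired: "
                + registry.getSessionInformation(first).isExpired());

        // Strict: the second login is refused and the existing session is untouched.
        SessionAuthenticationStrategy reject = strategy(new SessionRegistryImpl(), true);
        login(reject, alice);
        try {
            login(reject, alice);
        } catch (SessionAuthenticationException e) {
            System.out.println("second login rejected: " + e.getMessage());
        }
    }
}
```

In the default mode the expired session is only marked in the registry; the container session is invalidated when the ConcurrentSessionFilter next sees a request on it, so that filter must be in the chain for the limit to take effect.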