java spring spring-security session-management

How to subclass concurrency control in Spring, and what exception is thrown?


Right now in Spring Security I have this code:

<session-management>
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>

If someone attempts to start a concurrent session, an exception is thrown. The way my application handles exceptions is by catching them and then throwing a custom exception that will be displayed to the user. My question is two-part.

First, and most importantly, how do I create a custom class that can be given to session management so that it can catch the old exception and throw the new? It seems to me that I need to subclass concurrency-control, and make a bean of some sort within my security context, but I am not sure how to do that.

Second, what is the name of the exception that will be thrown (the one I need to catch)? My guess is that it will be an AccessDeniedException, but I am unsure. This is not as important as the first question, because once I know the correct class I must subclass, I will know what exceptions it could be.

Thanks for the help,

MirroredFate


Solution

  • Ahh... I have found my answer.

    I subclassed ConcurrentSessionControlStrategy, and overrode the method allowableSessionsExceeded. This method throws a SessionAuthenticationException, whose message I changed before throwing it again. I had to add this code:

    <security:session-management session-authentication-strategy-ref="ccc"/>
    
    <beans:bean id="ccc"
        class="com.lim.lds.client.sqlloader.security.CustomConcurrencyControl">
        <beans:constructor-arg name="sessionRegistry"
            ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>
    
    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
    

    to my spring-security.xml file.

    I hope this helps anyone in a similar situation!
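
The subclass the answer describes could look like the following. This is an added example, not the poster's own code. It assumes the Spring Security 3.x API, where ConcurrentSessionControlStrategy is available; the message text and the call to setExceptionIfMaximumExceeded in the constructor are assumptions made to match the error-if-maximum-exceeded="true" setting from the question.

```java
package com.lim.lds.client.sqlloader.security;

import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;

public class CustomConcurrencyControl extends ConcurrentSessionControlStrategy {

    // Assumed wording: generic on purpose, so it reveals nothing about the other session.
    private static final String USER_MESSAGE =
            "This account is already signed in elsewhere. Sign out there and try again.";

    public CustomConcurrencyControl(SessionRegistry sessionRegistry) {
        super(sessionRegistry);
        // Equivalent of error-if-maximum-exceeded="true": reject the new login.
        // With the default (false) the parent expires the least recently used
        // session instead of throwing.
        setExceptionIfMaximumExceeded(true);
    }

    @Override
    protected void allowableSessionsExceeded(List<SessionInformation> sessions,
            int allowableSessions, SessionRegistry registry)
            throws SessionAuthenticationException {
        try {
            super.allowableSessionsExceeded(sessions, allowableSessions, registry);
        } catch (SessionAuthenticationException original) {
            // Swap the framework message for the application's own wording,
            // keeping the original exception as the cause for server-side logs.
            SessionAuthenticationException translated =
                    new SessionAuthenticationException(USER_MESSAGE);
            translated.initCause(original);
            throw translated;
        }
    }
}
```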