Coverage Report

Coverage Report - org.acegisecurity.concurrent.ConcurrentSessionControllerImpl

Classes in this File

Line Coverage

Branch Coverage

Complexity

ConcurrentSessionControllerImpl

88%

91%

2.444

 /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 package org.acegisecurity.concurrent;
 
 import org.acegisecurity.AcegiMessageSource;
 import org.acegisecurity.Authentication;
 import org.acegisecurity.AuthenticationException;
 
 import org.springframework.beans.factory.InitializingBean;
 
 import org.springframework.context.MessageSource;
 import org.springframework.context.MessageSourceAware;
 import org.springframework.context.support.MessageSourceAccessor;
 
 import org.springframework.util.Assert;
 
 
 /**
  * Base implementation of {@link ConcurrentSessionControllerImpl} which prohibits simultaneous logins.<p>By default
  * uses {@link SessionRegistryImpl}, although any <code>SessionRegistry</code> may be used.</p>
  *
  * @author Ben Alex
  * @version $Id: ConcurrentSessionControllerImpl.java 2279 2007-12-02 03:00:26Z benalex $
  */
 public class ConcurrentSessionControllerImpl implements ConcurrentSessionController, InitializingBean,
     MessageSourceAware {
     //~ Instance fields ================================================================================================
 
     protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
     private SessionRegistry sessionRegistry;
     private boolean exceptionIfMaximumExceeded = false;
     private int maximumSessions = 1;
 
     //~ Methods ========================================================================================================
 
     public void afterPropertiesSet() throws Exception {
         Assert.notNull(sessionRegistry, "SessionRegistry required");
         Assert.isTrue(maximumSessions != 0,
             "MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");
         Assert.notNull(this.messages, "A message source must be set");
     }
 
     /**
      * Allows subclasses to customise behaviour when too many sessions are detected.
      *
      * @param sessionId the session ID of the present request
      * @param sessions either <code>null</code> or all unexpired sessions associated with the principal
      * @param allowableSessions DOCUMENT ME!
      * @param registry an instance of the <code>SessionRegistry</code> for subclass use
      *
      * @throws ConcurrentLoginException DOCUMENT ME!
      */
     protected void allowableSessionsExceeded(String sessionId, SessionInformation[] sessions, int allowableSessions,
         SessionRegistry registry) {
         if (exceptionIfMaximumExceeded || (sessions == null)) {
             throw new ConcurrentLoginException(messages.getMessage("ConcurrentSessionControllerImpl.exceededAllowed",
                     new Object[] {new Integer(allowableSessions)},
                     "Maximum sessions of {0} for this principal exceeded"));
         }
 
         // Determine least recently used session, and mark it for invalidation
         SessionInformation leastRecentlyUsed = null;
 
         for (int i = 0; i < sessions.length; i++) {
             if ((leastRecentlyUsed == null)
                     || sessions[i].getLastRequest().before(leastRecentlyUsed.getLastRequest())) {
                 leastRecentlyUsed = sessions[i];
             }
         }
 
         leastRecentlyUsed.expireNow();
     }
 
     public void checkAuthenticationAllowed(Authentication request)
         throws AuthenticationException {
         Assert.notNull(request, "Authentication request cannot be null (violation of interface contract)");
 
         Object principal = SessionRegistryUtils.obtainPrincipalFromAuthentication(request);
         String sessionId = SessionRegistryUtils.obtainSessionIdFromAuthentication(request);
 
         SessionInformation[] sessions = sessionRegistry.getAllSessions(principal, false);
 
         int sessionCount = 0;
 
         if (sessions != null) {
             sessionCount = sessions.length;
         }
 
         int allowableSessions = getMaximumSessionsForThisUser(request);
         Assert.isTrue(allowableSessions != 0, "getMaximumSessionsForThisUser() must return either -1 to allow "
                 + "unlimited logins, or a positive integer to specify a maximum");
 
         if (sessionCount < allowableSessions) {
             // They haven't got too many login sessions running at present
             return;
         } else if (allowableSessions == -1) {
             // We permit unlimited logins
             return;
         } else if (sessionCount == allowableSessions) {
             // Only permit it though if this request is associated with one of the sessions
             for (int i = 0; i < sessionCount; i++) {
                 if (sessions[i].getSessionId().equals(sessionId)) {
                     return;
                 }
             }
         }
 
         allowableSessionsExceeded(sessionId, sessions, allowableSessions, sessionRegistry);
     }
 
     /**
      * Method intended for use by subclasses to override the maximum number of sessions that are permitted for
      * a particular authentication. The default implementation simply returns the <code>maximumSessions</code> value
      * for the bean.
      *
      * @param authentication to determine the maximum sessions for
      *
      * @return either -1 meaning unlimited, or a positive integer to limit (never zero)
      */
     protected int getMaximumSessionsForThisUser(Authentication authentication) {
         return maximumSessions;
     }
 
     public void registerSuccessfulAuthentication(Authentication authentication) {
         Assert.notNull(authentication, "Authentication cannot be null (violation of interface contract)");
 
         Object principal = SessionRegistryUtils.obtainPrincipalFromAuthentication(authentication);
         String sessionId = SessionRegistryUtils.obtainSessionIdFromAuthentication(authentication);
 
         sessionRegistry.registerNewSession(sessionId, principal);
     }
 
     public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) {
         this.exceptionIfMaximumExceeded = exceptionIfMaximumExceeded;
     }
 
     public void setMaximumSessions(int maximumSessions) {
         this.maximumSessions = maximumSessions;
     }
 
     public void setMessageSource(MessageSource messageSource) {
         this.messages = new MessageSourceAccessor(messageSource);
     }
 
     public void setSessionRegistry(SessionRegistry sessionRegistry) {
         this.sessionRegistry = sessionRegistry;
     }
 }

1		/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
2		*
3		* Licensed under the Apache License, Version 2.0 (the "License");
4		* you may not use this file except in compliance with the License.
5		* You may obtain a copy of the License at
6		*
7		* http://www.apache.org/licenses/LICENSE-2.0
8		*
9		* Unless required by applicable law or agreed to in writing, software
10		* distributed under the License is distributed on an "AS IS" BASIS,
11		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		* See the License for the specific language governing permissions and
13		* limitations under the License.
14		*/
15
16		package org.acegisecurity.concurrent;
17
18		import org.acegisecurity.AcegiMessageSource;
19		import org.acegisecurity.Authentication;
20		import org.acegisecurity.AuthenticationException;
21
22		import org.springframework.beans.factory.InitializingBean;
23
24		import org.springframework.context.MessageSource;
25		import org.springframework.context.MessageSourceAware;
26		import org.springframework.context.support.MessageSourceAccessor;
27
28		import org.springframework.util.Assert;
29
30
31		/**
32		* Base implementation of {@link ConcurrentSessionControllerImpl} which prohibits simultaneous logins.<p>By default
33		* uses {@link SessionRegistryImpl}, although any <code>SessionRegistry</code> may be used.</p>
34		*
35		* @author Ben Alex
36		* @version $Id: ConcurrentSessionControllerImpl.java 2279 2007-12-02 03:00:26Z benalex $
37		*/
38	4	public class ConcurrentSessionControllerImpl implements ConcurrentSessionController, InitializingBean,
39		MessageSourceAware {
40		//~ Instance fields ================================================================================================
41
42	4	protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
43		private SessionRegistry sessionRegistry;
44	4	private boolean exceptionIfMaximumExceeded = false;
45	4	private int maximumSessions = 1;
46
47		//~ Methods ========================================================================================================
48
49		public void afterPropertiesSet() throws Exception {
50	2	Assert.notNull(sessionRegistry, "SessionRegistry required");
51	0	Assert.isTrue(maximumSessions != 0,
52		"MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");
53	0	Assert.notNull(this.messages, "A message source must be set");
54	0	}
55
56		/**
57		* Allows subclasses to customise behaviour when too many sessions are detected.
58		*
59		* @param sessionId the session ID of the present request
60		* @param sessions either <code>null</code> or all unexpired sessions associated with the principal
61		* @param allowableSessions DOCUMENT ME!
62		* @param registry an instance of the <code>SessionRegistry</code> for subclass use
63		*
64		* @throws ConcurrentLoginException DOCUMENT ME!
65		*/
66		protected void allowableSessionsExceeded(String sessionId, SessionInformation[] sessions, int allowableSessions,
67		SessionRegistry registry) {
68	2	if (exceptionIfMaximumExceeded \|\| (sessions == null)) {
69	1	throw new ConcurrentLoginException(messages.getMessage("ConcurrentSessionControllerImpl.exceededAllowed",
70		new Object[] {new Integer(allowableSessions)},
71		"Maximum sessions of {0} for this principal exceeded"));
72		}
73
74		// Determine least recently used session, and mark it for invalidation
75	1	SessionInformation leastRecentlyUsed = null;
76
77	2	for (int i = 0; i < sessions.length; i++) {
78	1	if ((leastRecentlyUsed == null)
79		\|\| sessions[i].getLastRequest().before(leastRecentlyUsed.getLastRequest())) {
80	1	leastRecentlyUsed = sessions[i];
81		}
82		}
83
84	1	leastRecentlyUsed.expireNow();
85	1	}
86
87		public void checkAuthenticationAllowed(Authentication request)
88		throws AuthenticationException {
89	4	Assert.notNull(request, "Authentication request cannot be null (violation of interface contract)");
90
91	4	Object principal = SessionRegistryUtils.obtainPrincipalFromAuthentication(request);
92	4	String sessionId = SessionRegistryUtils.obtainSessionIdFromAuthentication(request);
93
94	4	SessionInformation[] sessions = sessionRegistry.getAllSessions(principal, false);
95
96	4	int sessionCount = 0;
97
98	4	if (sessions != null) {
99	3	sessionCount = sessions.length;
100		}
101
102	4	int allowableSessions = getMaximumSessionsForThisUser(request);
103	4	Assert.isTrue(allowableSessions != 0, "getMaximumSessionsForThisUser() must return either -1 to allow "
104		+ "unlimited logins, or a positive integer to specify a maximum");
105
106	4	if (sessionCount < allowableSessions) {
107		// They haven't got too many login sessions running at present
108	1	return;
109	3	} else if (allowableSessions == -1) {
110		// We permit unlimited logins
111	0	return;
112	3	} else if (sessionCount == allowableSessions) {
113		// Only permit it though if this request is associated with one of the sessions
114	5	for (int i = 0; i < sessionCount; i++) {
115	3	if (sessions[i].getSessionId().equals(sessionId)) {
116	1	return;
117		}
118		}
119		}
120
121	2	allowableSessionsExceeded(sessionId, sessions, allowableSessions, sessionRegistry);
122	1	}
123
124		/**
125		* Method intended for use by subclasses to override the maximum number of sessions that are permitted for
126		* a particular authentication. The default implementation simply returns the <code>maximumSessions</code> value
127		* for the bean.
128		*
129		* @param authentication to determine the maximum sessions for
130		*
131		* @return either -1 meaning unlimited, or a positive integer to limit (never zero)
132		*/
133		protected int getMaximumSessionsForThisUser(Authentication authentication) {
134	4	return maximumSessions;
135		}
136
137		public void registerSuccessfulAuthentication(Authentication authentication) {
138	3	Assert.notNull(authentication, "Authentication cannot be null (violation of interface contract)");
139
140	3	Object principal = SessionRegistryUtils.obtainPrincipalFromAuthentication(authentication);
141	3	String sessionId = SessionRegistryUtils.obtainSessionIdFromAuthentication(authentication);
142
143	3	sessionRegistry.registerNewSession(sessionId, principal);
144	3	}
145
146		public void setExceptionIfMaximumExceeded(boolean exceptionIfMaximumExceeded) {
147	2	this.exceptionIfMaximumExceeded = exceptionIfMaximumExceeded;
148	2	}
149
150		public void setMaximumSessions(int maximumSessions) {
151	1	this.maximumSessions = maximumSessions;
152	1	}
153
154		public void setMessageSource(MessageSource messageSource) {
155	0	this.messages = new MessageSourceAccessor(messageSource);
156	0	}
157
158		public void setSessionRegistry(SessionRegistry sessionRegistry) {
159	2	this.sessionRegistry = sessionRegistry;
160	2	}
161		}