I had written a CustomAuthenticationProcessingFilter class because Spring Security's concurrency control was not working.
Also, I had to check whether the username and their role had access to log in to the application.
But, forgetting the above problems, I have even tried removing the CustomAuthenticationProcessingFilter class
completely (replacing it by class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" in the context file)
and having only a custom implementation of UserDetailsService (for DB access) & UserDetailsContextMapper (for LDAP access), but the problem still persists.
User A's session is getting destroyed as soon as User B logs in to the application.
I am sorry, but I still don't understand why you seem to be making it more complex than it needs to be. It sounds like you are using the latest version of Spring Security but trying to do some older style of configuration usage of it.
For instance, you say "(replacing by class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" in context file)".
Why would you even have to know that class or use it directly in the context file?
If you create a custom UserDetailsService and use it, your configuration is very basic; you don't need to know any Spring Security class in your configuration, just the security namespace.
In your web.xml you just deploy the DelegatingFilterProxy and map it to all the URLs in your web app.
Then in a security-config.xml file use
And then map your incoming URLs to roles.
For setting up the custom UserDetailsService you would have
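The namespace-only setup this reply describes, written out as an added example rather than configuration posted in the thread: the bean class com.example.CustomUserDetailsService, the URL patterns and the role names are placeholders.

```xml
<!-- web.xml (fragment): one filter in front of every URL, plus the listener
     that tells Spring Security's SessionRegistry when a session is destroyed -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- security-config.xml: security namespace only, no filter classes named -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

  <http auto-config="true" use-expressions="true">
    <!-- map incoming URLs to roles (patterns and role names are placeholders) -->
    <intercept-url pattern="/login*" access="permitAll"/>
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <form-login login-page="/login" authentication-failure-url="/login?error=1"/>
    <logout logout-success-url="/login"/>
    <!-- a second login for the same principal is rejected instead of
         silently expiring the first session -->
    <session-management>
      <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
    </session-management>
  </http>

  <!-- custom UserDetailsService (placeholder class) plugged in by reference -->
  <beans:bean id="customUserDetailsService"
              class="com.example.CustomUserDetailsService"/>

  <authentication-manager>
    <authentication-provider user-service-ref="customUserDetailsService"/>
  </authentication-manager>
</beans:beans>
```

With error-if-maximum-exceeded omitted, a second login for the same user expires the earlier session instead of being refused. Either way the HttpSessionEventPublisher listener in web.xml is required, or the session registry never learns that sessions have ended and the limit is not enforced correctly.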
As suggested, I have rewritten the security context with the basic configuration and am now facing the concurrency control problem.
My application-security looks like this:
Finally found the solution to the above problem. There were multiple causes:
While testing the above problem I was making a mistake: I was trying to achieve concurrency control when users open the application in a tabbed browser.
Spring internally stores the IP address of the machine to prevent multiple users from logging in from the same machine. Thus I had to make code changes so that users having multiple roles are not allowed to log in from the same machine.