Add Max Session to WebFlux

[bentenzheng]

When i am using webflux , how can i achieve a similar effect ,get all login user session ,
like as :
http.sessionManagement() .maximumSessions(1).sessionRegistry(getSessionRegistry()).maxSessionsPreventsLogin(false)

[rwinch]

We do not currently support max sessions in WebFlux. I converted this issue into a ticket for that support

[ankurpathak]

Can I give it a try??

[rwinch]

@ankurpathak Sure! The ticket is yours

[ankurpathak]

@rwinch I would like to dicusss this ticket progressively:
Here is a top lable flow I am thinking to use:

class AuthenticationWebFilter {
          	private ServerSessionAuthenticationStrategy sessionAuthenticationStrategy = NullAuthenticatedServerSessionStrategy.getInstance();

               private Mono<Void> authenticate(ServerWebExchange exchange,
		WebFilterChain chain, Authentication token) {
		WebFilterExchange webFilterExchange = new WebFilterExchange(exchange, chain);
		return this.authenticationManager.authenticate(token)
			.switchIfEmpty(Mono.defer(() -> Mono.error(new IllegalStateException("No provider found for " + token.getClass()))))
			.flatMap(authentication -> sessionAuthenticationStrategy.onAuthentication(authentication, webFilterExchange.getExchange()).then(Mono.just(authentication)))
			.flatMap(authentication -> onAuthenticationSuccess(authentication, webFilterExchange))
			.onErrorResume(AuthenticationException.class, e -> this.authenticationFailureHandler
				.onAuthenticationFailure(webFilterExchange, e));
	}
}

public interface ServerSessionAuthenticationStrategy {
	Mono<Void> onAuthentication(Authentication authentication, ServerWebExchange exchange);
}

public class  NoOpServerSessionAuthenticationStrategy implements ServerSessionAuthenticationStrategy {
	Mono<Void> onAuthentication(Authentication authentication, ServerWebExchange exchange){
             return Mono.empty();
        }

}

public interface ConcurrentServerSessionAuthenticationStrategy implements ServerSessionAuthenticationStrategy{
	Mono<Void> onAuthentication(Authentication authentication, ServerWebExchange exchange){
             return Mono.error(new SessionAuthenticationException("Error"));
        }

}

1. AuthenticationWebFilter will have instanace of ServerSessionAuthenticationStrategy
2. After authentication check session counts delegating it to ServerSessionAuthenticationStrategy
3. Two implementation of ServerSessionAuthenticationStrategy NoOp and Concurrent
   4 Support for adding ServerSessionAuthenticationStrategy in all AuthenticationWebFilter in ServerHttpSecurity

[ankurpathak]

@rwinch What is equivalent of SessionRegistry in reactive world?
I think we would need ReactiveSessionRegistry for this issue as using SessionRegistry may be non
blocking for InMemoryImplementatio but may be blocking for SessionRegistry implemenation for
Redis, Mongo, JDBC in Spring Session. What do you think?

[rwinch]

We don't currently have an equivalent. Note: I'd try and reimagine the API a bit rather than copy it directly. See exactly what is needed by Spring Security and limit it to that.

[issilin]

@rwinch
Is this ticket alive? Can I try to solve this?

[mukeshkamboj]

@rwinch
Do we have any solution?

[ankurpathak]

@mukeshkamboj @rwinch I am not working on this.

[issilin]

@rwinch
Still relevant? May I suggest a solution?

[Johannes-Rost]

Is this ticket still considered relevant?
The ability to control the number of parallel sessions is often requested in reviews as a security function.

[rishisc]

Is there any workaround for it in webflux using ReactiveRedisSessionRepository

[Danushka96]

Any progress of this issue?

[SuveenVundavalli]

Hi, any progress or suggestions on this?

[yangdq1]

Hi, any progress or suggestions on this issue ?

[maradanasai]

Hi, any progress or suggestions on this?

[RajeevKumarMarrapu]

Hi, any progress or suggestions on this?

[dgallego58]

this seems to be a long way, since authorization server is focused in Oauth2 patterns with spring security team i don't see coming this feature soon

[JonnyDeates]

Any Progress on this?

[marcusdacoregio]

Hi everyone, that has been no progress yet on this. Please give a thumbs up to the root comment if you would like to see this feature in Spring Security, this helps us prioritize issues.

If anyone is interested in working on this feature, you are welcome.

[marcusdacoregio]

For those waiting for this, the initial support is available in Spring Security 6.3.0-M1, please give it a try and, if possible, report any issues/enhancements. The docs are available at https://docs.spring.io/spring-security/reference/6.3/reactive/authentication/concurrent-sessions-control.html

[jsantana3c]

the example seems to not be working on the 3.3.0-RC1 (I'm using OAuthLogin),

this is my config:

 @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
                .authorizeExchange(authorizeRequests -> authorizeRequests
                        .anyExchange()
                        .authenticated()
                )
                .sessionManagement(sessions -> sessions
                        .concurrentSessions(concurrency -> concurrency
                                .maximumSessions(SessionLimit.of(1))
                                .maximumSessionsExceededHandler(new PreventLoginServerMaximumSessionsExceededHandler())
                        )
                )
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .oauth2Login(withDefaults())
                .logout(logout -> logout
                        .logoutSuccessHandler(oidcLogoutSuccessHandler())
                )
                .oauth2Client(withDefaults());

        return http.build();
    }

@Bean
    ReactiveSessionRegistry reactiveSessionRegistry() {
        return new InMemoryReactiveSessionRegistry();
    }

[marcusdacoregio]

Hi @jsantana3c, can you provide a minimal, reproducible sample?

[jsantana3c]

Here you go,
I created both authorization server and gateway

https://github.com/joaquinjsb/security-oauth-example