We already have an OAuth2 authorization server set up, so I need to create a corresponding resource server (separate server). We plan to use the Spring Security OAuth2 project. Their documentation for setting up a resource server:
https://github.com/spring-projects/spring-security-oauth/wiki/oAuth2#resource-server-configuration
token-services-ref should point to the token-handling bean. However it seems like the token handling is done by the server itself even though it is the resource server. There doesn't seem to be any remote token services class or any configuration relating to a remote server. This is in contrast with the CloudFoundry UAA (https://github.com/cloudfoundry/uaa/blob/master/samples/api/src/main/webapp/WEB-INF/spring-servlet.xml) which has:
<bean id="tokenServices"
class="org.cloudfoundry.identity.uaa.oauth.RemoteTokenServices">
<property name="checkTokenEndpointUrl" value="${checkTokenEndpointUrl}" />
Is there any way to use Spring Security OAuth2 for a resource server that communicates with a separate OAuth2 Authorization server? How can I set the communication endpoint?
This is possible as long as the authorization server and resource server(s) access a shared tokenStore (e.g. using JdbcTokenStore with a common dataSource). You can just use DefaultTokenServices with a reference to your shared tokenStore. Below is an example Spring config which you should be able to tweak to fit your needs:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
<constructor-arg name="dataSource" ref="dataSource" />
</bean>
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
</bean>
<bean id="authenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="myRealm" />
</bean>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<!-- This is not actually used, but it's required by Spring Security -->
<security:authentication-manager alias="authenticationManager" />
<oauth2:expression-handler id="oauthExpressionHandler" />
<oauth2:web-expression-handler id="oauthWebExpressionHandler" />
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<oauth2:resource-server id="myResource" resource-id="myResourceId" token-services-ref="tokenServices" />
<security:http pattern="/myPattern/**" create-session="never"
entry-point-ref="authenticationEntryPoint" access-decision-manager-ref="accessDecisionManager">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/**" access="SCOPE_READ" method="GET" />
<security:intercept-url pattern="/**" access="SCOPE_READ" method="HEAD" />
<security:intercept-url pattern="/**" access="SCOPE_READ" method="OPTIONS" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE" method="PUT" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE" method="POST" />
<security:intercept-url pattern="/**" access="SCOPE_WRITE" method="DELETE" />
<security:custom-filter ref="myResource" before="PRE_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:expression-handler ref="oauthWebExpressionHandler" />
</security:http>
</beans>
Yes, it's possible. Like you have already mentioned in your question, RemoteTokenServices is the solution.
I have created one sample which has separate auth and resource servers. It's just a sample to give a quick idea about the concept and open for extension.
Spring-AngularJS-OAuth2-Sample
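As an added example (not code from either answer or from the linked sample), this is the remote-check variant of the first answer's configuration: instead of sharing a token store, the resource server validates each bearer token by calling the authorization server's check_token endpoint through RemoteTokenServices from spring-security-oauth2 2.x. The endpoint URL, the client id/secret, the bean name clientAuthenticationManager and the check-token-enabled attribute of the 2.0 schema are assumptions.

```xml
<!-- Resource server side: no shared tokenStore; every incoming bearer token is sent to the
     authorization server for validation. URL and credentials are placeholders. -->
<bean id="tokenServices"
      class="org.springframework.security.oauth2.provider.token.RemoteTokenServices">
    <property name="checkTokenEndpointUrl" value="https://auth.example.com/oauth/check_token" />
    <!-- the resource server authenticates itself to check_token as a registered client -->
    <property name="clientId" value="resource-server-client-id" />
    <property name="clientSecret" value="resource-server-client-secret" />
</bean>

<!-- same filter as in the first answer; it now consults the remote service instead of a DB -->
<oauth2:resource-server id="myResource" resource-id="myResourceId"
        token-services-ref="tokenServices" />

<!-- Authorization server side (separate application): expose check_token and make sure
     only authenticated clients can call it, otherwise anyone can probe token validity. -->
<oauth2:authorization-server client-details-service-ref="clientDetails"
        token-services-ref="tokenServices" check-token-enabled="true">
    <oauth2:authorization-code />
    <oauth2:refresh-token />
</oauth2:authorization-server>

<security:http pattern="/oauth/check_token" create-session="stateless"
        authentication-manager-ref="clientAuthenticationManager">
    <security:intercept-url pattern="/oauth/check_token" access="IS_AUTHENTICATED_FULLY" />
    <security:anonymous enabled="false" />
    <security:http-basic />
</security:http>
```

The trade-off against the shared-store answer is one extra HTTP round trip per protected request, in exchange for the resource server never needing direct access to the token database.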
I am trying to configure a filter to run for pre-authentication to my web app using Ping Federate. I want this filter to be run when all resources are being accessed, except for '/login'.
That is, every page should go through a filter except '/login'.
I am using Spring Security 3.2 and I understand that using
<security:http pattern="/login" auto-config="true" security="none">
is the new way to write
<intercept-url pattern="/login*" filters="none" />
However, when adding security='none' to my XML config file, the filter is still being picked up when I access localhost:8080/login.
Below is my XML configuration file:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<context:annotation-config />
<context:property-placeholder />
<security:global-method-security
pre-post-annotations="enabled" />
<bean id="resourceLoader" class="com.foo.bar.ResourceLoader">
<constructor-arg value="${PING_IDENTITY_CONFIG_FILE_NAME}" />
</bean>
<bean id="openTokenReader" class="com.foo.bar.OpenTokenReader" />
<security:http pattern="/login" use-expressions="true" security="none" />
<security:http use-expressions="true" auto-config="true"
entry-point-ref="http403EntryPoint">
<security:custom-filter position="PRE_AUTH_FILTER"
ref="openTokenFilter" />
<!-- a single session-management element; the schema allows at most one per http block -->
<security:session-management invalid-session-url="/login">
<security:concurrency-control
max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
<security:logout />
</security:http>
<bean id="openTokenFilter"
class="com.foo.bar.OpenTokenRequestAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="logoutURL" value="${PING_IDENTITY_LOGOUT_URL}" />
<property name="authenticationFailureHandler">
<bean
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login" />
</bean>
</property>
</bean>
<bean id="preauthAuthProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="customUserDetailsService" />
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="preauthAuthProvider" />
</security:authentication-manager>
<bean id="customUserDetailsService" class="com.foo.bar.UserDetailsServiceImpl"></bean>
<bean id="http403EntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"></bean>
</beans>
I have tried nearly everything I can think of and for something that should be completely straightforward I have been unable to figure out the issue for quite some time.
I have been working on JAAS LDAP authentication for an application. For development purposes I am using Tomcat to deploy the application. When I deploy the application in Tomcat, the system successfully authenticates the user by checking the user credentials against an LDAP server and authorizes the user by fetching roles from the database.
But my problem is that when I deploy the application on a WebSphere server, I encounter an exception
"unable to find LoginModule class: com.enterprise.security.ldap.TrivialLoginModule"
I have not included any trivial module in my application,
but my application runs fine in Tomcat.
For my authentication module following classes are defined:
CustomAuthenticationProvider.java
DummyRoleGranter.java
JaasLdapLogin.java
The configuration file is
ldap.jaas.config
Could someone please help me in identifying what I am missing for the WebSphere server.
My spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:security="http://www.springframework.org/schema/security"
xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xsi:schemaLocation="http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<bean id="userDetailsService" class="com.work.application.service.UserDetailsService" />
<security:authentication-manager alias="authenticationmanager">
<security:authentication-provider ref="customauthProvider" />
</security:authentication-manager>
<security:http pattern="/resources/**" security="none" />
<security:http pattern="/login*" security="none" />
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:form-login login-page="/login" authentication-failure-url="/loginfailed" default-target-url="/index"/>
<security:logout invalidate-session="true" delete-cookies="JSESSIONID" logout-success-url="/login" logout-url="/j_spring_security_logout"/>
<security:session-management session-fixation-protection="newSession">
<security:concurrency-control max-sessions="1" expired-url="/loginfailed" error-if-maximum-exceeded="false"/>
</security:session-management>
<security:csrf />
</security:http>
<bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
<constructor-arg>
<bean
class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
<property name="headerName" value="X-SECURITY" />
</bean>
</constructor-arg>
</bean>
<bean id="customauthProvider" class="com.work.application.authprovider.CustomAuthenticationProvider">
<constructor-arg name="delegate" ref="jaasAuthProvider" />
<property name="userDetailsService" ref="userDetailsService" />
</bean>
<bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.JaasAuthenticationProvider">
<property name="loginConfig" value="classpath:ldap.jaas.config" />
<property name="authorityGranters">
<list>
<bean class="com.work.application.authprovider.DummyRoleGranter" />
</list>
</property>
<property name="loginContextName" value="LDAPLogin" />
<property name="callbackHandlers">
<list>
<bean class="org.springframework.security.authentication.jaas.JaasNameCallbackHandler" />
<bean class="org.springframework.security.authentication.jaas.JaasPasswordCallbackHandler" />
</list>
</property>
</bean>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/login"/>
<constructor-arg>
<list>
<bean class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
<constructor-arg>
<list>
<value>JSESSIONID</value>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</list>
</constructor-arg>
</bean>
</beans>
ldap.jaas.config
LDAPLogin
{
com.work.application.authprovider.JaasLdapLogin Sufficient
contextProvider="com.sun.jndi.ldap.LdapCtxFactory"
providerURL="ldap://aeiou:389/dc=app,dc=off,dc=net"
providerURL_2="ldap://aeiou3:389/dc=app,dc=off,dc=net"
providerURL_3="ldap://aeiou2:389/dc=app,dc=off,dc=net"
authenticationMode="simple"
providerURL_3="ldap://ABCDEFGH:389/"
providerURL_2="ldap://ABCDEFGI:389/"
principalPattern="cn={0},cn=Users,dc=app,dc=off,dc=net"
;
};
Got the workaround. Since WebSphere is not recognizing the config file, instead of using the JaasAuthenticationProvider I used DefaultJaasAuthenticationProvider and injected the configuration as an AppConfigurationEntry map. It's working fine in WebSphere now.
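As an added illustration of that workaround (not the poster's actual code), here is the jaasAuthProvider bean rewritten around DefaultJaasAuthenticationProvider, with the LDAPLogin entry from ldap.jaas.config supplied in memory through Spring Security's InMemoryConfiguration. It assumes the util namespace is declared in the file; only the first providerURL and the non-duplicated options are carried over.

```xml
<!-- Replaces the JaasAuthenticationProvider bean. The JAAS configuration is built by Spring,
     so the container's JAAS setup (which WebSphere handles differently from Tomcat) is never
     consulted. Requires xmlns:util="http://www.springframework.org/schema/util" plus its
     schemaLocation entry. -->
<bean id="jaasAuthProvider"
      class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
    <property name="configuration">
        <bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
            <constructor-arg>
                <map>
                    <!-- key = login context name, the same value as loginContextName below -->
                    <entry key="LDAPLogin">
                        <array>
                            <!-- AppConfigurationEntry(moduleClass, controlFlag, options) -->
                            <bean class="javax.security.auth.login.AppConfigurationEntry">
                                <constructor-arg value="com.work.application.authprovider.JaasLdapLogin" />
                                <constructor-arg>
                                    <util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.SUFFICIENT" />
                                </constructor-arg>
                                <constructor-arg>
                                    <!-- the key="value" lines of the old ldap.jaas.config -->
                                    <map>
                                        <entry key="contextProvider" value="com.sun.jndi.ldap.LdapCtxFactory" />
                                        <entry key="providerURL" value="ldap://aeiou:389/dc=app,dc=off,dc=net" />
                                        <entry key="authenticationMode" value="simple" />
                                        <entry key="principalPattern" value="cn={0},cn=Users,dc=app,dc=off,dc=net" />
                                    </map>
                                </constructor-arg>
                            </bean>
                        </array>
                    </entry>
                </map>
            </constructor-arg>
        </bean>
    </property>
    <property name="loginContextName" value="LDAPLogin" />
    <property name="authorityGranters">
        <list>
            <bean class="com.work.application.authprovider.DummyRoleGranter" />
        </list>
    </property>
    <property name="callbackHandlers">
        <list>
            <bean class="org.springframework.security.authentication.jaas.JaasNameCallbackHandler" />
            <bean class="org.springframework.security.authentication.jaas.JaasPasswordCallbackHandler" />
        </list>
    </property>
</bean>
```

The customauthProvider bean keeps referencing jaasAuthProvider unchanged; only the provider class and the source of the JAAS configuration differ.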
I have a general question. I have a web project written using Spring Security 3.2 and Spring 4. I deployed the project in Tomcat 7.0. There are 2 roles in Spring Security for project users: USER and COMPANY. When I log in from my home computer (without any proxy), everything works fine. But if I log in from my work computer (my computer is behind a company proxy) my web application does not work properly: it cannot get the localization, or it often gives the USER role to a company account, etc. I looked for this issue on the web, but cannot find any solutions. Hope anybody can figure out what the reason can be. Thanks in advance.
spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<bean id="securityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" />
<security:global-method-security
pre-post-annotations="enabled">
<security:expression-handler ref="securityExpressionHandler" />
</security:global-method-security>
<security:http auto-config="false" use-expressions="true" access-denied-page="/login" entry-point-ref="authenticationEntryPoint">
<security:intercept-url pattern="/login" access="permitAll"/>
<security:intercept-url pattern="/account/register" access="permitAll"/>
<security:intercept-url pattern="/main" access="hasAnyRole('ROLE_USER, ROLE_COMPANY')"/>
<security:intercept-url pattern="/profile" access="hasAnyRole('ROLE_USER, ROLE_COMPANY')"/>
<security:intercept-url pattern="/wishlist" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/messagebox" access="hasAnyRole('ROLE_USER, ROLE_COMPANY')"/>
<security:intercept-url pattern="/settings" access="hasAnyRole('ROLE_USER, ROLE_COMPANY')"/>
<security:intercept-url pattern="/search" access="hasAnyRole('ROLE_USER, ROLE_COMPANY')"/>
<security:logout invalidate-session="true" logout-success-url="/login" logout-url="/logout" />
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
<security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
<security:session-management session-authentication-strategy-ref="sas" />
</security:http>
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:sessionAuthenticationStrategy-ref="sas"
p:authenticationManager-ref="authenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"/>
<bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/login?fail=true" />
<!-- We just actually need to set the default target url here -->
<bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
p:defaultTargetUrl="/main" />
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login"/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="customAuthenticationProvider" />
</security:authentication-manager>
<bean id="customAuthenticationProvider" class="service.CustomAuthenticationManager">
</bean>
<!-- A custom service where Spring will retrieve users and their corresponding access levels -->
<bean id="customUserDetailsService" class="service.CustomUserDetailsService"/>
<bean id="concurrencyFilter" class="filter.AzunisConcurrentSessionFilter"
p:sessionRegistry-ref="sessionRegistry"
p:expiredUrl="/login" />
<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
p:maximumSessions="-1" p:exceptionIfMaximumExceeded="false" p:alwaysCreateSession="true">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
<!-- Maintains a registry of SessionInformation instances
See: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/session/SessionRegistry.html -->
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
I think this is the caching mechanism of the proxy. Let the login and landing page expire via your response headers.
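If proxy caching is indeed the cause, as this answer suggests, Spring Security 3.2 can emit the expiry headers itself. The following is an added example (not the answerer's or the poster's code) of the poster's http block with the headers element enabled; it assumes the file's xsi:schemaLocation is switched to spring-security-3.2.xsd, because the headers element does not exist in the 3.0 schema the configuration above references.

```xml
<!-- <headers>/<cache-control> adds no-cache/no-store Cache-Control and Pragma headers to every
     response served through this filter chain, so an intermediate proxy cannot hand one
     user's /main or localized page (or the session-specific state behind it) to another user.
     Requires the 3.2 schema: .../spring-security-3.2.xsd in xsi:schemaLocation. -->
<security:http auto-config="false" use-expressions="true"
               access-denied-page="/login" entry-point-ref="authenticationEntryPoint">
    <security:headers>
        <security:cache-control />
    </security:headers>
    <!-- the existing intercept-url, logout, custom-filter and session-management
         entries from the configuration above stay exactly as they are -->
</security:http>
```

Verify with a browser's network panel from behind the proxy that /login and /main now carry Cache-Control: no-cache, no-store before concluding the proxy is at fault.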
I have a problem properly configuring Spring OAuth using XML. As I have to add this support to an existing project, the configuration has to be done from XML, and I have to integrate Spring MVC, Spring Security and Spring Security OAuth. I have a project which I set up for trial purposes with Spring MVC and Spring Security, and I have another project where I could configure Spring OAuth to perform password authentication; I could not make it work when integrating OAuth (securely, through a verification code) into the first project. I don't see what I am missing. Any suggestion or tip for configuring this?
File: spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
</security:global-method-security>
<security:http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<security:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<security:anonymous enabled="false" />
<security:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
</security:http>
<!-- This is where we tells spring security what URL should be protected and what roles have access to them -->
<security:http pattern="/oauth/api/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint" access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
<security:anonymous enabled="false" />
<security:intercept-url pattern="/oauth/api/**" access="hasAnyRole('ROLE_USER')" />
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
</security:http>
<!-- Global Spring configuration -->
<security:http pattern="/login**" security="none" />
<security:http pattern="/login/**" security="none" />
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER') or #oauth2.clientHasRole('ROLE_USER')"/>
<security:intercept-url pattern="/main" access="hasAnyRole('ROLE_USER') or #oauth2.clientHasRole('ROLE_USER')"/>
<security:form-login authentication-success-handler-ref="authenticationSuccessRedirectHandler"
login-page="/login" default-target-url="/" authentication-failure-url="/login/fail" />
<security:logout logout-success-url="/login" delete-cookies="true" invalidate-session="true" />
</security:http>
<bean id="authenticationSuccessRedirectHandler" class="mx.oauth.resourceserver.AuthenticationHandler" />
<security:authentication-manager id="authenticationManager">
<security:authentication-provider>
<security:user-service>
<security:user name="marcos" password="pwd" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<!-- OAuth configuration 2 -->
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler" >
<oauth:authorization-code/>
<oauth:implicit/>
<oauth:refresh-token />
<oauth:password authentication-manager-ref="authenticationManager"/>
</oauth:authorization-server>
<oauth:client-details-service id="clientDetails">
<!-- client -->
<oauth:client client-id="restapp2" authorized-grant-types="authorization_code,client_credentials" authorities="ROLE_USER" scope="read,write,trust" secret="secret" />
<oauth:client client-id="restapp" authorized-grant-types="password,authorization_code,refresh_token,implicit" secret="restapp" authorities="ROLE_USER" />
</oauth:client-details-service>
<!-- This defined token store, we have used inmemory tokenstore for now but this can be changed to a user defined one -->
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
<!-- This is where we defined token based configurations, token validity
and other things -->
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="accessTokenValiditySeconds" value="120" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="userApprovalHandler" class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
<property name="tokenServices" ref="tokenServices" />
</bean>
<bean id="accessConfirmationController" class="mx.oauth.resourceserver.AccessConfirmationController">
<property name="clientDetailsService" ref="clientDetails" />
<property name="approvalStore" ref="clientDetails" />
</bean>
</beans>
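The configuration above references several beans it never defines (clientAuthenticationEntryPoint, clientCredentialsTokenEndpointFilter, oauthAccessDeniedHandler, oauthAuthenticationEntryPoint, accessDecisionManager and resourceServerFilter), so the context cannot start. Below are definitions for them as an added example (not the poster's code), using the same spring-security-oauth2 2.0 namespace; the realm names, the resource-id and the clientAuthenticationManager bean are assumptions, and that manager should replace authentication-manager-ref on the /oauth/token http block, because that endpoint authenticates clients by their own id/secret rather than users.

```xml
<!-- Entry points and access-denied handler used by the /oauth/token and /oauth/api/** blocks -->
<bean id="clientAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="myapp/client" />
    <property name="typeName" value="Basic" />
</bean>
<bean id="oauthAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="myapp" />
</bean>
<bean id="oauthAccessDeniedHandler"
      class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

<!-- Clients authenticate to /oauth/token with the id/secret registered in clientDetails,
     so they get their own authentication manager, separate from the user one -->
<bean id="clientDetailsUserService"
      class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails" />
</bean>
<security:authentication-manager id="clientAuthenticationManager">
    <security:authentication-provider user-service-ref="clientDetailsUserService" />
</security:authentication-manager>
<!-- only needed when clients send client_id/client_secret as request parameters -->
<bean id="clientCredentialsTokenEndpointFilter"
      class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>

<!-- Scope-aware decisions for /oauth/api/**. These voters evaluate config attributes such as
     access="ROLE_USER,SCOPE_READ"; the expression hasAnyRole(...) used above would make every
     voter abstain and the unanimous manager deny the request. -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

<!-- The filter that turns a bearer token into an Authentication for /oauth/api/** -->
<oauth:resource-server id="resourceServerFilter" resource-id="myapp"
        token-services-ref="tokenServices" />
```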
I had a working configuration with ConcurrentSessionControlStrategy and my own sessionRegistry implementation. I upgraded to Spring Security 3.2.4 and had to change ConcurrentSessionControlStrategy to ConcurrentSessionControlAuthenticationStrategy, and now it seems that the sessionRegistry isn't connected, meaning ConcurrentSessionControlAuthenticationStrategy.onAuthentication doesn't enter sessionRegistry.registerNewSession. What to do?
My configuration XML:
<security:http use-expressions="true" auto-config="false"
entry-point-ref="loginUrlAuthenticationEntryPoint">
<security:intercept-url pattern="/**"
access="isAuthenticated()" />
<security:custom-filter position="FORM_LOGIN_FILTER"
ref="twoFactorAuthenticationFilter" />
<security:logout logout-url="/player/logout"
logout-success-url="/demo/player/logoutSuccess" />
<security:session-management>
<security:concurrency-control
max-sessions="1" session-registry-ref="clusteredSessionRegistryImpl"
error-if-maximum-exceeded="false" />
</security:session-management>
</security:http>
<bean
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
<constructor-arg ref="clusteredSessionRegistryImpl" />
<property name="maximumSessions" value="1" />
</bean>
<bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/demo/player/login?login_error=true" />
</bean>
<bean id="twoFactorAuthenticationFilter" class="com.XXX.filter.TwoFactorAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationFailureHandler" ref="failureHandler" />
<property name="authenticationSuccessHandler" ref="playerAuthenticationSuccessHandler" />
<property name="postOnly" value="true" />
</bean>
<bean id="failureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login?login_error=true" />
</bean>
<bean id="bCryptPasswordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="authenticationProvider">
</security:authentication-provider>
</security:authentication-manager>
</beans>
Seems I'm late with the answer, but anyway...
The functionality of ConcurrentSessionControlStrategy is exactly split between three Strategies now - ConcurrentSessionControlAuthenticationStrategy, SessionFixationProtectionStrategy and RegisterSessionAuthenticationStrategy.
To have a right substitute, you should use CompositeSessionAuthenticationStrategy adding these three delegates in mentioned order.
So, afraid, ConcurrentSessionControlAuthenticationStrategy is wrongly mentioned in deprecation comment as a substitute of ConcurrentSessionControlStrategy. It at least requires availability of RegisterSessionAuthenticationStrategy to maintain SessionRegistry. Otherwise, SessionRegistry remains empty, and the "substitute" always reports "ok".
I guess, the approach is changed to make it more flexible having several handlers as delegates instead of one (using CompositeSessionAuthenticationStrategy, you can have any number of SessionAuthenticationStrategy's doing independent :) things).
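The composite this answer describes, wired into the poster's configuration, as an added example (not the poster's or the answerer's code). It replaces the anonymous ConcurrentSessionControlAuthenticationStrategy bean above and assumes TwoFactorAuthenticationFilter extends UsernamePasswordAuthenticationFilter (it already exposes postOnly), so it accepts sessionAuthenticationStrategy; the expired URL is a placeholder.

```xml
<!-- Replaces the anonymous ConcurrentSessionControlAuthenticationStrategy bean. Order matters:
     1) check the per-user limit against the registry,
     2) migrate the session id (fixation protection),
     3) register the new session id, which is what keeps the registry non-empty. -->
<bean id="sas"
      class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                <constructor-arg ref="clusteredSessionRegistryImpl" />
                <property name="maximumSessions" value="1" />
                <property name="exceptionIfMaximumExceeded" value="false" />
            </bean>
            <bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
            <bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                <constructor-arg ref="clusteredSessionRegistryImpl" />
            </bean>
        </list>
    </constructor-arg>
</bean>

<!-- A custom login filter bypasses the strategy the namespace builds, so it must be told
     explicitly; otherwise onAuthentication is never called on the composite. -->
<bean id="twoFactorAuthenticationFilter" class="com.XXX.filter.TwoFactorAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureHandler" ref="failureHandler" />
    <property name="authenticationSuccessHandler" ref="playerAuthenticationSuccessHandler" />
    <property name="postOnly" value="true" />
    <property name="sessionAuthenticationStrategy" ref="sas" />
</bean>

<!-- Expires sessions that the registry has marked as exceeding the limit. <concurrency-control>
     used to create this filter; with an explicit strategy it is declared by hand. -->
<bean id="concurrencyFilter"
      class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <constructor-arg ref="clusteredSessionRegistryImpl" />
    <constructor-arg value="/demo/player/login?expired=true" />
</bean>

<!-- Inside <security:http>, replacing the <session-management>/<concurrency-control> pair -->
<security:session-management session-authentication-strategy-ref="sas" />
<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
```

After logging in twice with the same account, clusteredSessionRegistryImpl.getAllSessions(principal, false) should show the first session marked expired; if it returns nothing, the filter is still not using the composite.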