Description
Hi all,
Hope everyone is doing well.
First, thank you for maintaining this repo; it's handy!
For Reactive Applications, the maximumSessions value can be configured using the SessionLimit abstraction (refer to this documentation), which also allows us to return the value based on the current authentication, e.g.:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.SessionLimit;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
        http
            // ...
            .sessionManagement((sessions) -> sessions
                .concurrentSessions((concurrency) -> concurrency
                    .maximumSessions(maxSessions()))
            );
        return http.build();
    }

    // The limit is resolved per login from the authenticated principal's authorities.
    private SessionLimit maxSessions() {
        return (authentication) -> {
            if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_UNLIMITED_SESSIONS"))) {
                return Mono.empty(); // allow unlimited sessions for users with ROLE_UNLIMITED_SESSIONS
            }
            if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN"))) {
                return Mono.just(2); // allow two sessions for admins
            }
            return Mono.just(1); // allow one session for every other user
        };
    }
}
```

The SessionLimit abstraction was introduced by this Pull Request.
For Servlet Applications, we do not have this mechanism (refer to this page). The maximumSessions is an Integer (this sample illustrates this).
I have a Servlet Application running in production and cannot migrate it to a Reactive Application. I would like a similar SessionLimit abstraction for the Servlet Application. I have not found an elegant way to do it by checking the spring-security code.
I already cloned the spring-security repo and implemented a solution to support the SessionLimit abstraction for the Servlet Application. Still, before creating a GitHub issue and Pull Request, I would like your input on this.
Many thanks for considering my request.
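An added example, not from the issue author and not Spring Security's own code, showing the closest existing Servlet-side hook for the same requirement: ConcurrentSessionControlAuthenticationStrategy exposes the protected method getMaximumSessionsForThisUser(Authentication), so a subclass can apply the same role-based limits that the reactive SessionLimit above expresses. The class names PerUserSessionLimitStrategy and ServletSessionLimitConfig are hypothetical; the Spring Security classes, the -1 "unlimited" sentinel and the strategy ordering are the library's own.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ServletSessionLimitConfig {

    /**
     * Hypothetical subclass (not part of Spring Security). The protected hook
     * getMaximumSessionsForThisUser is where a Servlet application can make the
     * limit depend on the current Authentication, mirroring the reactive SessionLimit.
     */
    static class PerUserSessionLimitStrategy extends ConcurrentSessionControlAuthenticationStrategy {

        PerUserSessionLimitStrategy(SessionRegistry sessionRegistry) {
            super(sessionRegistry);
            setMaximumSessions(1); // default for users matched by no rule below
        }

        @Override
        protected int getMaximumSessionsForThisUser(Authentication authentication) {
            if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_UNLIMITED_SESSIONS"))) {
                return -1; // -1 is the strategy's "unlimited" sentinel (the reactive Mono.empty() counterpart)
            }
            if (authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN"))) {
                return 2; // two concurrent sessions for admins
            }
            return super.getMaximumSessionsForThisUser(authentication); // the value set via setMaximumSessions(1)
        }
    }

    @Bean
    SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Removes destroyed sessions (timeout or explicit invalidation) from the registry,
    // otherwise stale entries would count against a user's limit.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, SessionRegistry sessionRegistry) throws Exception {
        // Same order the built-in maximumSessions(int) configuration uses:
        // enforce the limit, then change the session id (fixation protection), then register the new session.
        SessionAuthenticationStrategy strategy = new CompositeSessionAuthenticationStrategy(List.of(
                new PerUserSessionLimitStrategy(sessionRegistry),
                new ChangeSessionIdAuthenticationStrategy(),
                new RegisterSessionAuthenticationStrategy(sessionRegistry)));

        http
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement((sessions) -> sessions.sessionAuthenticationStrategy(strategy))
            // Invalidates a session that the strategy marked as expired on its next request.
            .addFilter(new ConcurrentSessionFilter(sessionRegistry));
        return http.build();
    }
}
```

With the default exceptionIfMaximumExceeded of false, a login that exceeds the user's limit expires the oldest existing session rather than rejecting the new one; the expired session is then logged out by ConcurrentSessionFilter on its next request. The hook returns a plain int per Authentication, so it covers the role-based cases in the reactive sample but does not give the Servlet stack a Mono-returning SessionLimit type of its own.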