# Spring Security Integration

Spring Session provides integration with Spring Security.

# Spring Security Remember-me Support

Spring Session provides integration with Spring Security’s Remember-me Authentication (opens new window). The support:

  • Changes the session expiration length

  • Ensures that the session cookie expires at Integer.MAX_VALUE. The cookie expiration is set to the largest possible value, because the cookie is set only when the session is created. If it were set to the same value as the session expiration, the session would get renewed when the user used it but the cookie expiration would not be updated (causing the expiration to be fixed).

To configure Spring Session with Spring Security in Java Configuration, you can use the following listing as a guide:

protected void configure(HttpSecurity http) throws Exception {
		// ... additional configuration ...
		.rememberMe((rememberMe) -> rememberMe

public SpringSessionRememberMeServices rememberMeServices() {
	SpringSessionRememberMeServices rememberMeServices =
			new SpringSessionRememberMeServices();
	// optionally customize
	return rememberMeServices;

An XML-based configuration would look something like the following:

	<!-- ... -->
	<security:form-login />
	<security:remember-me services-ref="rememberMeServices"/>

<bean id="rememberMeServices"

# Spring Security Concurrent Session Control

Spring Session provides integration with Spring Security to support its concurrent session control. This allows limiting the number of active sessions that a single user can have concurrently, but, unlike the default Spring Security support, this also works in a clustered environment. This is done by providing a custom implementation of Spring Security’s SessionRegistry interface.

When using Spring Security’s Java config DSL, you can configure the custom SessionRegistry through theSessionManagementConfigurer, as the following listing shows:

public class SecurityConfiguration<S extends Session> extends WebSecurityConfigurerAdapter {

	private FindByIndexNameSessionRepository<S> sessionRepository;

	protected void configure(HttpSecurity http) throws Exception {
		// @formatter:off
			// other config goes here...
			.sessionManagement((sessionManagement) -> sessionManagement
		// @formatter:on

	public SpringSessionBackedSessionRegistry<S> sessionRegistry() {
		return new SpringSessionBackedSessionRegistry<>(this.sessionRepository);


This assumes that you have also configured Spring Session to provide a FindByIndexNameSessionRepository that returns Session instances.

When using XML configuration, it would look something like the following listing:

	<!-- other config goes here... -->
		<security:concurrency-control max-sessions="2" session-registry-ref="sessionRegistry"/>

<bean id="sessionRegistry"
	<constructor-arg ref="sessionRepository"/>

This assumes that your Spring Session SessionRegistry bean is called sessionRegistry, which is the name used by allSpringHttpSessionConfiguration subclasses.

# Limitations

Spring Session’s implementation of Spring Security’s SessionRegistry interface does not support the getAllPrincipalsmethod, as this information cannot be retrieved by using Spring Session. This method is never called by Spring Security, so this affects only applications that access the SessionRegistry themselves.