Add Max Sessions on WebFlux

Closes gh-6192

Author: marcusdacoregio

Diff for: config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -682,6 +682,36 @@ class ServerHttpSecurityDsl(private val http: ServerHttpSecurity, private val in
         this.http.oidcLogout(oidcLogoutCustomizer)
     }
 
+    /**
+     * Configures Session Management support.
+     *
+     * Example:
+     *
+     * ```
+     * @Configuration
+     * @EnableWebFluxSecurity
+     * open class SecurityConfig {
+     *
+     *  @Bean
+     *  open fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+     *      return http {
+     *          sessionManagement {
+     *              sessionConcurrency { }
+     *          }
+     *       }
+     *   }
+     * }
+     * ```
+     *
+     * @param sessionManagementConfig custom configuration to configure the Session Management
+     * @since 6.3
+     * @see [ServerSessionManagementDsl]
+     */
+    fun sessionManagement(sessionManagementConfig: ServerSessionManagementDsl.() -> Unit) {
+        val sessionManagementCustomizer = ServerSessionManagementDsl().apply(sessionManagementConfig).get()
+        this.http.sessionManagement(sessionManagementCustomizer)
+    }
+
     /**
      * Apply all configurations to the provided [ServerHttpSecurity]
      */

Diff for: config/src/main/kotlin/org/springframework/security/config/web/server/ServerHttpSecurityDsl.kt

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server
+
+import org.springframework.security.core.session.ReactiveSessionRegistry
+import org.springframework.security.web.server.authentication.ServerMaximumSessionsExceededHandler
+import org.springframework.security.web.server.authentication.SessionLimit
+
+/**
+ * A Kotlin DSL to configure [ServerHttpSecurity] Session Concurrency support using idiomatic Kotlin code.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+@ServerSecurityMarker
+class ServerSessionConcurrencyDsl {
+    var maximumSessions: SessionLimit? = null
+    var maximumSessionsExceededHandler: ServerMaximumSessionsExceededHandler? = null
+    var sessionRegistry: ReactiveSessionRegistry? = null
+
+    internal fun get(): (ServerHttpSecurity.SessionManagementSpec.ConcurrentSessionsSpec) -> Unit {
+        return { sessionConcurrency ->
+            maximumSessions?.also {
+                sessionConcurrency.maximumSessions(maximumSessions!!)
+            }
+            maximumSessionsExceededHandler?.also {
+                sessionConcurrency.maximumSessionsExceededHandler(maximumSessionsExceededHandler!!)
+            }
+            sessionRegistry?.also {
+                sessionConcurrency.sessionRegistry(sessionRegistry!!)
+            }
+        }
+    }
+}

Diff for: config/src/main/kotlin/org/springframework/security/config/web/server/ServerSessionConcurrencyDsl.kt

@@ -0,0 +1,64 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server
+
+/**
+ * A Kotlin DSL to configure [ServerHttpSecurity] Session Management using idiomatic Kotlin code.
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ */
+@ServerSecurityMarker
+class ServerSessionManagementDsl {
+    private var sessionConcurrency: ((ServerHttpSecurity.SessionManagementSpec.ConcurrentSessionsSpec) -> Unit)? = null
+
+    /**
+     * Enables Session Management support.
+     *
+     * Example:
+     *
+     * ```
+     * @Configuration
+     * @EnableWebFluxSecurity
+     * open class SecurityConfig {
+     *
+     *  @Bean
+     *  open fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+     *      return http {
+     *          sessionManagement {
+     *              sessionConcurrency {
+     *                  maximumSessions = { authentication -> Mono.just(1) }
+     *              }
+     *          }
+     *       }
+     *   }
+     * }
+     * ```
+     *
+     * @param backChannelConfig custom configurations to configure OIDC 1.0 Back-Channel Logout support
+     * @see [ServerOidcBackChannelLogoutDsl]
+     */
+    fun sessionConcurrency(sessionConcurrencyConfig: ServerSessionConcurrencyDsl.() -> Unit) {
+        this.sessionConcurrency = ServerSessionConcurrencyDsl().apply(sessionConcurrencyConfig).get()
+    }
+
+    internal fun get(): (ServerHttpSecurity.SessionManagementSpec) -> Unit {
+        return { sessionManagement ->
+            sessionConcurrency?.also { sessionManagement.concurrentSessions(sessionConcurrency) }
+        }
+    }
+}

Diff for: config/src/main/kotlin/org/springframework/security/config/web/server/ServerSessionManagementDsl.kt

@@ -56,9 +56,11 @@
 import org.springframework.security.web.server.ServerRedirectStrategy;
 import org.springframework.security.web.server.WebFilterChainProxy;
 import org.springframework.security.web.server.authentication.AnonymousAuthenticationWebFilterTests;
+import org.springframework.security.web.server.authentication.DelegatingServerAuthenticationSuccessHandler;
 import org.springframework.security.web.server.authentication.HttpBasicServerAuthenticationEntryPoint;
 import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
 import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
+import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
 import org.springframework.security.web.server.authentication.ServerX509AuthenticationConverter;
 import org.springframework.security.web.server.authentication.logout.DelegatingServerLogoutHandler;
 import org.springframework.security.web.server.authentication.logout.LogoutWebFilter;
@@ -592,6 +594,7 @@ public void postWhenServerXorCsrfTokenRequestAttributeHandlerThenOk() {
 	}
 
 	@Test
+	@SuppressWarnings("unchecked")
 	public void shouldConfigureRequestCacheForOAuth2LoginAuthenticationEntryPointAndSuccessHandler() {
 		ServerRequestCache requestCache = spy(new WebSessionServerRequestCache());
 		ReactiveClientRegistrationRepository clientRegistrationRepository = mock(
@@ -613,8 +616,11 @@ public void shouldConfigureRequestCacheForOAuth2LoginAuthenticationEntryPointAnd
 		OAuth2LoginAuthenticationWebFilter authenticationWebFilter = getWebFilter(securityFilterChain,
 				OAuth2LoginAuthenticationWebFilter.class)
 			.get();
-		Object handler = ReflectionTestUtils.getField(authenticationWebFilter, "authenticationSuccessHandler");
-		assertThat(ReflectionTestUtils.getField(handler, "requestCache")).isSameAs(requestCache);
+		DelegatingServerAuthenticationSuccessHandler handler = (DelegatingServerAuthenticationSuccessHandler) ReflectionTestUtils
+			.getField(authenticationWebFilter, "authenticationSuccessHandler");
+		List<ServerAuthenticationSuccessHandler> delegates = (List<ServerAuthenticationSuccessHandler>) ReflectionTestUtils
+			.getField(handler, "delegates");
+		assertThat(ReflectionTestUtils.getField(delegates.get(0), "requestCache")).isSameAs(requestCache);
 	}
 
 	@Test