Currently, the ConcurrentSessionVerifier.verifySessionForUser does 2 things:
- verifies the user if he/she is allowed to have another session
- registers the given token into the concurrentSessionCounter map
These 2 functionalities should be split:
- boolean verifySessionForUser(String userName);
- void registerToken(String userName, JWT token);
With this split, in WebSSOResource, the session verification can be done before the token is actually created and token registration can be done after. It's important because it might be a security leak to generate tokens in advance that will not be used at all but, in case of token management is enabled, may fill up the disk/memory with unused tokens.