Adding logout timer to spring security application - spring

I created a Spring application project (a simple login form), where I recently added "logout" functionality. I was wondering how to add a logout timer so the user will be logged out for inactivity after a certain interval of time. I tried looking for resources on Stack Overflow as well as in the Spring documentation but couldn't find one. Please note that I am using ALL JAVA CONFIGURATION (NO XML based configuration).
So far I have designed simple login functionality, which works as desired, but I am trying to refactor the "logout functionality" so the user won't have to click on logout all the time. I am attaching a link to my codebase, please review it.
project: https://drive.google.com/file/d/1K1yhxsrUWxJe6iaeEL_Pj2HJ9C41vYaT/view?usp=share_link
Note: while importing my project from DRIVE, you will have to add a Tomcat server (v9.0) and add the path of the server in the project as well.
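An added example (not from the question's codebase) of how the idle-timeout "logout timer" is expressed with pure Java configuration on Tomcat 9: the servlet container's session timeout is set programmatically in the initializer, and Spring Security is told where to send a request that arrives with an expired session. It assumes Spring Security 5.x, a Servlet 4.0 container (Tomcat 9 qualifies), and that `WebConfig` is the project's existing `@EnableWebMvc` class; the 15-minute value is a placeholder to tune.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

// Replaces web.xml: the idle timeout is the equivalent of <session-timeout>.
public class AppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    // Assumed value: minutes of inactivity before the container destroys the session.
    private static final int IDLE_TIMEOUT_MINUTES = 15;

    @Override
    protected Class<?>[] getRootConfigClasses() { return new Class<?>[] { SecurityConfig.class }; }

    @Override
    protected Class<?>[] getServletConfigClasses() { return new Class<?>[] { WebConfig.class }; } // assumed existing class

    @Override
    protected String[] getServletMappings() { return new String[] { "/" }; }

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        super.onStartup(servletContext);
        // Servlet 4.0 API (Tomcat 9): every new HttpSession inherits this max inactive interval.
        servletContext.setSessionTimeout(IDLE_TIMEOUT_MINUTES);
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            // Explicit logout still invalidates the session and drops the cookie.
            .logout().logoutUrl("/logout").invalidateHttpSession(true)
                .deleteCookies("JSESSIONID").logoutSuccessUrl("/login?logout")
            .and()
            // A request carrying a session id the container no longer knows lands here.
            .sessionManagement().invalidSessionUrl("/login?expired");
    }
}
```

The timer lives in the container, not in Spring Security: once no request has touched the session for the interval, Tomcat destroys it, and the next request is treated as unauthenticated and redirected to the login page.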

Related

ASP.NET Boilerplate API project creation problem

It is the first time that I am using ASP.NET Boilerplate for API development. There are default features like multi-tenancy and role management which I don't want to use in the template. When creating a new project, in the project wizard I choose "Single Page Web Application" and uncheck the "Include login, register, user, role and tenant management pages" box. But when I do this, it removes the connection between Swagger and the Application Service. So the methods I am writing in the Application Service are not being translated into API endpoints automatically.
Ideally, I want this: ABP Template + Empty API solution + swagger connection.
Am I missing something? Could you point me in the right direction? Thanks in advance.
"The methods that I am writing in the Application Service are not automatically translated as API endpoints." Regarding that, the app service should be translated automatically in the version that does not include login and roles, check the documentation. Regarding the swagger, you have to add it manually.

Spring Boot share code across different projects

I've been reading a lot about micro-services and modules but still I cannot figure out how I can achieve this scenario.
I've got many Spring Boot projects and almost all of them have the same features, like:
Login and Registration
Email for password reset
Email for account confirmation
JWT Access
Web UI
Even the database structure of those features is identical across them.
I imagine there must be a way to take it out from the app and re-use it in every project, instead of duplicating it on every project.
I was also thinking of having it in a separate repo.
Can please someone point me in the right direction?
Right now what I'm doing is: I have a base (boiler-plate) Spring Boot project and use it as the starting point of any app. The problem is that whenever I add a new feature or fix a bug in the boiler-plate I need to "cascade" those changes to every project using it.
Thank you!

Spring MVC only one user login per browser

I am developing a Spring MVC application. In my project, I have a login page where I can successfully log in. The problem is that if I open a new tab and log in with a different username, it logs in, meaning that at the same time, in the same browser, I am able to log in multiple users, which I don't want. I want my application to allow a single user login per browser. How do I make it do that?
While rendering the login page, check authentication. If you are using Spring Security, you can check whether a principal auth is present or not. If auth is present, render the home page, else render the login page. I think this can solve your issue neatly.
I suppose that Spring Security session management is what you're looking for:
Spring Security is able to prevent a principal from concurrently authenticating to the same application more than a specified number of times. Many ISVs take advantage of this to enforce licensing, whilst network administrators like this feature because it helps prevent people from sharing login names. You can, for example, stop user "Batman" from logging onto the web application from two different sessions. You can either expire their previous login or you can report an error when they try to log in again, preventing the second login.
For more information, read the following docs:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/session-mgmt.html
Control the Session with Spring Security
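The concurrent-session control quoted in the answer above, written out as an added Java-config example (not code from the question or from the Spring project docs). Note what it limits: the number of live sessions per principal, tracked in Spring Security's `SessionRegistry`, which is the feature the docs describe; it assumes Spring Security 5.x and a `UserDetails` class with correct `equals`/`hashCode`, since the registry keys on the principal object.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionLimitConfig extends WebSecurityConfigurerAdapter {

    // Without this publisher the SessionRegistry is never told that a session was
    // destroyed, so a user who closed the browser without logging out would keep
    // occupying their one allowed slot until the container's idle timeout fires.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            .logout().logoutSuccessUrl("/login?logout")
            .and()
            .sessionManagement()
                // One live session per principal.
                .maximumSessions(1)
                // true: the second login is rejected with an error.
                // false: the earlier session is expired and its next request goes to expiredUrl.
                .maxSessionsPreventsLogin(true)
                .expiredUrl("/login?expired");
    }
}
```

The second tab in the question is a new login for a different principal in the same browser, so that case is only affected if the first principal is still in the registry; a check at login time that an authenticated session already exists (the first answer's approach) is the complementary piece.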

SSO on Maintaining session in 2 different servers

Sorry if this is a bit long. We got a requirement to integrate our application with the client's main portal site. The portal is maintained with SAML 2.0 SSO features and as such, we'll need to integrate our login using SAML 2.0 as well.
The integration is done via an iframe, i.e. on the main portal, an iframe with the URL pointing to our application. When the user is logged in and clicks on a menu link, he/she will be presented with the iframe page, with our session checking with their IDP to make sure they are valid users. If so, then our application will continue to load as per usual.
The issue is that we'll need to maintain our session on our servers, while they shall maintain the session on their app server. If the user stays on our site for a while, the session on the client's main portal will time out. And when the user clicks on the main portal link, they will be required to log in again.
It is suggested that when the user tries to navigate to the main portal pages, it will call a service (for now assuming it's an IDP) on our end to check whether the user session is valid or not. If it is, then we need to return a SAML response to them to validate the user.
We're exploring setting up an IDP service at our end to facilitate this, but it seems to be overkill to me. Is there a way for an IDP to only provide a check on a user's session? Or is there a better option for us to achieve this?
Things that could not be changed:
1. SSO language: SAML 2.0
2. Server: Weblogic 10+
3. HTTPS a must.
Appreciate any suggestion or feedback.
Thanks.
Based on the provided information, I assume your application runs on WebLogic 10+. If the remote server too uses WebLogic you might be able to just implement the SAML authentication between the WebLogic federation. This will simplify everything and you don't need to do complicated application customization.
If the remote site does implement SAML but is not on WebLogic, you still should be able to implement SAML authentication through the WebLogic configuration. This is straightforward and can be done without much hassle.
However, please be reminded that WebLogic 10+ does not support SAML SSO logout. Therefore, this needs to be handled separately.

SAML logout and lost session

I'm doing a sample webapp project, using Spring and SAML in it. I did the login part, so when I run this project, it moves directly to my identity server, I log in on this server, and then it goes to my project's home page. But I couldn't do the logout part. When I click my project's logout button, the logout page comes up but my session isn't lost. So if I want to log in again, this time the project doesn't go to the identity server's login page. Because, actually, according to my project, I don't log out of the project. I want to log out on the identity server, so I want to lose my session.
How can I do it?
Thank you so much for now,
Ezgi,
Only SAML2 supports Single Logout, but you may want to read these pages to understand a couple of issues before starting to implement it:
https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues
