To configure this at boot-up time we can either set it in the HttpSecurity object or in application.yml. But how can we do this at dynamically at run-time? i.e. in response to a user prompt after the system has started up and is already serving requests and has logged-in users.
Related
Our application is created by Jhipster which comprise with spring boot and keycloak and postgress db. I have set the "SSO Session Idle" time as 1 minute in the keycloak realm settings.
Expectation is keycloak should send logout event if the user is idle for 1 minute and more. But nothing is happening(even no log in keycloak) and the session is still alive. I am able to call other rest API without any issue.
While logging in through key cloak I am able to see following log in keycloak. Not sure whether this is creating problem.
03:57:20,717 WARN [org.keycloak.events] (default task-64) type=REFRESH_TOKEN_ERROR, realmId=google, clientId=youtube, userId=8299cea8-8ebf-45df-8685-b37445620255, ipAddress=10.198.140.148, error=invalid_token, grant_type=refresh_token, refresh_token_type=Offline, refresh_token_id=2b031b6d-5ff4-4967-a300-42b930dfc04b, client_auth_method=client-secret
Is there anything specific I have to configure in application.yaml or application_prod.yaml for getting session expired event in spring boot Jhipster application ?
I am struck for many days. Any help would be much appreciated.
I am expecting while setting session idle time in keycloak, keycloak should send session time out or logout event. And Jhipster spring boot application should able to log out.
Problem
Implementing SSO login for multiple OAuth2 providers in Spring Boot.
Setup
Two Spring Boot web applications (App1 and App2) that are configured to be OAuth2 clients. Both will communicate with a Keycloak authorization server that has two realms.
Business Requirements
Implement Single Sign-On functionality (SSO).
Multi tenancy with shared user base.
Only one user can access one tenant at any time.
I have two spring boot applications which are OAuth2 clients running in docker containers. We are setting up multiple Keycloak realms that are configured for each tenant. From the Spring side of things, we include the auto configuration properties for two providers where each provider will be mapped to a different Keycloak realm. So the properties will look as follows:
spring.security.oauth2.client.provider.realm1......
spring.security.oauth2.client.provider.realm2......
Behavior
When a user logs into the first application (App1), Spring shows a generated html page. This page shows a list of each provider configured from the application.properties as an option to login to.
A user can select one and is redirected to the Keycloak login page with the realm that was mapped from Spring's provider properties. Then when successfully logged in, the user is redirected back as expected.
We use Spring Mongo session to store the session information and we also see in the Keycloak admin client the realm that shows the active session as well.
When trying to access the other application (App2), Spring does not detect the user or session and will show the same generated html page that shows the providers to select and login to.
When clicking on the same provider (realm), Spring will then find the session and will be redirected to the requested resource and all is well. This part is what I am trying to implement without asking for the provider first. The main reason is to enforce a business requirement where a user in a session can not access more than one realm at a time.
Attempted Solution
Provide a Spring Security login controller that will have a service layer to find the mongo session and then build the OAuth2 link Spring generates when you click a provider from the list.
However, I dont have the user yet. This also becomes a problem when opening a different tab as I dont believe I have any scope to the cookies that were created from the first application as well.
The only other thing I can think of is trying to get the client ip and store that in the session so I can find it later. However, when using nginx proxy configuration, this becomes a problem as I cant seem to get the actual ip and always seem to get the proxy ip instead even with the nginx headers I have seen from documentation.
Question
Is there anyway to find the session and redirect to the requested provider programmatically?
Note: I am currently aware of the keycloak starter dependencies that are available but I was trying to see if there is a more Spring oriented solution with its general OAuth2 client security configuration.
Front end solution
User navigate to app1, app1 detects no user session (need for login), app1 redirects user to app2 with some query parameters indicating purpose of redirect.
App2 receives redirect request and check if session exist (user logged in to app2). Now you can deal with it. redirect back to app1 or display some error, etc.
User not logged in to app2 , app2 redirects back to app1 with indication "show providers"
Symmetrical behavior shall be implemented on app1 too.
Depending on security requirements query parameters can be encrypted to prevent manual url hacking.
If you need further protection Keycloak authentication can be extended with functionality to check your Session storage for already logged in users.
I'm setting the session timeout in the application properties
server.servlet.session.timeout=10m
But I want to change it when the user in specific pages is there any method to do it?
What should i do in Spring Boot to activate persistent sessions ?
I tried to play with theses properties without luck:
server.session.persistent=true
server.session.store-dir=/some/path/sessions
When i stop the daemon a see a file SESSIONS.cer on the session store-dir which disappears when I restart the daemon, but the user not logged anymore (go to login page).
My Spring boot project is an Oauth2 authorization server (I use Spring Security Oauth2) which is used with the Implicit grant. The session is used to avoid the user the retype its credential (login form) when asking for a token (/oauth/authorize). This is the default behaviour of spring security oauth2
EDIT:
I tried with the following property too without luck:
server.tomcat.basedir=/tmp
To me, it didn't work because the objects i stored in session were not Serializable.
Just check they are.
Object stored in session must implement Serializable along with a fixed serialVersionUID. Otherwise JVM will assign a random serialVersionUID which will be different for each server deployment. Since it is different for each deployment, server will not able to find a previous session and result in creating a new session.
Reference:
Why jvm generates serialVersionUID?
I developed a web application using spring and hibernate. By using Spring Security , i am restricting one session per user. When user try to attempt multiple login then old session will be invalidated and new one will be active.I have registered HttpSessionListener in my web.xml file.In sessionDistroyed method i am writing some functionality that will be executed when Http Session getting invalidating.
Now problem is when a single user try to do multiple login ,spring security expiring the old session but not invalidating the old session.So in that case sessionDistroyed method not being executed.But i want sessionDistroyed method to be called when spring security expiring the old session.
Can anyone please help to resolve this problem.