spring mvc only one user login per browser - spring

I am developing a Spring MVC application. In my project, I have a login page where I can successfully log in. The problem is that if I open a new tab and log in with a different username, it logs in, meaning that at one time in the same browser I am able to log in as multiple users, which I don't want. I want my application to allow a single user login per browser. How do I do that?

While rendering the login page, check authentication. If you are using Spring Security, you can check whether the principal auth is present or not. If auth is present, render the home page; otherwise render the login page. I think this can solve your issue neatly.
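One way to implement the check described in this answer, as an added example that is not part of the original answer. It assumes Spring Security with Spring MVC 4.3 or later; the `/login` and `/home` paths and the `login` view name are hypothetical.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class LoginPageController {

    // "/login", "/home" and the "login" view name are hypothetical.
    @GetMapping("/login")
    public String loginPage() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // With anonymous authentication enabled (the default), an unauthenticated
        // visitor still carries an AnonymousAuthenticationToken whose
        // isAuthenticated() returns true, so a null check alone is not enough.
        boolean loggedIn = auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);

        // A logged-in user who opens the login page in a new tab is sent home
        // instead of being offered a second login form.
        return loggedIn ? "redirect:/home" : "login";
    }
}
```

This only stops the form from being rendered; a POST to the login-processing URL from an already authenticated session is still handled by the filter chain.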

I suppose that Spring Security session management is what you're looking for:
"Spring Security is able to prevent a principal from concurrently authenticating to the same application more than a specified number of times. Many ISVs take advantage of this to enforce licensing, whilst network administrators like this feature because it helps prevent people from sharing login names. You can, for example, stop user “Batman” from logging onto the web application from two different sessions. You can either expire their previous login or you can report an error when they try to log in again, preventing the second login."
For more information, read the following docs:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/session-mgmt.html
Control the Session with Spring Security

Related

Spring Boot OAuth2 linking internal users with Facebook/Google login

I have implemented a Spring Boot application with an AngularJS frontend. I have also set up users along with their permissions. Right now I am able to log in with any of these users and it is working well with Spring Security. I would like to turn this traditional login flow into a Facebook/Google OAuth login flow, wherein I want the users to use their Facebook/Google account to log in and they will be mapped to their internal users automatically. This will help me get rid of maintaining passwords for these users.
I found many articles talking about setting up OAuth with Spring Boot and how can Facebook/Google login be integrated with a Spring Boot application. But I am having difficulty in finding an article which talks about linking a Facebook/Google user with internal users.
How should I go about this?
Look for a user with the associated facebook/google userID.
If that user does not exist, you request an email address and try to match it with an existing legacy account.
If you do not get an email address for any reason (not accepting the authorization request, for example), you could show a popup box asking for the email address and explaining why you need it.
You then locate the legacy user and merge it, adding the Facebook/Google ID to look it up in the future.
If no user is found with the email address, you either refuse the user or create a new account.
You should be able to do all of this by implementing your own AuthenticationProvider.
Before you can fetch a user’s data from Facebook, you must specify your application’s ID and secret by setting the spring.social.facebook.appId and spring.social.facebook.appSecret properties. You can set these via any means supported by Spring Boot, including setting them in an application.properties file:
spring.social.facebook.appId=233668646673605
spring.social.facebook.appSecret=33b17e044ee6a4fa383f46ec6e28ea1d
For reference you can follow this article: https://spring.io/guides/gs/accessing-facebook/

Spring Social facebook connection is persisted across sessions

I've successfully integrated Spring Social, but I am getting back the same facebook template across sessions.
Consider the following time line
Server restart
User A logs in using facebook
User A goes to another page on the site
User B logs in using facebook on a different computer
User B goes to another page on the site
The access token in the last step is the same as User A's. I think I need to customize the behaviour of ConnectionRepository, but I am not sure how to do it.

Concurrent user Login in spring mvc

I am currently having a problem implementing concurrent user sessions in Spring MVC. My requirement is this: I have a web application which uses Spring MVC, and I have my own login form, and I have not implemented Spring Security yet (which means I have not configured any role-based user restriction in my web application). I want only one user with the same username to be logged in from a machine. I have surfed all over the net, but couldn't find any useful links or example project (without role-based restrictions).
My Requirement:
One user per session
No role based restriction
Have my own login form, and once the user logs in, the user object (which contains username and password) is stored in the session object
If a user tries to log in for a second time, the previous user session should be terminated and the new user (second user) should be allowed to the home page.
Can someone please provide me a solution, links or an example project for my requirement? Many thanks in advance :)
Why not just go ahead and use Spring Security? It will take care of deactivating sessions for you. You can use your own login form and not restrict any of your endpoints based on roles.
You can configure the max number of sessions like so:
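A configuration that limits each username to one session and expires the earlier one, as an added example; it is not the answerer's original snippet. It assumes Spring Security 6.x Java configuration, and the `/login` path and `expired` query parameter are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // No role checks: any authenticated user may reach every page.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated())
            // Keep the application's own login form ("/login" is hypothetical).
            .formLogin(form -> form.loginPage("/login").permitAll())
            .sessionManagement(session -> session
                // At most one live session per principal (username).
                .maximumSessions(1)
                // false: the second login succeeds and the earlier session is
                // expired. true would reject the second login instead.
                .maxSessionsPreventsLogin(false)
                // Where a request on the expired session is redirected.
                .expiredUrl("/login?expired"));
        return http.build();
    }

    // Forwards servlet session-destroyed events to Spring Security so that
    // logged-out or timed-out sessions stop counting against the limit.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

The limit is counted per principal, so the object returned by a custom `UserDetailsService` needs `equals()` and `hashCode()` based on the username for two logins of the same account to be recognised as the same user.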

Spring Security asks authenticated user to log in again and again

I am using Spring Security 3.0.2 on a web site where users can log into their account. The account landing page has a button that takes you to a second page. Various users report that they have trouble getting to that second page because they are asked to log in again and again when they press the button. I cannot reproduce the problem myself, and it seems to work for most people. However, enough people have complained about the issue that I take them seriously. What could be the cause for such a spurious malfunction?
I see some possible cases; maybe some of them would produce a 403 and not a redirect:
the second page is protected by an intercept-url with a list of roles and some users don't have the required role. Maybe your account has some "admin" role which allows you to access any page, which is why you cannot reproduce it
same problem but with a method @Secured with a role that some users don't have
maybe these users aren't accepting cookies
maybe you have multiple domains: the cookie is created for the domain www.domain.com, then the user is redirected to another domain like www1.domain.com where the cookie doesn't apply.
maybe you have some kind of misconfiguration in the load balancing: the session is created on the 1st server, then the 2nd page is handled by the 2nd server where the session doesn't exist
maybe somewhere in the code you call session.invalidate()
hope it helps

Extending the Spring Security Login Process

Currently I have a custom form login page in Spring Security 3 that sends its form data to the correct authentication url.
However now I need to extend the process to support security questions after logging in but before hitting the rest of the site.
I have a few options from reading the documentation, but I'm confused as to the correct option to choose.
Option 1: Keep the current login system and set a special role that only lets the user access the security questions page. If they pass through the security questions process successfully, add their correct roles into the security context.
Option 2: Subclass AbstractAuthenticationProcessingFilter and do security questions as a part of the login process. This seems more spring-like but I'm stuck on how to support the multiple pages for the questions with breaking the rest of the authentication framework.
What about this approach:
When a user submits her username/password, save them into her session.
Redirect her to your questions.
When she is finished answering your questions, see if you want to let her login.
3.1. If yes, POST her saved credentials so that they could be caught and processed by Spring Security filter chain.
3.2. If no, take her back to the login page. (Or whatever you want to do in this case.)
I ended up using Option 1. @craftsman's answer doesn't fit since the questions are specific per user. It's actually worked out really well.
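A sketch of the promotion step in Option 1, as an added example that is not code from the thread. It assumes Spring Security 6.x on a Jakarta Servlet container and that the password login granted only the hypothetical `ROLE_PRE_AUTH` authority; the class and method names are also hypothetical.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

public class SecurityQuestionPromotion {

    // Hypothetical role granted after the password check; access rules
    // should let it reach the security-questions page and nothing else.
    public static final String PRE_AUTH_ROLE = "ROLE_PRE_AUTH";

    private final UserDetailsService users;

    public SecurityQuestionPromotion(UserDetailsService users) {
        this.users = users;
    }

    /** Call only after the user's answers have been verified server-side. */
    public void promote(HttpServletRequest request) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        boolean pending = current != null && current.getAuthorities().stream()
                .anyMatch(a -> PRE_AUTH_ROLE.equals(a.getAuthority()));
        if (!pending) {
            throw new IllegalStateException("No pending security-question login");
        }

        // Reload the real authorities rather than trusting session state.
        UserDetails user = users.loadUserByUsername(current.getName());
        Authentication full =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());

        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(full);
        SecurityContextHolder.setContext(context);

        // Privileges changed: rotate the session id, then persist the context.
        request.changeSessionId();
        request.getSession().setAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
    }
}
```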
