Invalidating Http Session on maximum allowable session for a user - spring

I developed a web application using Spring and Hibernate. By using Spring Security, I am restricting one session per user. When a user attempts multiple logins, the old session will be invalidated and the new one will be active. I have registered an HttpSessionListener in my web.xml file. In the sessionDestroyed method I am writing some functionality that will be executed when the HTTP session is being invalidated.
Now the problem is that when a single user tries to log in multiple times, Spring Security expires the old session but does not invalidate it. So in that case the sessionDestroyed method is not executed. But I want the sessionDestroyed method to be called when Spring Security expires the old session.
Can anyone please help to resolve this problem?
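One way to run the same cleanup when Spring Security only marks a session as expired, as an added example that is not part of the question or of any answer on this page: put the cleanup in one idempotent service and call it from two places, the HttpSessionListener (real invalidation) and a subclass of ConcurrentSessionControlAuthenticationStrategy whose protected allowableSessionsExceeded hook is where Spring Security 4.x/5.x expires the surplus sessions (the 3.x class is ConcurrentSessionControlStrategy). The class names ConcurrentSessionCleanup, Service, Strategy and Listener are assumptions; the Spring Security and Servlet API calls are real.

```java
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.web.context.support.WebApplicationContextUtils;

/** Added example (assumed names): one cleanup routine reached from both expiry and invalidation. */
public final class ConcurrentSessionCleanup {

    /** The work that used to live only in sessionDestroyed(), guarded so it runs once per session id. */
    public static class Service {
        // Constructed in-memory guard; ConcurrentSessionFilter will later invalidate the expired
        // session on its next request, which fires sessionDestroyed() a second time.
        private final Set<String> alreadyCleaned = ConcurrentHashMap.newKeySet();

        /** Returns true the first time a session id is cleaned, false on repeats. */
        public boolean onSessionEnded(String sessionId, Object principal) {
            if (!alreadyCleaned.add(sessionId)) {
                return false;
            }
            // ... application cleanup for this session/principal goes here ...
            return true;
        }

        /** Called when the container has really destroyed the session; the id cannot come back. */
        public void forget(String sessionId) {
            alreadyCleaned.remove(sessionId);
        }
    }

    /** Replaces the default strategy so cleanup runs at the moment a session is expired. */
    public static class Strategy extends ConcurrentSessionControlAuthenticationStrategy {
        private final Service cleanup;

        public Strategy(SessionRegistry registry, Service cleanup) {
            super(registry);
            this.cleanup = cleanup;
        }

        @Override
        protected void allowableSessionsExceeded(List<SessionInformation> sessions,
                                                 int allowableSessions, SessionRegistry registry) {
            // Spring Security marks the surplus sessions expired here; it does not invalidate them.
            super.allowableSessionsExceeded(sessions, allowableSessions, registry);
            for (SessionInformation info : sessions) {
                if (info.isExpired()) {
                    cleanup.onSessionEnded(info.getSessionId(), info.getPrincipal());
                }
            }
        }
    }

    /** The web.xml listener; it is container-managed, so the Spring bean is looked up by hand. */
    public static class Listener implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent se) {
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            Service cleanup = WebApplicationContextUtils
                    .getRequiredWebApplicationContext(se.getSession().getServletContext())
                    .getBean(Service.class);
            String id = se.getSession().getId();
            // Session attributes are still readable here if the cleanup needs the principal.
            cleanup.onSessionEnded(id, null);
            cleanup.forget(id);
        }
    }
}
```

Wiring (assumed, not shown): declare Service and Strategy as beans and point the form-login filter's session-authentication-strategy at the Strategy; register Listener in web.xml as ConcurrentSessionCleanup$Listener together with org.springframework.security.web.session.HttpSessionEventPublisher, without which the SessionRegistry never learns that a session was invalidated and the per-user count drifts.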

Related

How to handle session expired in spring web flow?

I'm writing a web application with Spring Boot, Spring Web Flow and Thymeleaf. When the user session expires, the CSRF token in the registration form expires.
How can I handle the session expiration by showing a template file in Spring Web Flow?
Sessions should be handled by Spring Security. You can redirect the current user to another page by adding configuration like this:
http.sessionManagement()
.expiredUrl("/sessionExpired.html")
.invalidSessionUrl("/invalidSession.html");
In Thymeleaf, you can use the session variable and add a th:if attribute to check if the session exists, or something similar:
${session.isEmpty()}
Check this answer https://stackoverflow.com/a/22120387/2230060

What to do to activate persistent sessions?

What should I do in Spring Boot to activate persistent sessions?
I tried to play with these properties without luck:
server.session.persistent=true
server.session.store-dir=/some/path/sessions
When I stop the daemon I see a file SESSIONS.cer in the session store-dir, which disappears when I restart the daemon, but the user is not logged in anymore (goes to the login page).
My Spring Boot project is an OAuth2 authorization server (I use Spring Security OAuth2) which is used with the implicit grant. The session is used to spare the user from retyping their credentials (login form) when asking for a token (/oauth/authorize). This is the default behaviour of Spring Security OAuth2.
EDIT:
I tried with the following property too without luck:
server.tomcat.basedir=/tmp
For me, it didn't work because the objects I stored in the session were not Serializable.
Just check that they are.
Objects stored in the session must implement Serializable along with a fixed serialVersionUID. Otherwise the JVM will assign a random serialVersionUID which will be different for each server deployment. Since it is different for each deployment, the server will not be able to find a previous session and will create a new session instead.
Reference:
Why jvm generates serialVersionUID?
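A quick way to check what the two answers above require, as an added example that is not part of either answer: round-trip a session attribute through Java serialization exactly as a file-backed session store would. The class names SessionAttributeCheck, LoginState and BrokenState are constructed for this example; the first survives, the second fails with NotSerializableException because it holds a field whose type is not Serializable.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** Added example: prove a session attribute survives the save/restore a persistent store performs. */
public class SessionAttributeCheck {

    /** Done right: Serializable with a fixed serialVersionUID, so every deployment agrees on it. */
    public static class LoginState implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String username;

        public LoginState(String username) {
            this.username = username;
        }

        public String getUsername() {
            return username;
        }
    }

    /** Looks fine but breaks persistence: the field type java.lang.Object is not Serializable. */
    public static class BrokenState implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Object handle = new Object();
    }

    /** Serialize then deserialize; returns the restored copy or throws as the session store would. */
    public static <T extends Serializable> T roundTrip(T attribute)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(attribute);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            @SuppressWarnings("unchecked")
            T copy = (T) in.readObject();
            return copy;
        }
    }

    public static void main(String[] args) throws Exception {
        LoginState restored = roundTrip(new LoginState("alice")); // constructed sample user
        System.out.println("restored user: " + restored.getUsername());
        try {
            roundTrip(new BrokenState());
        } catch (NotSerializableException e) {
            // The message names the offending type, here java.lang.Object.
            System.out.println("would not survive a restart: " + e.getMessage());
        }
    }
}
```

Running the same check against the principal object the OAuth2 server keeps in the session is the useful part: Spring Security stores its SecurityContext in the session, and that context is only as serializable as the UserDetails and authorities it contains.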

Spring security - Move attributes from anonymous session to logged user session

I am writing a web application using Spring MVC and Spring Security. I would like to store some information for users who are not logged in, and keep it in the anonymous session. It will be some random UID, and some configuration that the anonymous user could change. When the user logs in, that data should be used in authentication using a custom AuthenticationProvider.
How can I hook into Spring Security anonymous authentication to put the UID there?
How can I retrieve the session later while the user is logging in?
Thanks for any advice :)

User Authentication with spring 3.0

I tried searching in Google, but I could not find any good examples where a username and password are checked against a database for authentication purposes.
In simpler words, how can I create a simple login form using Spring and Hibernate and NOT Spring Security, where the credentials are checked against the database?
Please help me create a simple login form with just Spring 3.0 and no Spring Security 3.0. Thanks.
The simplest way is to have the login form post to a Spring controller which takes the username and password as parameters.
In the controller you do whatever you want to authenticate the username and password. Best is to delegate to some service layer which takes care of it.
If successfully authenticated, then what do you want to do? Maybe redirect to, say, the home page.
Now the home page rendering should know that the user is already authenticated. This is where Spring Security helps.
But you can also achieve it by writing a Servlet Filter where you check if the user is already authenticated by checking the HTTP session. Of course, after a successful login you need to store that in the session; only then will it be available to the filter.
There are many other ways to achieve the same, depending on your requirements as to what kind of security control is required.
Your solution has two parts, one of which involves Spring and another that is your code:
// DAO returns null if no such username appears in the table.
String storedPassword = userDao.findPassword(username);
// password.equals(null) is always false (and throws if the lookup returned null),
// so test for null directly, then compare against the credential the form submitted
// (submittedPassword is the form parameter; the name is assumed here).
boolean isValidUser = storedPassword != null && storedPassword.equals(submittedPassword);
// Write the code to implement behavior for valid and invalid users.
If you can do a database SELECT for a password, you can do Spring authentication without Spring Security.
You may need to put that logic in an aspect that's woven in before method calls.
You may want to cache that result in session and invalidate it if a timeout is exceeded.
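The two answers above together describe a controller that validates the posted form, a service that does the lookup, and a filter that reads the session flag on later requests. The following puts those pieces in one file, as an added example that is not part of either answer: SimpleSessionAuth, UserDao, UserService, LoginController, AuthFilter and the attribute name are assumed; the Spring MVC and Servlet APIs are real (Spring 3.0 style, with @Autowired on the constructor).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

/** Added example (assumed names): form login plus a session-checking filter, no Spring Security. */
public final class SimpleSessionAuth {
    /** Session attribute that marks an authenticated user; the filter looks only for this. */
    static final String USER_ATTR = "authenticatedUser";

    /** The DAO from the answer above: returns the stored credential, or null for an unknown user. */
    public interface UserDao {
        String findPassword(String username);
    }

    /** Service layer the controller delegates to, as the first answer recommends. */
    public static class UserService {
        private final UserDao userDao;

        public UserService(UserDao userDao) {
            this.userDao = userDao;
        }

        public boolean isValidUser(String username, String submitted) {
            String stored = userDao.findPassword(username);
            // Null-safe, and compared in constant time. In a real deployment the column holds a
            // salted hash and the submitted value is hashed the same way before this comparison.
            return stored != null && MessageDigest.isEqual(
                    stored.getBytes(StandardCharsets.UTF_8), submitted.getBytes(StandardCharsets.UTF_8));
        }
    }

    @Controller
    public static class LoginController {
        private final UserService userService;

        @Autowired
        public LoginController(UserService userService) {
            this.userService = userService;
        }

        @RequestMapping(value = "/login", method = RequestMethod.POST)
        public String login(@RequestParam("username") String username,
                            @RequestParam("password") String password, HttpServletRequest request) {
            if (!userService.isValidUser(username, password)) {
                return "redirect:/login?error";
            }
            // Discard the pre-login session so an id handed out before login is not kept afterwards.
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            request.getSession(true).setAttribute(USER_ATTR, username);
            return "redirect:/home";
        }
    }

    /** Registered in web.xml; sends anyone without the session flag back to the login page. */
    public static class AuthFilter implements Filter {
        public void init(FilterConfig config) {
        }

        public void destroy() {
        }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            if (isPublic(request) || isAuthenticated(request)) {
                chain.doFilter(req, res);
            } else {
                response.sendRedirect(request.getContextPath() + "/login");
            }
        }

        static boolean isAuthenticated(HttpServletRequest request) {
            HttpSession session = request.getSession(false); // never create a session just to check
            return session != null && session.getAttribute(USER_ATTR) != null;
        }

        static boolean isPublic(HttpServletRequest request) {
            String path = request.getRequestURI().substring(request.getContextPath().length());
            return path.equals("/login") || path.startsWith("/static/");
        }
    }
}
```

The filter must be mapped in web.xml to every URL pattern that needs protection; the second answer's idea of caching the result and expiring it on a timeout maps directly onto the container's session timeout, since the flag disappears with the session.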

Session not cleared when logging out of Liferay in third party application

An application has been integrated into Liferay using an iframe. The application is developed in JSF with the bean being session scoped. For authentication, CAS has been used with Liferay. The application uses the Liferay login username. When Liferay is logged out, the session of the application is not cleared, because of which logging in with another account shows old data. How can I clear the session of the application when logging out of Liferay?
Looking for help.
Have a look at the com.liferay.portal.action.LogoutAction.execute() method, here at line#100.
You have to call your JSF application code at this moment to invalidate the session that you have in that particular application.
Now, in order to change the LogoutAction, you can use the EXT environment or you can write the code into LogoutPostAction by modifying it using a hook.