Is there a way for me as an administrator of a web application to programmatically manually disable another user's session (log him out)?
I'm using Tomcat web server and Spring MVC.
You can log in to the Tomcat Web Application Manager (usually under the /manager/html path), find the row for the webapp in question, and click on the number indicating the number of sessions. Find the session for the user you want to log out and Invalidate that session.
Related
I am developing a Spring MVC application. In my project, I have a login page where I can successfully log in. The problem is that if I open a new tab and log in with a different username, it logs in, which means that at one time in the same browser I am able to log in as multiple users, which I don't want. I want my application to allow a single user login per browser. How can I do that?
While rendering the login page, check authentication. If you are using Spring Security, you can check whether the principal auth is present or not. If auth is present, render the home page; otherwise render the login page. I think this can solve your issue neatly.
I suppose that Spring Security session management is what you're looking for:
Spring Security is able to prevent a principal from concurrently
authenticating to the same application more than a specified number of
times. Many ISVs take advantage of this to enforce licensing, whilst
network administrators like this feature because it helps prevent
people from sharing login names. You can, for example, stop user
“Batman” from logging onto the web application from two different
sessions. You can either expire their previous login or you can report
an error when they try to log in again, preventing the second login.
For more information, read the following docs:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/session-mgmt.html
Control the Session with Spring Security
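The concurrency control quoted above, combined with the forced logout asked about in the first question, as an added example (not code from any of the posts or from the Spring documentation). It assumes Spring Security 5.5 or later with Java configuration and form login; `SessionControlConfig` and `ForcedLogoutService` are hypothetical names.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
class SessionControlConfig {
    @Bean SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); }

    // Tells the registry when the container destroys a session; without it,
    // stale entries keep counting against the user's session limit.
    @Bean HttpSessionEventPublisher sessionEvents() { return new HttpSessionEventPublisher(); }

    @Bean SecurityFilterChain chain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(s -> s
                .maximumSessions(1)               // one live session per principal
                .maxSessionsPreventsLogin(false)  // false: expire the older login; true: reject the new one
                .sessionRegistry(registry));
        return http.build();
    }
}

// Hypothetical helper: register it as a bean and expose it only to admin-authorized callers.
class ForcedLogoutService {
    private final SessionRegistry registry;
    ForcedLogoutService(SessionRegistry registry) { this.registry = registry; }

    /** Marks every live session of the named user as expired; returns how many were marked. */
    int expireSessionsOf(String username) {
        int expired = 0;
        for (Object principal : registry.getAllPrincipals()) {
            boolean match = principal instanceof UserDetails
                    ? ((UserDetails) principal).getUsername().equals(username)
                    : principal.toString().equals(username);
            if (!match) continue;
            for (SessionInformation s : registry.getAllSessions(principal, false)) {
                s.expireNow();
                expired++;
            }
        }
        return expired;
    }
}
```

`expireNow()` only marks the session in the registry; Spring Security's `ConcurrentSessionFilter` performs the actual logout on that user's next request.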
We have a desktop application that is used to upload content to a web application; both use Okta for authentication. Before uploading, the desktop application authenticates the user via Okta using an embedded browser control. Later in the workflow we want to open the user's default browser so he/she can start using the web application directly. At the moment the user will need to log in a second time when their default browser opens.
We planned to implement a mechanism to generate a one-time key (transferable session token) that can be passed as a URL parameter when the browser is opened. For our application's own token we can achieve this but we also need to transfer the Okta session (cookie) and we have not found a way to transfer this from the desktop browser control to the standalone browser.
What options are available to achieve this?
Edit: it is acceptable if a new session is created for the standalone browser as long as the user identity stays the same and the user does not have to provide login details a second time.
Unfortunately, Okta does not have a way to transfer one active session to another as you describe.
However, if you have enough control over the organization's environment, you could simulate this behavior. For Okta organizations that use IWA to authenticate users, you would get this sort of feature "automatically" (provided that the user's default browser supports Active Directory). Another way could be to configure your web application as a "SAML IdP" and have it "transfer a session" to Okta using a SAML Response and Okta's Inbound SAML functionality.
I need help, since I am new to WebSphere.
We have 2 applications, deployed in the same WebSphere server. The problem is that we cannot run those 2 applications simultaneously. Running the 2nd application will immediately expire the 1st application (the 2nd application will also expire after a few seconds).
Here are the series of events
Login to the 1st application http: //stackoverflow:8080/Application1URL/
Leave the application 1 gui running (you must be logged into the application).
Open another browser tab. Run the 2nd application on the new tab: http: //stackoverflow:8080/Application2URL/
You will notice that the application1 session will immediately expire (“Session Expired. Please login again.”). This happens as soon as the application2 login screen appears
If you try to login back into application1 you will get a message saying the user is already logged in (“User is already logged in. Do you want to force logout the other session ?”)
Kindly suggest any ideas to debug the issue.
Your applications probably invalidate sessions for each other. For example, they look for some attribute in the session and, if it is not found, they invalidate the session. Since the same sessionId is shared by default across applications, once the second app invalidates the session, the id is changed and the first app cannot find its session any more.
Go to one of your applications and change session cookie name to something different.
In web admin console click Enterprise Applications > yourApp > Session management
Check Override session management and click Apply and Save
Click Enable cookies link, and change default cookie name to something custom. Click OK and Save changes
Restart application.
Your applications shouldn't logout each other anymore.
I'm doing a sample webapp project that uses Spring and SAML. I did the login part, so when I run this project, it moves directly to my identity server, where I log in, and then it goes to my project's home page. But I couldn't do the logout part. When I click my project's logout button, the logout page comes up but my session isn't lost. So if I want to log in again, this time the project doesn't go to the identity server login page. Because, actually, according to my project, I don't log out on the project. I want to log out on the identity server, so that my session is lost.
How can I do it?
Thank you so much for now,
Ezgi,
Only SAML2 supports Single Logout, but you may want to read these pages to understand a couple of issues before starting to implement it:
https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues
How can I achieve such functionality in Java EE (servlets, web.xml):
In the database there are user credentials (username and password). All users who would like to access my service should be prompted to log in. When the session expires, the user should be logged out and see the login page again. All resources under my WEB-INF should be protected.
I read about user roles and realms, but this is not what I need. It limits users to those defined in the application container.
I'd like to provide my users with functionality to register and log in.
How can this be achieved in Java EE? Can this be done by configuring web.xml?
I tried servlet mapping on /* and authentication in the servlet (redirect to the login page in case of session expiration) but it didn't work for my static content (i.e. index.html).
Examples appreciated. Thanks for all answers.
Using Google App Engine and GWT.
You can use container-based authentication like JDBCRealm for login/logout functionality, but you have to implement the register functionality yourself. A simple CRUD application for your user and group table in the database should be a good starting point.
If you use JSF, tutorials for creating CRUD applications with JSF can be found here for NetBeans IDE.