I am using Spring Security 3.0.2 on a web site where users can log into their account. The account landing page has a button that takes you to a second page. Various users report that they have trouble getting to that second page because they are asked to log in again and again when they press the button. I cannot reproduce the problem myself, and it seems to work for most people. However, enough people have complained about the issue that I take them seriously. What could be the cause for such a spurious malfunction?
I see some possible cases maybe some of them would produce a 403 and not a redirect :
the second page is protected by a intercept-url with a list of role and some user doesn't have the required role. Maybe your account has some "admin" role which allow you to access any page that why you can not reproduce it
same problem but whith method #Secured with role that some users doesn't have
maybe these user aren't accepting cookie
maybe you have multiple domain the cookie is created for the domain www.domain.com then the user is redirected to another domain like www1.domain.com where the cookie doesn't apply.
maybe you have some kind of miss configuration in the load balancing the session is created on the 1st server, then the 2nd page is handled by the 2nd server where the session doesn't exists
maybe somewhere in the code you call session.invalidate()
hope it helps
Related
good morning. I have several domains and subdomains with Laravel. One of the subdomains does the login, logout and verification tasks.
My question is, how can I log in to the rest of the subdomain that I log in?
The bigger problem I have is that it does not log in to the site but it runs online?
And that I send a request, it is sent, but the answer does not come for Ajax to show, but it comes in the network
thanks.
Perhaps you could make a database table that checks the user logins that will also expire. So when a user enters your sub domains it checks via ip(not recommended) or other things if that user is logged in.
I am developing spring MVC application, in my project, i have login page where I can successfully log in, the problem is that if I open new tab and log in with different username it's logging in, means at a time in the same browser I am able to login in multiple users which I don't want ,I want my application to single user login per browser how to make it.
While rendering login page, you check authentication. If you are using Spring security, you can check for principal auth present or not. If auth is present render home page else render login page. I think this can solve your issue neatly.
I suppose that Spring Security session management is what you're looking for:
Spring Security is able to prevent a principal from concurrently
authenticating to the same application more than a specified number of
times. Many ISVs take advantage of this to enforce licensing, whilst
network administrators like this feature because it helps prevent
people from sharing login names. You can, for example, stop user
“Batman” from logging onto the web application from two different
sessions. You can either expire their previous login or you can report
an error when they try to log in again, preventing the second login.
For more information, read the following docs:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/session-mgmt.html
Control the Session with Spring Security
I've developed an app in laravel and sentry2 as ACL. Login occurs through SAML.
Whenever a user logs in from SAML is redirected to my app where I check server variables, and if credentials are correct I let him pass to the site with sentry.
My issue occurs when I try to log in with the same account in two different browsers. Looks like when I log in in the second browser the existing session in the other browser gets overrided.
I've found out this looking into sessions table:
http://pastebin.com/6iEnRkEs
Any ideas? Will appreciate your help on this very much.
Thanks a lot!
Pablo
EDIT:
The idea would be that the app work like gmail/fb that allows the user to be logged in both browsers at the same time.
It's correct the way it is.
Different browsers different sessions. This is a security feature/matter every single app should enforce.
If you log in a different browser how could Laravel tell if it's not a different person login in from a different computer in the same network? Log someone off in this case it's also the correct thing to do, because if some kind of exploit is happening, user will see something is wrong and, maybe, change his/her password.
Some (ie: banking) also do: different browser tabs, different sessions, but this is not the Laravel case.
I want to know how can I force a user to log in the the application again if the page is being opened in new tab or new browser.
Edit:-
My apologies I misunderstood the requirement.
I am authenticating the user in my log-in page but not anywhere else. So what is happening because of that, even if i log out of application and type url say bla.com/apple I can access my application.
I figured to prevent this from happening, I have to write a base controller that checks for the right user. Am I moving in the right direction.
Thanks
Addressing the edit -
Authentication can be handled per controller or on individual actions. Simple place the [Authorize] attribute appropriately. This assumes however that somewhere an authentication token is being set. [Authorize] checks against the HttpContext's current User (an IPrincipal).
You mentioned above that you're just validating against a local username and password, in one place, so I'm guessing that no token (session, cookie) are being set?
You have a few options here to get that token stored and persisted across requests:
ASP.Net integrated membership provider (Intro)
A custom MembershipProvider (Example)
Full-on custom flow. (Example)
Each has ups and downs and depends on how exactly you want to handle on-boarding your users. It's hard to answer more specifically because it can be a very large topic (and a very broad question).
Here's the official pages for MVC security.
Currently I have a custom form login page in Spring Security 3 that sends its form data to the correct authentication url.
However now I need to extend the process to support security questions after logging in but before hitting the rest of the site.
I have a few options from reading the documentation, but I'm confused as to the correct option to choose.
Option 1: Keep the current login system and set a special role that only lets the user access the security questions page. If they pass through the security questions process successfully, add their correct roles into the security context.
Option 2: Subclass AbstractAuthenticationProcessingFilter and do security questions as a part of the login process. This seems more spring-like but I'm stuck on how to support the multiple pages for the questions with breaking the rest of the authentication framework.
What about this approach:
When a user submits her username/password, save them into her session.
Redirect her to your questions.
When she is finished answering your questions, see if you want to let her login.
3.1. If yes, POST her saved credentials so that they could be caught and processed by Spring Security filter chain.
3.2. If no, take her back to the login page. (Or whatever you want to do in this case.)
I ended up using Option 1. #craftsman's answer doesn't fit since the questions are specific per user. Its actually worked out really well.