Liferay and Siteminder Integration - session

Is it possible to synchronise the Liferay session with the SiteMinder session?
Scenario:
There are two applications, say A and B, which use SiteMinder authentication. Both applications share the same SiteMinder session. Application A is running Liferay portlets and application B is a servlet application.
The user logs in to application A and navigates to application B using SSO.
The user works in application B for some time, which keeps the SiteMinder session from expiring. But the Liferay session in application A expires due to inactivity.
Is there any way to keep the Liferay session in sync with the SiteMinder session? Any suggestions would be really helpful.

Set the properties below in the portal-ext.properties file.
Set the auto-extend mode to true to avoid having to ask the user whether to extend the session or not. Instead, it will be extended automatically. The purpose of this mode is to keep the session open as long as the user's browser is open with a portal page loaded.
session.timeout=30
session.timeout.auto.extend=true
This will keep the Liferay session from expiring. If the SiteMinder session expires and you access a resource protected by SiteMinder, you will be asked to log in again.

Related

Prevent automatic Session creation

We are using Vaadin 14 on Tomcat 9.
A session is created in Tomcat as soon as the login page of our app is called up. If a lot of sessions have been created this way (e.g. during a penetration test), Tomcat takes a very long time to delete them. The CPU load also rises to 100%.
Is it possible to prevent the automatic creation of a session and only create one after the login?
We have reduced the session timeout in Tomcat so that there are not so many open sessions.
You cannot use Vaadin (for your login) without sessions. Vaadin stores the state of the UI in the session and there is no way around it:
A user session begins when a user first makes a request to a Vaadin servlet by opening the URL of a particular UI. All server requests belonging to a particular UI class are processed by the VaadinServlet class. When a new client connects, it creates a new user session, represented by an instance of VaadinSession. Sessions are tracked using cookies stored in the browser.
https://vaadin.com/docs/latest/advanced/application-lifecycle/#application.lifecycle.session
So you have to prevent this and not send your users directly into the Vaadin application (first). In your case you could provide a login form or some SSO gatekeeper to "protect" your resources.
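As an added example (not from the answer above and not Vaadin's own code): a plain servlet that acts as the gatekeeper the answer suggests. It renders the login form without ever calling getSession(), so anonymous hits on /login leave no session behind in Tomcat, and creates the session only after the credentials check out. The /app/* mapping for the Vaadin servlet, the AuthGateFilter, the in-memory user map and the sample password are assumptions made for this example; Vaadin 14 on Tomcat 9 uses the javax.servlet API.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Login page and handler placed in front of the Vaadin UI (assumed to be mapped at /app/*).
@WebServlet("/login")
public class GatekeeperLoginServlet extends HttpServlet {

    // Constructed sample user store: username -> SHA-256 hex of the password.
    // A real deployment would use a salted, slow hash (bcrypt/argon2) and a user directory.
    private static final Map<String, String> USERS =
            Collections.singletonMap("alice", sha256Hex("correct horse battery staple"));
    private static final byte[] DUMMY = sha256Hex("").getBytes(StandardCharsets.UTF_8);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // getSession(false) never creates a session. Plain getSession() would, and that is
        // what turns a scanner hammering /login into thousands of idle Tomcat sessions.
        HttpSession existing = req.getSession(false);
        if (existing != null && existing.getAttribute("user") != null) {
            resp.sendRedirect(req.getContextPath() + "/app/");
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print("<form method='post' action='" + req.getContextPath() + "/login'>"
                + "<input name='u'><input name='p' type='password'><button>Login</button></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("u");
        String pass = req.getParameter("p");
        if (user == null || pass == null || !passwordMatches(user, pass)) {
            // Failed login: still no session for this client.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            doGet(req, resp);
            return;
        }
        // Success: drop any stale session (fresh start), then create the one Vaadin will use.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(15 * 60); // idle timeout in seconds; tune for your app
        resp.sendRedirect(req.getContextPath() + "/app/");
    }

    private static boolean passwordMatches(String user, String pass) {
        String expected = USERS.get(user);
        byte[] actual = sha256Hex(pass).getBytes(StandardCharsets.UTF_8);
        if (expected == null) {
            MessageDigest.isEqual(DUMMY, actual); // spend comparable time on unknown users
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual);
    }

    static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Refuses unauthenticated requests to the Vaadin UI before VaadinServlet can create a
    // session. Nested here to keep the example in one file; normally it lives in its own.
    @WebFilter("/app/*")
    public static class AuthGateFilter implements Filter {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpSession session = req.getSession(false);
            if (session == null || session.getAttribute("user") == null) {
                ((HttpServletResponse) response).sendRedirect(req.getContextPath() + "/login");
                return;
            }
            chain.doFilter(request, response);
        }
    }
}
```

Two things to watch when wiring this in: any JSP on the pre-login path creates a session unless it declares `<%@ page session="false" %>`, and the session created in doPost is the one VaadinServlet will attach its VaadinSession to, so the short idle timeout set there also bounds how long an abandoned Vaadin UI stays in memory.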

Session hijacking: How to prevent access to web app when JSESSIONID cookie copied from one browser to another?

I have developed a web application in Java Spring Boot. After logging in to the web application, the JSESSIONID is stored in the browser cookies. Now when I copy this cookie from my current browser and create the same cookie in some other browser, I am logged in to the system without being asked to log in.
Please let me know how we can prevent this session hijacking threat. Is there anything I need to do at the application level or at the server level?
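The question has no answer in the thread, so the following is an added example, not the poster's code, of the layers a practitioner would apply in a Spring Boot application. It assumes Spring Boot 2.x with the javax.servlet API (swap the imports to jakarta.servlet for Boot 3), Spring Security on the classpath, and a login page at /login. Copying JSESSIONID will always work for whoever holds it, because the cookie is the credential; the realistic goal is to make theft hard and to limit the damage when it happens: keep the cookie out of script reach and off plaintext HTTP, issue a new ID at login, invalidate it at logout, keep the idle timeout short, and optionally bind the session to client attributes so a copied cookie presented from a different client is rejected.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Objects;
import javax.servlet.FilterChain;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class SessionHardeningConfig {

    // 1. Cookie flags. HttpOnly keeps JSESSIONID out of document.cookie, so an XSS payload
    //    cannot read it; Secure keeps it off plaintext HTTP. This is the Servlet-API form of
    //    server.servlet.session.cookie.http-only=true and server.servlet.session.cookie.secure=true;
    //    the idle timeout is set with server.servlet.session.timeout (e.g. 15m), and SameSite
    //    with server.servlet.session.cookie.same-site on Boot 2.6+ or Tomcat's CookieProcessor.
    @Bean
    public ServletContextInitializer sessionCookieHardening() {
        return (ServletContext ctx) -> {
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setHttpOnly(true);
            cookie.setSecure(true);
        };
    }

    // 2. Session binding. On first sight of a session remember a fingerprint of the client;
    //    on later requests reject the session if the fingerprint no longer matches.
    public static class SessionBindingFilter extends OncePerRequestFilter {
        static final String FP_ATTR = "SESSION_FINGERPRINT";

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
                throws ServletException, IOException {
            HttpSession session = req.getSession(false);
            if (session != null) {
                String expected = (String) session.getAttribute(FP_ATTR);
                String actual = fingerprint(req);
                if (expected == null) {
                    session.setAttribute(FP_ATTR, actual);
                } else if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                                  actual.getBytes(StandardCharsets.UTF_8))) {
                    // The cookie arrived from a client that does not look like the one that
                    // established the session: kill the session rather than serve the request.
                    session.invalidate();
                    resp.sendRedirect(req.getContextPath() + "/login?expired");
                    return;
                }
            }
            chain.doFilter(req, resp);
        }

        // Hash of attributes the legitimate client keeps stable. User-Agent is spoofable by an
        // attacker who also knows the victim's browser, so this raises the bar; it is not proof
        // of identity. The client IP is deliberately left out: mobile and NAT users change it
        // mid-session and would be logged out constantly. Add it only for fixed-network apps.
        static String fingerprint(HttpServletRequest req) {
            String material = Objects.toString(req.getHeader("User-Agent"), "")
                    + "\n" + Objects.toString(req.getHeader("Accept-Language"), "");
            try {
                byte[] digest = MessageDigest.getInstance("SHA-256")
                        .digest(material.getBytes(StandardCharsets.UTF_8));
                return Base64.getEncoder().encodeToString(digest);
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    // Registering the filter as a bean makes Spring Boot apply it to every request.
    @Bean
    public SessionBindingFilter sessionBindingFilter() {
        return new SessionBindingFilter();
    }
}
```

Keep Spring Security's defaults for the remaining layers: it already replaces the session ID when a login succeeds (session fixation protection via changeSessionId on Servlet 3.1+) and invalidates the server-side session on logout, so a stolen pre-login cookie is worthless and a stolen post-login one dies with the legitimate user's logout. Test the result the same way the question describes: copy the cookie into a second browser with a different User-Agent and confirm it lands on /login?expired instead of the application.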

Spring SSO always creates new session after refresh the client web app

I was creating my own OAuth2 server with SSO enabled for Google and Facebook. I found this example https://github.com/spring-guides/tut-spring-boot-oauth2 to be very useful and I was able to make my OAuth2 server expandable after several tweaks.
For session storage I used Redis, and everything seems to be working with the Spring magic.
However, I encountered a session problem when implementing logout. According to single sign-on best practice, when a user logs out from one client, all other clients with the same session from the auth server should also be logged out. So I added an endpoint for each client to invoke upon successful login to register its name based on the user session from the auth server. However, I noticed that each time I refresh the page on my client web app, I get a new session from the auth server. As a result, each time I try to log out, the session associated with all registered clients is always the old one.
I've been searching for solutions online but no luck yet. It would be greatly appreciated if someone could help me with this issue.
TL;DR version:
I implemented an OAuth2 server with SSO enabled for Facebook with Spring Boot. After I successfully logged in with my Facebook account, I can see my client web app's resources. Every time I refresh the page, I see a new session get created by the OAuth2 server; it gets stored in Redis, and all the old sessions are kept in the storage as well.
UPDATE
It seems that all the new sessions are generated by anonymous users each time I refresh the page.
OK, after some digging, it turns out that an anonymous user in Spring Boot is not much different from an unauthenticated user, according to this doc https://docs.spring.io/spring-security/site/docs/current/reference/html/anonymous.html.
It makes sense that a new session is generated every time I refresh the page. My problem was that I wasn't using the correct session ID when registering the client app upon successful user authentication. Therefore I overrode SavedRequestAwareAuthenticationSuccessHandler so that I can obtain the client_id from the request parameter and then register the correct session ID, obtained from the Authentication object, to this client ID.
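An added example of the success-handler approach described in the update, written here for illustration rather than taken from the poster's project. It assumes Spring Boot 2.x with Spring Security's OAuth2 login (javax.servlet API), a hypothetical ClientSessionRegistry in place of the poster's Redis-backed registration endpoint, and that the relying client identifies itself with a client_id request parameter. Two choices differ from the bare description above and are deliberate: the handler falls back to the saved request for client_id, because in the authorization-code flow that parameter is on the /oauth/authorize request that was cached before the redirect to Facebook rather than on the callback that completes the login; and it reads the session ID from the request's current session, because WebAuthenticationDetails is built when the login request arrives, before Spring Security's session-fixation protection renames the session, so the ID recorded there can be the pre-login one.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

// Hypothetical registry: which OAuth2 clients were issued a login from which auth-server session.
// The poster keeps this in Redis; an in-memory map is used here so the example is self-contained.
public class ClientSessionRegistry {
    private final Map<String, Set<String>> clientsBySession = new ConcurrentHashMap<>();

    public void register(String sessionId, String clientId) {
        clientsBySession.computeIfAbsent(sessionId, k -> ConcurrentHashMap.newKeySet()).add(clientId);
    }

    // Called on logout: every client registered under this session must be told to log out too.
    public Set<String> remove(String sessionId) {
        Set<String> clients = clientsBySession.remove(sessionId);
        return clients == null ? Collections.emptySet() : Collections.unmodifiableSet(clients);
    }
}

class ClientRegisteringSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    private final ClientSessionRegistry registry;
    private final RequestCache requestCache = new HttpSessionRequestCache();

    ClientRegisteringSuccessHandler(ClientSessionRegistry registry) {
        this.registry = registry;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws ServletException, IOException {
        // client_id is on the current request only if the client posted it there. In the usual
        // authorization-code flow it is on the /oauth/authorize request that was saved before the
        // redirect to the identity provider, so fall back to the saved request. Read it before
        // super.onAuthenticationSuccess(), which consumes (removes) the saved request.
        String clientId = request.getParameter("client_id");
        if (clientId == null) {
            SavedRequest saved = requestCache.getRequest(request, response);
            if (saved != null) {
                String[] values = saved.getParameterValues("client_id");
                if (values != null && values.length > 0) {
                    clientId = values[0];
                }
            }
        }
        // Use the ID of the session the browser holds now. Session-fixation protection has
        // already run (changeSessionId / migrateSession) by the time a success handler is
        // invoked, so this is the post-login ID that the logout request will later carry.
        HttpSession session = request.getSession(false);
        if (clientId != null && session != null) {
            registry.register(session.getId(), clientId);
        }
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

Wire it with `http.oauth2Login().successHandler(new ClientRegisteringSuccessHandler(registry))`, and on the logout side call `registry.remove(session.getId())` from a LogoutHandler before the session is invalidated, then notify each returned client. The anonymous sessions the update describes are a separate matter: they are created by whatever touches the session on an unauthenticated request (typically the saved-request cache or the session-backed CSRF token repository), not by the success handler, so this change fixes the registration key without reducing their number.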

Symfony2, Expire backend session

I am programming a Symfony2 web application and I have a backend bundle in which the user is authenticated using a pop-up window. What I need is for the session to expire after a timeout or when I close the browser. Right now it doesn't...
Any idea?

How to start a brand new session after timeout in Struts?

I am working on a J2EE web application that uses Struts and Spring.
Problem: when the session times out, a login page appears and the user enters the login information. Then the application tries to restore the session, but there is an exception.
How do I make the application go to the home page AFTER login on all session timeouts (a fresh start)?
Thanks a lot.
