I have an application which uses spring security 3.0. The application uses my company's Active directory for login. I borrowed some of the code from the examples on the net and now I am able to successfully perform a bind. But the remember-me functionality is not working. To be more specific, I am able to sign into the application but when I close the browser and open the application it is redirecting to the login page again. Can anyone please tell me what is wrong in my configuration.
Security.xml
<http path-type="regex" use-expressions="true" auto-config="true">
<form-login
login-page="/Login.html"
login-processing-url="/j_spring_security_check"
default-target-url="/home.html"
authentication-failure-url = "/Login.html?login_error=1"
/>
<logout logout-success-url="/Login.html" invalidate-session="true"
delete-cookies="JSESSIONID" />
<intercept-url pattern="\A/Login\Z" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="\A/(?!Login).*\Z" access="isAuthenticated()" />
<remember-me key="_spring_security_remember_me" token-validity-seconds="3600" user-service-ref="ldapUserDetailsService"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="ldapAuthProvider"/>
</authentication-manager>
<beans:bean class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider" id="ldapAuthProvider">
<beans:constructor-arg ref="ldapBindAuthenticator"/>
<beans:property name="userDetailsContextMapper" ref="ldapUserDetailsContextMapper"/>
</beans:bean>
<beans:bean class="org.springframework.security.ldap.DefaultSpringSecurityContextSource" id="ldapServer">
<!-- MS Active Directory -->
<beans:constructor-arg value="ldap://hostname/DC=myCompany,DC=com"/>
<beans:property name="userDn" value="CN=user,OU=Users,DC=mycompany,DC=com"/>
<beans:property name="password" value="xxxxxx"/>
</beans:bean>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator" id="ldapBindAuthenticator">
<beans:constructor-arg ref="ldapServer"/>
<beans:property name="userSearch" ref="ldapSearchBean"/>
</beans:bean>
<beans:bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch" id="ldapSearchBean">
<beans:constructor-arg value="OU=Users"/>
<beans:constructor-arg value="(sAMAccountName={0})"/>
<beans:constructor-arg ref="ldapServer"/>
</beans:bean>
<beans:bean class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" id="ldapUserDetailsContextMapper"/>
<beans:bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<beans:constructor-arg index="0">
<beans:ref local="ldapSearchBean" />
</beans:constructor-arg>
</beans:bean>
<!-- Bean used for LDAP querying. -->
<beans:bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<beans:constructor-arg ref="ldapServer" />
</beans:bean>
<beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" id="expressionHandler"/>
Related
I have a maven multi-modules application where the main module depends on others. This main module is secured with Spring Security CAS and submodules required a basic authentication. This is a example of the security configuration of a submodule:
<security:http name="boobkingapiHttp" create-session="stateless" pattern="/hub/book/**"
authentication-manager-ref="apiAuthenticationManager">
<security:intercept-url pattern="/hub/book" access="ROLE_ORDER_MANAGER" />
<security:http-basic />
</security:http>
And the security configuration for the main module:
<security:http entry-point-ref="casEntryPoint" pattern="/**" realm="ecab" use-expressions="false">
<security:intercept-url pattern="/flow/googlestatistics/**" access="ROLE_ADMIN" />
<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
<security:logout logout-success-url="/logout.xhtml"/>
<security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
<security:custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
</security:http>
<beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<beans:property name="loginUrl" value="http://localhost:8082/sso/login" />
<beans:property name="serviceProperties" ref="serviceProperties" />
</beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
<beans:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<beans:property name="authenticationUserDetailsService">
<beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:constructor-arg ref="hwsAuthenticationUserDetailsService" />
</beans:bean>
</beans:property>
<beans:property name="serviceProperties" ref="serviceProperties" />
<beans:property name="ticketValidator">
<beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<beans:constructor-arg index="0" value="http://localhost:8082/sso" />
</beans:bean>
</beans:property>
<beans:property name="key" value="an_id_for_this_auth_provider_only" />
</beans:bean>
<beans:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<beans:property name="service" value="http://localhost:8080/cas-client/login/cas" />
<beans:property name="sendRenew" value="false" />
</beans:bean>
The problem is, when the CAS server grants the ticket and redirects to the service url: http://localhost:8080/cas-client/login/cas?ticket=ST-19-1clKw2tZ5MVp0OznfAun the casAuthenticationProvider is not invoked. The one invoked is the submodule's authenticationProvider and the result is 401 Unauthorized error.
Why the CAS SecurityFilterChain is not invoked? I thought that was handled by Spring Security CAS but it seems not.
I use Spring Security 5.1.2.RELEASE
Thanks a lot for your help.
I found the reason why the CasAuthenticationProvider was not invoked. It's just because of this:
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
I changed alias to id.
I have a requirement that on the login page I have a userId , password field and also another text entry field called customer. If a user logins in with userId and password , the spring-security configuration which I have works good.
Second login scenario is If the customer puts in only their customer Id , they are supposed to login to a different page as well. How do I make the two different logins works with the same spring-security xml configuration from the same login page.
<security:http auto-config="true" use-expressions="true" >
<!-- URL restrictions (order is important!) Most specific matches should be at top -->
<!-- Don't set any role restrictions on login.jsp. Any requests for the login page should be available for anonymous users -->
<security:intercept-url pattern="/login.jsp*" access="isAuthenticated()" />
<security:access-denied-handler error-page="/noaccess.jsp" />
<security:intercept-url pattern="/board.htm" access="hasRole('ROLE_ALL_USER')" />
<security:intercept-url pattern="/AddItems.htm*" access="hasRole('ROLE_USER')" />
<!-- Set the login page and what to do if login fails -->
<security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" />
<!-- Set the logout page and where to go after logout is successful -->
<security:logout logout-url="/logout" logout-success-url="/logoutSuccess.jsp" />
<security:custom-filter position="PRE_AUTH_FILTER" ref="customPreAuthFilter" />
<security:custom-filter ref="switchUserFilter" position="SWITCH_USER_FILTER" />
</security:http>
<security:http>
</security:http>
<beans:bean id="customPreAuthFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
<!-- Load the UserDetails object for the user. -->
<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:property name="userDetailsService" ref="currentUserDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean>
<!-- Aliasing (Switch User) -->
<beans:bean id="switchUserFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<beans:property name="userDetailsService" ref="currentUserDetailsService" />
</beans:bean>
Thanks
Dhiren
#Ritesh Thanks for the link.. I tried your solution but My Filter does not get invoked.
does web.xml need to be modified.
Any way I tried to implement the entire springSecurityFilterChain but still I have not able to invoke my Filter from my login form. My filter that I need invoked is customBadgeAuthFilter
<beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<beans:constructor-arg>
<beans:list>
<security:filter-chain pattern="/resources/**" filters="none"/>
<security:filter-chain pattern="/**"
filters="securityContextPersistenceFilterWithASCTrue,
logoutFilter,
customBadgeAuthFilter,
formLoginFilter,
formLoginExceptionTranslationFilter,
filterSecurityInterceptor" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="securityContextPersistenceFilterWithASCTrue"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="formLoginExceptionTranslationFilter"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg value="/login"/>
</beans:bean>
</beans:constructor-arg>
<beans:property name="accessDeniedHandler">
<beans:bean
class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<beans:property name="errorPage" value="/exception" />
</beans:bean>
</beans:property>
</beans:bean>
<beans:bean id="formLoginFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="allowSessionCreation" value="true"/>
<beans:property name="authenticationSuccessHandler">
<beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
<beans:constructor-arg value="/"/>
<beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
</beans:bean>
</beans:property>
<beans:property name="authenticationFailureHandler">
<beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:constructor-arg value="/login?error=true"/>
</beans:bean>
</beans:property>
</beans:bean>
<beans:bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="runAsManager" ref="runAsManager" />
<beans:property name="securityMetadataSource">
<security:filter-security-metadata-source use-expressions="true">
<security:intercept-url pattern="/**"
access="isAuthenticated()" />
</security:filter-security-metadata-source>
</beans:property>
</beans:bean>
<beans:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
<beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
</beans:list>
</beans:constructor-arg>
<beans:property name="allowIfAllAbstainDecisions" value="false"/>
</beans:bean>
<beans:bean id="runAsManager"
class="org.springframework.security.access.intercept.RunAsManagerImpl">
<beans:property name="key" value="TELCO_RUN_AS"/>
</beans:bean>
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login"/>
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
<beans:constructor-arg>
<beans:list>
<beans:value>JSESSIONID</beans:value>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="customBadgeAuthFilter" class="com.company.security.filter.BadgeProcessingSecurityFilter">
<beans:constructor-arg value="/login.jsp"></beans:constructor-arg>
<beans:property name="authenticationManager" ref="authManager" />
</beans:bean>
<security:authentication-manager alias="authManager" >
<security:authentication-provider ref='normalAuthenticationProvider ' />
<security:authentication-provider ref='badgeAuthenticationProvider ' />
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.jsp"/>
</beans:bean>
<beans:bean id="badgeAuthenticationProvider" class="com.company.security.filter.BadgeAuthenticationProvider">
</beans:bean>
I think I finally figured how to get my securityFilter to get invoked.
I was doing debugging to see the springsecurity flow and see that there is a method called. requestAuthorization in the subclass of AbstractAuthenticationProcessingFilter. It compares the uri which is configured for the default value for the filter to get invoked and if they don't match the filter is bypassed. For some reason even thought the POSt request is /j_security_check .. it transforms into FSS/home.htm when it is being compared and so the filter was getting bypassed.
I have an application develop on Spring 4.1.4 and Spring Security 4.0.2, deployed on a server with Apache Tomcat 8 and JDK 1.7.
It happens that after some days some users can't login anymore even if they specity correct user/password combination.
Restarting Tomcat fixes the problem.
Any suggestion?
May it be a session related issue?
This is my security configuration
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jee="http://www.springframework.org/schema/jee"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
">
<http auto-config="true" use-expressions="true">
<custom-filter after="EXCEPTION_TRANSLATION_FILTER" ref="ajaxTimeoutRedirectFilter"/>
<custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" />
<intercept-url pattern="/j_spring_security_switch_user" access="hasRole('ROLE_SUPERVISOR')"/>
<session-management invalid-session-url="/login.html?invalidSession=1" session-fixation-protection="newSession">
<concurrency-control max-sessions="10" error-if-maximum-exceeded="true" />
</session-management>
<intercept-url pattern="/login.html" access="hasRole('ROLE_ANONYMOUS')" requires-channel="https"/>
<intercept-url pattern="/resources/**" access="permitAll" requires-channel="any"/>
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
<intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
<intercept-url pattern="/index" access="hasRole('ROLE_USER')" requires-channel="https"/>
<intercept-url pattern="/upload/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
<headers>
<xss-protection block="false"/>
<frame-options disabled="true"/>
<cache-control/>
</headers>
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login.html"
default-target-url="/index"
always-use-default-target="true"
authentication-failure-url="/login.html?error=1"
username-parameter="username"
password-parameter="password"/>
<logout logout-success-url="/login.html?logout=1" invalidate-session="false" delete-cookies="JSESSIONID"/>
<!-- enable csrf protection -->
<!-- <csrf disabled="true" /> -->
<port-mappings>
<port-mapping http="8080" https="8443"/>
</port-mappings>
</http>
<beans:bean id="ajaxTimeoutRedirectFilter" class="com.finconsgroup.mens.springsecurity.AjaxTimeoutRedirectFilter">
<beans:property name="customSessionExpiredErrorCode" value="419"/>
</beans:bean>
<beans:bean id="switchUserProcessingFilter" class="com.finconsgroup.mens.springsecurity.MensSwitchUserFilter">
<beans:property name="userDetailsService" ref="mensAuthenticationService"/>
<beans:property name="switchUserUrl" value="/j_spring_security_switch_user"/>
<beans:property name="exitUserUrl" value="/j_spring_security_exit_user"/>
<beans:property name="targetUrl" value="/index"/>
</beans:bean>
<beans:bean name="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<!-- Select users and user_roles from database -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="mensAuthenticationService">
<password-encoder ref="bcryptEncoder"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="mensAuthenticationService" class="com.finconsgroup.mens.springsecurity.MensAuthenticationProvider">
<beans:property name="dataSource" ref="mensDataSource"/>
<beans:property name="usersByUsernameQuery" value="my_query"/>
<beans:property name="authoritiesByUsernameQuery" value="my_query"/>
<beans:property name="groupAuthoritiesByUsernameQuery" value="my_query"/>
<beans:property name="enableGroups" value="true"/>
</beans:bean>
<!-- Spring Security -->
<beans:bean id="mensPermissionEvaluator" class="com.finconsgroup.mens.springsecurity.MensPermissionEvaluator">
<beans:constructor-arg ref="aclService"/>
</beans:bean>
<beans:bean id="securityExpressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="mensPermissionEvaluator"/>
</beans:bean>
<global-method-security
authentication-manager-ref="authenticationManager"
pre-post-annotations="enabled"
secured-annotations="enabled">
<expression-handler ref="securityExpressionHandler"/>
</global-method-security>
<!-- ================================================================== -->
<!-- ACL service -->
<!-- ================================================================== -->
<beans:bean id="aclService" class="org.springframework.security.acls.jdbc.JdbcMutableAclService">
<beans:constructor-arg ref="mensDataSource" />
<beans:constructor-arg ref="lookupStrategy" />
<beans:constructor-arg ref="aclCache" />
</beans:bean>
<beans:bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
<beans:constructor-arg>
<beans:bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<beans:property name="cacheManager">
<beans:ref bean="mensEhCacheManager"/>
</beans:property>
<beans:property name="cacheName" value="aclCache"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ACL_ADMIN"/>
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
<beans:constructor-arg ref="mensDataSource" />
<beans:constructor-arg ref="aclCache" />
<beans:constructor-arg>
<!-- Decides whether current principal can make ACL changes. See
AclAuthorizationStrategyImpl Javadoc for the rules involved. -->
<beans:bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
<beans:constructor-arg>
<beans:list>
<!-- Role required to change ACL ownership -->
<beans:ref bean="adminRole" />
<!-- Role required to change auditing details -->
<beans:ref bean="adminRole" />
<!-- Role required to change other ACL/ACE details -->
<beans:ref bean="adminRole" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.acls.domain.ConsoleAuditLogger" />
</beans:constructor-arg>
</beans:bean>
<beans:bean id="adminRole" class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ADMIN" />
</beans:bean>
Thank you in advance for your help!
I fixed the problem changing the session-fixation-protection attribute to migrateSession.
Now I have no need to restart Tomcat periodically.
I am struggling with below error while deploying the application on ec2 instance
10:59:13,129 [localhost-startStop-1] [] [ERROR] [ContextLoader].[initWebApplicationContext()]:312 :: Context initialization failed
java.lang.VerifyError: (class: org/springframework/security/web/FilterChainProxy, method: signature: (Lorg/springframework/security/web/SecurityFilterChain;)V) Expecting to find object/array on stack
When I remove http tags from security context file, we are able to deploy the application on ec2 isntance.
How ever same war is getting deployed on our local instance(windows).
Please find below our security context file
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" authentication-manager-ref="mizuAuthenticationManager" ></global-method-security>
<beans:bean id="mizuPropertiesHolder" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<beans:property name="locations">
<beans:list>
<beans:value>classpath*:mizu-conf.properties</beans:value>
</beans:list>
</beans:property>
<beans:property name="ignoreUnresolvablePlaceholders" value="true"/>
</beans:bean>
<beans:bean id="preAuthFilter" class="com.converse.mizu.service.filter.UrlParametersAuthenticationFilter">
</beans:bean>
<beans:bean id="mizuAuthenticationEntryPoint" class="com.converse.mizu.service.security.MizuAuthenticationEntryPoint">
<beans:constructor-arg name="loginUrl" value="/" />
</beans:bean>
<beans:bean id="rememberMeFilter" class= "org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
<beans:constructor-arg name="authenticationManager" ref="mizuAuthenticationManager" />
<beans:constructor-arg name="rememberMeServices" ref="mizuRememberMeServices"/>
</beans:bean>
<beans:bean id="mizuUserDetailsService" class="com.converse.mizu.service.security.UserDetailsServiceImpl"></beans:bean>
<beans:bean id="mizuAuthenticationProvider" class="com.converse.mizu.service.security.MizuAuthenticationProvider"></beans:bean>
<beans:bean id="mizuRememberMeServices" class= "com.converse.mizu.service.security.CustomTokenBasedRememberMeService">
<beans:constructor-arg name="key" value="${remembeMeCoockie.key}"></beans:constructor-arg>
<beans:constructor-arg name="userDetailsService" ref="mizuUserDetailsService"></beans:constructor-arg>
<beans:property name="tokenValiditySeconds" value="2592000" />
<beans:property name="cookieName" value="${remembeMeCoockie.name}" />
<beans:property name="cookiePath" value="/" />
</beans:bean>
<beans:bean id="rememberMeAuthenticationProvider" class= "org.springframework.security.authentication.RememberMeAuthenticationProvider">
<beans:property name="key" value="${remembeMeCoockie.key}"/>
</beans:bean>
<beans:bean id="logoutSuccessHandler" class="com.converse.mizu.service.security.LogoutSuccessHandler" >
<beans:property name="logoutSuccessUrl" value="/"/>
</beans:bean>
<beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/" />
</beans:bean>
<beans:bean id="sas" class= "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<http pattern="/js/**" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/img/**" security="none" />
<http pattern="/font/**" security="none" />
<http pattern="/index.html*" security="none" />
<http pattern="/rest/url/**" security="none" />
<http pattern="/rest/user/resetpwd/**" security="none" />
<http pattern="/rest/uiads/analytics/uispec/**" security="none" />
<http entry-point-ref="http403EntryPoint" pattern="/autologin">
<custom-filter ref="preAuthFilter" position="PRE_AUTH_FILTER"/>
<session-management invalid-session-url="/" >
<concurrency-control session-registry-ref="sessionRegistry" max-sessions="1" />
</session-management>
</http>
<http use-expressions="true" entry-point-ref="mizuAuthenticationEntryPoint" >
<intercept-url pattern="/rest/signup/selfserve/register/account**" access="hasRole('CREATE_ACCOUNT')"/>
<intercept-url pattern="/html/account/register.html" access="hasRole('CREATE_ACCOUNT')"/>
<intercept-url pattern="/html/adStudio.htm**" access="isAuthenticated()"/>
<intercept-url pattern="/html/adcreator.htm**" access="isAuthenticated() and hasRole('AD_CREATOR_TOOL')"/>
<intercept-url pattern="/rest/signup/**" access="permitAll"/>
<intercept-url pattern="/rest/**" access="isAuthenticated()"/>
<custom-filter ref="mizuAuthenticationProcessingFilter" position="FORM_LOGIN_FILTER"/>
<custom-filter ref="rememberMeFilter" position="REMEMBER_ME_FILTER"/>
<custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
<session-management session-authentication-strategy-ref="sas"/>
<logout invalidate-session="true" success-handler-ref="logoutSuccessHandler"/>
<access-denied-handler ref="accessDeniedHandler"/>
</http>
<beans:bean id="mizuAuthenticationProcessingFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
<beans:property name="authenticationManager" ref="mizuAuthenticationManager"/>
<beans:property name="usernameParameter" value="username" />
<beans:property name="passwordParameter" value="password" />
<beans:property name="authenticationFailureHandler" ref="loginFailureHandler"/>
<beans:property name="authenticationSuccessHandler" ref="loginSuccessHandler"/>
<beans:property name="rememberMeServices" ref="mizuRememberMeServices" />
</beans:bean>
<!-- Register authentication manager for form login-->
<authentication-manager alias="mizuAuthenticationManager">
<authentication-provider ref="mizuAuthenticationProvider"/>
<authentication-provider ref="rememberMeAuthenticationProvider"/>
</authentication-manager>
<beans:bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"></beans:bean>
Using Spring Security 3.1.0, I cannot seem to get the concurrent session control feature to work. When I log into my system at the same time using IE and FireFox (using my local workstation) I see my user principle in the session registry twice. I am expecting the concurrent session control to log me out or throw an exception or do something that indicates I am logged into the site more than once and it is not permitted.
For what it's worth, I could not get the concurrency control to work at all using the auto config of the HTTP namespace element, even with specifying that my site uses a custom login form. I'm wondering if that might be due to the fact that my authentication is provided via LDAP...?
Here's my security config.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http auto-config="false" use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint">
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter"/>
<session-management session-authentication-strategy-ref="sas"/>
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/css/**" access="permitAll" />
<intercept-url pattern="/images/**" access="permitAll" />
<intercept-url pattern="/js/**" access="permitAll" />
<intercept-url pattern="/public/**" access="permitAll" />
<intercept-url pattern="/home/**" access="permitAll" />
<intercept-url pattern="/admin/user/**" access="hasRole('AUTH_MANAGE_USERS')" />
<intercept-url pattern="/admin/group/**" access="hasRole('AUTH_MANAGE_USERS')" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<access-denied-handler error-page="/403.html"/>
<logout invalidate-session="true" logout-success-url="/public/home.do"/>
</http>
<beans:bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/public/login.do"/>
<beans:property name="forceHttps" value="false"/>
</beans:bean>
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/expired.html" />
</beans:bean>
<beans:bean id="myAuthFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
<beans:property name="exceptionIfMaximumExceeded" value="true"/>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref='ldapProvider' />
<authentication-provider ref="externalUserLdapProvider"/>
</authentication-manager>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<beans:bean id="securityContext"
class="org.springframework.security.core.context.SecurityContextHolder" factory-method="getContext"/>
<beans:bean id="ldapProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg ref="bindAuthenticator" />
<beans:constructor-arg ref="userService" />
<beans:property name="userDetailsContextMapper" ref="permissionedUserContextMapper" />
</beans:bean>
<beans:bean id="permissionedUserContextMapper"
class="...service.impl.PermissionedUserContextMapperImpl" >
<beans:property name="userDao" ref="userDao"/>
</beans:bean>
<!-- LDAP via AD-->
<beans:bean id="bindAuthenticator"
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userSearch" ref="userSearch" />
</beans:bean>
<beans:bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg>
<beans:value></beans:value>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:value>(sAMAccountName={0})</beans:value>
</beans:constructor-arg>
<beans:constructor-arg ref="contextSource" />
<beans:property name="searchSubtree">
<beans:value>true</beans:value>
</beans:property>
</beans:bean>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg
value="ldap://omitted" />
<beans:property name="userDn"
value="ommitted" />
<beans:property name="password" value="omitted" />
</beans:bean>
<!-- Second LDAP Authenticator (Apache DS) -->
<beans:bean id="externalUserLdapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg ref="externalUserBindAuthenticator"/>
<beans:constructor-arg ref="userService" />
<beans:property name="userDetailsContextMapper" ref="permissionedUserContextMapper" />
</beans:bean>
<beans:bean id="externalUserBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="externalUserContextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>cn={0},ou=Users</beans:value>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="externalUserContextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://omitted"/>
</beans:bean>
</beans:beans>
Am I missing some property that should tell the concurrency control strategy to barf if the user logs more than 1 session? I know the same user is logging more than one session -- as I am seeing duplicate principles in the session registry.
Any/all replies are very much appreciated! Thanks in advance!
SessionRegistry uses equals()/hashCode() of UserDetails to find sessions of the same user. If you have custom UserDetails, perhaps it's not implemented.