Session not cleared when logging out of Liferay in third party application - session

An application has been integrated into Liferay using an iFrame. The application is developed in JSF, with the beans being session scoped. For authentication, CAS has been used with Liferay. The application uses the login username of Liferay. When Liferay is logged out, the session of the application is not cleared, because of which logging in with another account shows old data. How can I clear the session of the application when logging out of Liferay?
Looking for help.

Have a look at the com.liferay.portal.action.LogoutAction.execute() method, at line #100.
You have to call your JSF application code at this moment to invalidate the session that you have in that particular application.
Now, in order to change the LogoutAction, you can use the EXT environment, or you can write the code into LogoutPostAction by modifying it using a hook.

Related

Maintaining the same session across Angular2 and Spring applications

I have a Spring + JSF based web application currently running. We are planning to migrate it to Angular 2 with TypeScript, module by module.
How can I achieve integration of session state between the two web applications? The user will sign in only once. Depending upon the module he selects, he will be redirected to the Spring or Angular app.
This is possible using session storage. Once you log in to the Spring application, make a call to the token store with username and password. This will give you access and refresh tokens back as a JSON response. Store them in session storage. Use the same tokens to log in to Angular.
It's working fine for me.

What to do to activate persistent sessions?

What should I do in Spring Boot to activate persistent sessions?
I tried to play with these properties without luck:
server.session.persistent=true
server.session.store-dir=/some/path/sessions
When I stop the daemon I see a file SESSIONS.cer in the session store-dir which disappears when I restart the daemon, but the user is not logged in anymore (goes to the login page).
My Spring Boot project is an OAuth2 authorization server (I use Spring Security OAuth2) which is used with the implicit grant. The session is used to avoid the user having to retype their credentials (login form) when asking for a token (/oauth/authorize). This is the default behaviour of Spring Security OAuth2.
EDIT:
I tried with the following property too without luck:
server.tomcat.basedir=/tmp
To me, it didn't work because the objects I stored in the session were not Serializable.
Just check that they are.
Objects stored in the session must implement Serializable along with a fixed serialVersionUID. Otherwise the JVM will assign a random serialVersionUID which will be different for each server deployment. Since it is different for each deployment, the server will not be able to find a previous session and will create a new session instead.
Reference:
Why jvm generates serialVersionUID?
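A check that turns the two answers above into something you can run against a live session (from a test or a diagnostics endpoint); this is an added example, not code from either answer. It reports every session attribute that Tomcat's file-based session store could not write back, including classes that declare no explicit serialVersionUID.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.http.HttpSession;

/**
 * Lists the session attributes that would not survive a persistent session store
 * round trip, which is what "logged out after restart" with SESSIONS.* on disk usually means.
 */
public final class SessionPersistenceCheck {
    private SessionPersistenceCheck() {}

    /** One entry per attribute that cannot be persisted; an empty list means the session is safe. */
    public static List<String> findNonPersistable(HttpSession session) {
        List<String> problems = new ArrayList<>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String problem = problemWith(session.getAttribute(name));
            if (problem != null) problems.add(name + ": " + problem);
        }
        return problems;
    }

    /** Returns null if the value survives Java serialization, otherwise the reason it does not. */
    static String problemWith(Object value) {
        if (value == null) return null;
        Class<?> type = value.getClass();
        if (!(value instanceof Serializable)) return type.getName() + " does not implement Serializable";
        try {
            type.getDeclaredField("serialVersionUID");
        } catch (NoSuchFieldException e) {
            // Without a declared UID the JVM computes one per compiled class, so a redeploy
            // makes the stored session unreadable (InvalidClassException) and a new one is created.
            return type.getName() + " has no explicit serialVersionUID";
        }
        try {
            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(value); }
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
                in.readObject();
            }
            return null;
        } catch (NotSerializableException e) {
            // The message names the offending nested class, e.g. a non-serializable field.
            return type.getName() + " holds a non-serializable field of type " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return type.getName() + ": " + e;
        }
    }
}
```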

Invalidating Http Session on maximum allowable session for a user

I developed a web application using Spring and Hibernate. By using Spring Security, I am restricting one session per user. When a user tries to attempt multiple logins, the old session will be invalidated and the new one will be active. I have registered an HttpSessionListener in my web.xml file. In the sessionDestroyed method I am writing some functionality that will be executed when the Http Session is getting invalidated.
Now the problem is that when a single user tries to do multiple logins, Spring Security is expiring the old session but not invalidating the old session. So in that case the sessionDestroyed method is not being executed. But I want the sessionDestroyed method to be called when Spring Security expires the old session.
Can anyone please help to resolve this problem?

Sharing security context between few web applications

I need to have a web application which actually consists of a few separate WARs unified into the same navigation bar on the UI. I need to have the whole system secured but have authentication only in the main web application, and after that automatic propagation of this security context to the sub web applications. I'm using Spring Security; could someone help me with advice? Thanks
This can be achieved by the following approach. In Spring, the SecurityContext is by default stored in the HttpSession. Instead you can configure it to be stored in some shared repository.
So, the configuration should be changed to use your own SecurityContextRepository implementation instead of HttpSessionSecurityContextRepository. Once configured, the security framework will look at the repository, which is available to all your web applications.
The repository can be either a database or a cache server.
Spring Security stores the login data in the HTTP session. So what I would try is to share the session between the applications.
It seems that this is possible (in Tomcat) by using the Single Sign On attribute.
But be warned, sharing the session between two applications is not without danger. See this Stack Overflow question.
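A minimal shape of the SecurityContextRepository the first answer describes, as an added example that is neither answerer's code: the context is kept in a store shared by every WAR and looked up through a host-wide cookie. The ConcurrentMap stands in for the shared database or cache, and the cookie name is assumed.

```java
import java.util.UUID;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.*;
import org.springframework.security.core.context.*;
import org.springframework.security.web.context.*;

/**
 * Stores the SecurityContext outside the per-WAR HttpSession, keyed by a cookie scoped to
 * the whole host so every application sees the same authenticated context.
 * The ConcurrentMap is a stand-in for the shared database or cache server.
 */
public class SharedSecurityContextRepository implements SecurityContextRepository {
    static final String COOKIE_NAME = "SHARED_SEC_CTX"; // assumed cookie name
    private final ConcurrentMap<String, SecurityContext> store;

    public SharedSecurityContextRepository(ConcurrentMap<String, SecurityContext> store) { this.store = store; }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        String key = keyFrom(holder.getRequest());
        SecurityContext ctx = key == null ? null : store.get(key);
        return ctx != null ? ctx : SecurityContextHolder.createEmptyContext(); // unknown key: anonymous
    }

    @Override
    public void saveContext(SecurityContext ctx, HttpServletRequest req, HttpServletResponse res) {
        String key = keyFrom(req);
        if (ctx.getAuthentication() == null) { // logout or never authenticated: nothing to share
            if (key != null) store.remove(key);
            return;
        }
        if (key == null) { // first authenticated response: mint an opaque key and hand it to the browser
            key = UUID.randomUUID().toString();
            Cookie cookie = new Cookie(COOKIE_NAME, key);
            cookie.setHttpOnly(true);
            cookie.setSecure(true);
            cookie.setPath("/"); // visible to every WAR on this host
            res.addCookie(cookie);
        }
        store.put(key, ctx);
    }

    @Override
    public boolean containsContext(HttpServletRequest req) { String key = keyFrom(req); return key != null && store.containsKey(key); }

    private static String keyFrom(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        return null;
    }
}
```

Because saveContext runs after the filter chain, the cookie must be issued before the response is committed (wrap the response the way HttpSessionSecurityContextRepository does, or set it from the authentication success handler), and a real cache needs the stored contexts to be Serializable. Entries also need an expiry and removal on logout, since the shared key now carries the same weight as a session cookie.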

Spring Security - Preventing Users access to a page if an id is invalid

I am new to Spring Security and am mulling over the idea of using it or not in my application.
The requirement is as follows:
1. In my web application I store session information inside the database; a key for this is stored in a cookie.
2. Now whenever someone tries to access a URL which is not according to the flow, I want to deny access.
3. Can I use Spring Security for this?
I am using Spring MVC, MongoDB and MySQL as the development environment.
Regards,
Abhishek
If you're trying to simply control the flow of an application, I'd suggest using Spring Webflow. This allows you to define set flows in a multi-page application.
Spring Security can be used to control flows, but only for access control. It integrates well with Webflow (and with Spring MVC) to ensure you can secure some or all of your flows.