Imagine the user A have multiple logins (are logged in) in diferent machines. When he logs out in one machine, the other sessions should automatically redirect to login page.
how i can implement this in spring security?
For now, i have tis http configuration on security.xml
<http auto-config="true" use-expressions="true">
<anonymous />
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/login.do" />
<logout logout-url="/j_spring_security_logout"
success-handler-ref="myLogoutSuccessHandler" />
<remember-me data-source-ref="dataSource" />
</http>
I would recomment you to have a look at SessionRegistry .You can check this here . There has been a discussion on this at Is it possible to invalidate a spring security session? . Check this out too
Spring sessions are stored as JsessionID cookies. Check here for a discussion on cookie removal.
Related
We have an application implemented with Spring Security 3.20 and CAS 3.5. Everything is working fine expect for the anonymous portion. If someone has logged into CAS, we would like them to show up in the application with their logged in username, but instead they show up as anonymousUser. This is only on pages that allow both anonymous or a logged in user. If they explicitly go to a page requiring a role, then the SSO on kicks in and they show up as whatever the logged in user is. What do we need to configure so that they show up as the logged in user without forcing them to go to a secure page (or is that the only way)?
Our configuration is as follows:
<http auto-config="true" entry-point-ref="casEntryPoint" use-expressions="true">
<intercept-url pattern="/canary.html" access="permitAll" />
<intercept-url pattern="/test.html" access="hasRole('ADM')" />
<intercept-url pattern="/testAnon.html" access="hasRole('SEC') or isAnonymous()" />
<intercept-url pattern="/policySelect.html" access="hasRole('ADM')" />
<intercept-url pattern="/**" access="hasRole('SEC') or isAnonymous()" />
<custom-filter position="CAS_FILTER" ref="casFilter" />
<logout logout-success-url="/cas-logout.jsp"/>
<custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
<custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
<access-denied-handler error-page="/WEB-INF/jsp/403.jsp"/>
</http>
If someone is logged into CAS and goes to testAnon.html, they still show up and anonymous until they go to another page like test.html that requires the role of ADM. After that they are logged in and stay that way on all pages.
I have setup Spring Security on my webapp project.
My application setting for session expiration time is 15 min.
The spring security config is pretty basic and I have
<http use-expressions="true" disable-url-rewriting="true">
<csrf />
<intercept-url pattern="/login/auth" access="permitAll" />
<intercept-url pattern="/login*" access="permitAll" />
<intercept-url pattern="/about" access="permitAll"/>
<intercept-url pattern="/contact-us" access="permitAll"/>
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" requires-channel="any"/>
<session-management invalid-session-url="/?invalidSession=1"
session-authentication-error-url="/login?session=fail"
session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"
expired-url="/login?invalidSession=1"/>
</session-management>
Now the problem I'm having is that for example given the user sends an invalid session id spring always redirects to the homepage with '/?invalidSession=1'.
I'm saying it is a problem due to the fact that if the user, after a certain period of time, tries for example to go to the /contact-us page (which us an unprotected resource) he gets redirected to the homepage.
I think one solution would be that spring creates a new session and then redirects to the previously requested resource instead of always the invalid-session-url.
How do you deal with these situations?
After I successfully login when I try to login with another browser It redirects me to authentication-failure-url. Why it doesn't redirect to expired-url?
<http auto-config='false' use-expressions="true">
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<logout logout-success-url="/login.xhtml" invalidate-session="true" delete-cookies="JSESSIONID"/>
<form-login login-page="/login.xhtml"
login-processing-url="/j_spring_security_check"
default-target-url="/pages/index.xhtml"
always-use-default-target="true"
authentication-failure-url="/login.xhtml?error=true"/>
<custom-filter before="FORM_LOGIN_FILTER" ref="customAjaxControlFilter" />
<session-management invalid-session-url="/login.xhtml?error=sessionExpired" session-authentication-error-url="/login.xhtml?error=alreadyLogin">
<concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login.xhtml?error=expired"/>
</session-management>
EDIT: By the way, After I successfully logout it redirects me to invalid-session-url. I don't understand what is going on.
This is the expected behaviour. From the manual:
The second login will then be rejected. By “rejected”, we mean that the user will be sent to the authentication-failure-url if form-based login is being used.
This is what happens if you set error-if-maximum-exceeded="true".
The expired-url parameter is used if you haven't set error-if-maximum-exceeded="true". In that case, the new login will be allowed, the original session will be marked as expired and if you try to use it, you will be redirected to this URL.
I'm using Spring 3.2 + primefaces 3.5 + hibernate 4.1.9
The security context is:
<http auto-config='false' use-expressions="true" >
<intercept-url pattern="/**/login" access="permitAll" requires-channel="https"/>
<intercept-url pattern="/**/registration" access="permitAll" requires-channel="https" />
<intercept-url pattern="/**/cart" access="permitAll" requires-channel="https" />
<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
<intercept-url pattern="/pages/adm/**" access="hasRole('ADMIN')" requires-channel="https" />
<intercept-url pattern="/*/account**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
<intercept-url pattern="/**" requires-channel="any" />
<form-login login-page="/loginRedirect"
authentication-failure-handler-ref="pennyUrlAuthenticationFailureHandler"
authentication-success-handler-ref="pennyAuthSuccessHandler"
default-target-url="/pages/account/orders.xhtml" />
<logout logout-success-url="/" invalidate-session="true"/>
</http>
If I go to a page that requires HTTPS, for the rest of session, it will use the HTTPS protocol, even if the user is not authenticated.
If I go to https ://mystite/en/cart, HTTPS will be used for all browsing session.
I do not want to switch HTTPS to HTTP forever, but only if the user is not authenticated.
Can I force the HTTP for non-authenticated users?
If I go to a page that requires HTTPS, for the rest of session, it
will use the HTTPS protocol, even if the user is not authenticated.
That's correct because of
<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
Also, because of
<intercept-url pattern="/**" requires-channel="any" />
it will stick with HTTPS once the user requested a resource that requires HTTPS. Why would it have to switch back if you say any (HTTPS is as good as any)?
Can I force the HTTP for non-authenticated users?
No, not that I know of. Personally, I don't think this would make much sense either.
I'm using Spring to handle security in my JSF application. I have a login page at /login and I've configured Spring like this:
<http authentication-manager-ref="authenticationManager">
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/admin" access="ROLE_ADMIN" />
<intercept-url pattern="/javax.faces.resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
I want the admin page at /admin to be available only for users with the ROLE_ADMIN role. Users with ROLE_ADMIN or ROLE_USER may access pages starting from the application root.
When I login with a user having either role I see the page you should see after login. However, whatever my next action may be I get redirected to /login like I'm not logged in. Can someone please explain this as I'm trying to get this thing to work for a day now. I've been reading the Spring 3.1.x documentation but it doesn't give me a clue about how to solve the problem. I'm running Spring 3.1.1.Release by the way.
Extra bonus info: the page you should see after login has an element that should only render if the user had ROLE_ADIN. I can see that element after login. The problems began when I implemented PrettyFaces. I've searched the web for common problems and only came up with that the PrettyFaces filter should appear after the Spring security filter. This is the case so it should work right?
UPDATE: I've updated my config to use expressions. However the problem still exists.
<http authentication-manager-ref="authenticationManager" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/javax.faces.resource/**" access="permitAll" />
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
<form-login login-page="/login" authentication-failure-url="/login" />
<logout logout-url="/logout" />
</http>
Output in Firebug's console just after login (the page tries an AJAX call):
First, always debug Spring Security when having problems (add log4j.logger.org.springframework.security=DEBUG).
Second, I think that you wanted hasAnyRole:
<intercept-url pattern="/**" access="hasAnyRole(ROLE_ADMIN,ROLE_USER)" />
plus add use-expressions="true" to http:
<http authentication-manager-ref="authenticationManager" use-expressions="true">
to allow ROLE_ADMIN xor ROLE_USER users to access page. In your current config user must have both roles to access /**.