Pass session data between two different applications - session

I have two applications running on Tomcat, JSF 2 Mojarra 2. Both applications are mapped to the same domain but each to a different pattern within this domain. One application is used as a front page while the other is used to access protected resources (don't ask why not all in one app, it's been designed deliberately to separate the apps as two different entities, each responsible for its own thing). Now the question is: is it possible, and if it is, how to pass the session state between those two separate apps? To illustrate, here are some common situations:
A user does something on the main application running the website and then logs in and whatever he/she was up to doing is being taken to the new session after login to the new app.
(This one is slightly more complex I think) The user registers in the first app and is automatically logged in upon successful registration into the other app. The app where you have to log in is using j_security_check form login (this would be the hard part).

Several ways:
Store the data in a DB and identify it by a long, unique, hard-to-guess autogenerated key which you in turn also store in a domain-wide cookie. This way both applications can get the data from the DB based on the key found in the cookie.
Expose the ServletContext of both applications to each other. In Tomcat, it's a matter of adding crossContext="true" to the <Context> element of the web application's context.xml. This way you can get each other's ServletContext by ServletContext#getContext(). Finally put some Map<String, SomeData> in there which is keyed by some ID which is shared between both applications, for example the logged-in user ID (you should only ensure that the same user can't have more than one session).
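The two approaches from this answer combined, as an added example that is not code from the answer itself: a hand-off map kept in the front app's ServletContext (reachable from the second app once crossContext="true" is set on both <Context> elements), keyed by a SecureRandom token that travels in a short-lived, HttpOnly cookie scoped to the shared domain. The front app's context path /front, the attribute name and the cookie name are assumptions.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletContext;
import javax.servlet.http.*;
/** Hand-off store shared by the two web apps through Tomcat's crossContext="true". */
public final class HandoffStore {
    private static final String OWNER = "/front";        // assumed context path of the front app
    private static final String ATTR = "handoff.store";  // assumed ServletContext attribute name
    private static final String COOKIE = "HANDOFF";      // assumed cookie name
    private static final SecureRandom RNG = new SecureRandom();
    /** The shared map, created once in the owning context; getContext() returns null unless crossContext="true". */
    @SuppressWarnings("unchecked")
    static Map<String, Map<String, Object>> shared(ServletContext ctx) {
        ServletContext owner = ctx.getContext(OWNER);
        if (owner == null) throw new IllegalStateException("crossContext=\"true\" not set for " + OWNER);
        synchronized (owner) {
            Map<String, Map<String, Object>> m = (Map<String, Map<String, Object>>) owner.getAttribute(ATTR);
            if (m == null) { m = new ConcurrentHashMap<>(); owner.setAttribute(ATTR, m); }
            return m;
        }
    }
    /** Front app: park the user's state under a fresh 256-bit random key and hand only the key to the browser. */
    public static void park(HttpServletRequest req, HttpServletResponse res, Map<String, Object> state) {
        byte[] key = new byte[32]; RNG.nextBytes(key);   // unguessable, unlike a sequential id
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(key);
        shared(req.getServletContext()).put(token, state);
        Cookie c = new Cookie(COOKIE, token);
        c.setPath("/");                                  // same domain, so "/" reaches both apps' patterns
        c.setHttpOnly(true);                             // keep the key away from page scripts
        c.setSecure(true);                               // never sent over plain HTTP
        c.setMaxAge(300);                                // a five-minute hand-off window, not a long-lived credential
        res.addCookie(c);
    }
    /** Second app: claim the parked state exactly once and retire the key, so a replayed cookie yields nothing. */
    public static Map<String, Object> claim(HttpServletRequest req, HttpServletResponse res) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!COOKIE.equals(c.getName())) continue;
            Map<String, Object> state = shared(req.getServletContext()).remove(c.getValue());
            Cookie gone = new Cookie(COOKIE, ""); gone.setPath("/"); gone.setMaxAge(0); // delete on the browser
            res.addCookie(gone);
            return state;                                // null if unknown or already claimed
        }
        return null;
    }
}
```

The same park/claim pair works unchanged if shared() is swapped for a DB table keyed by the token, which is the first option in the answer.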

Related

Can two different Struts web applications share the same session, and can I utilize the same for single sign-on?

I have two different Struts2 applications; I tried implementing SessionAware, but the other application is still not able to use the session variables set by the first application.
Am I doing something wrong, or is it not possible the way I am doing it? Thanks
Application, request, session and page scoped objects are only specific to one application.
Session variable is not the solution for your problem.
Let your Single Sign-On Application send those variables to both the applications as custom attributes. Just like the authenticated user name.
Or use a Database table to share the session info.
Note: You will run into race conditions unless app2 access is initiated from app1.

In Spring, how do I redirect the user to a different domain, while preserving their session?

I’m using Spring and Spring Security 3.1.4.RELEASE. I am logged in, with session established on one subdomain — https://main.mydomain.com/myapp but I would like to redirect the user to a different subdomain, e.g. https://second.mydomain.com/myapp but keep the user logged in. How do I do that? I don’t want the user to have to log in a second time but I would like something secure.
I can upgrade Spring if it solves my problem.
In order to share application sessions, you'd need two things (not really Spring related actually):
the session cookie should be set on the shared domain mydomain.com and not on a subdomain main.mydomain.com
sessions should be stored in a shared repository (such as redis)
This can be tricky, because those two applications now need to be in sync regarding what's stored in session. Serialization, change of implementation, etc can render this strategy useless.
If you're looking for Single Sign On, then you should take a look at the various SSO implementations out there.

Session identifier in Portal Application

I'm building several Portlets to deploy on a WebSphere Portal Server, and each Portlet is deployed in its own WAR. Now, I'm needing to track every Portlet a user visits while they're logged on to the Portal. I was trying to get the Session Identifier from a Portlet using this:
HttpServletRequest servletRequest = PortletUtils.getHttpServletRequest(request);
String sessionId = servletRequest.getSession().getId();
But after I logged in, I'm getting different sessionId values from every Portlet/WAR I visited. I guess that makes sense since there's one Session Scope per WAR.
So, how do I get an identifier for the Portal Session (not the Portlet one)? I'm seeing that the JSESSIONID cookie is the same in every HTTP Request, but I'm not sure if that's exposed through the Servlet or Portlet API.
Users that are not logged into the portal don't have a session like that. You can have Portal keep track of session information for anonymous users by enabling public sessions.
http://www-10.lotus.com/ldd/portalwiki.nsf/xpDocViewer.xsp?lookupName=IBM+WebSphere+Portal+7+Product+Documentation#action=openDocument&res_title=Portal_configuration_services_wp7&content=pdcontent
Look under navigator service for the property to change.
Also, I think this might be more easily accomplished in the theme or a portlet filter. You should still be able to get access to the Portal session in either of these places but you won't need to include code in every portlet.
Here's a link for creating a global portlet filter.
http://wpcertification.blogspot.com/2010/11/applying-global-filter-to-all-portlets.html
UPDATE: Like any big framework there are lots of options. I'll offer a brain dump of what I can think of / find. You may have to experiment and see which method you prefer.
The JSESSIONID cookie should be same for a user throughout the whole session. If the session expires they'll get a new JSESSIONID cookie. Using this you'll be able to track a user through a single session but possibly not across multiple sessions.
You could consider using getUserPrincipal() or getRemoteUser() off of the PortletRequest object. I haven't used those methods in a while so you'll have to see what info comes out of them.
There is also request.getAttribute(PortletRequest.USER_INFO). You'll have to do some config in the portlet.xml to make certain attributes available in the Map that returns. There is an example here. We're using ibm-primaryEmail instead of the first and last name like the example on my current project.
Lastly you could look into using the PUMA API that's built into Portal. It will be a bit heavier on the coding and is obviously more container specific but should be able to do just about any job you need related to users.

How to store additional user info?

Here's the issue at hand: I have developed an ASP.NET MVC3 application using Razor. I have also implemented a custom membership provider and overridden the ValidateUser() method. Within, I query my db and get a lot of user information in addition to the password auth.
At the moment, I am pushing this information, i.e. companyId, to static properties of a class. This works and I can display/use this information throughout my app. The problem arises when a user closes their browser tab. Upon re-opening the app, the user is authenticated via a cookie, so they don't need to re-login; however, those static variables are blown away.
So guys and girls, how would/do you conquer this issue? Should I append the extra info to the session cookie? Or perhaps a better solution?
Use the ProfileProvider in ASP.NET.
For application level variables, they are going to be subject to application pool recycles and similar "simulated" restarts related to users starting all over. These variables should be completely independent of user usage and should be able to be recreated easily. If you have variables that are user dependent or that can't be restored easily without some sort of outside intervention then you will definitely need a different method of storage.
If the data is user specific, storing it in the session cookie is probably the best idea. If the data is user-related but branches multiple users it should be stored in a database or a flat file somewhere. If the data has nothing to do with users specifically then it should just be in a database or configuration file.

Logging out a user's other sessions in ASP.NET MVC3 with Forms Authentication

I am building an ASP.NET MVC3 app using Forms Authentication and I'd like to log out all existing sessions for a user when that user logs in. I'm trying to prevent multiple people at different workstations from logging in and working under the same account.
Is there a standard way of handling this? Logging out the existing session is easy, but I haven't come across a way to check for other sessions by the same account and log them out.
I have a few ideas on how to hack this, but I'm curious if there's an established method for this using IIS or the FormsAuthentication API.
Because of the statelessness of the web, you can't "log out" a session until they make their next request (for instance, session might be maintained in a cookie, which can't be written on the client outside of the context of a request-response interaction).
There is still a solution, which assumes you are using session state, and preferably you have a common base controller for all of your controllers requiring "Authentication".
Upon successful login, generate a token (a guid perhaps) and store that with the session. Also write this to an application-wide store (database or application context for instance) keyed by the userid.
In the Base Controller (or otherwise you'd have to create an action filter) check the token in session against the token registered for the userid in the application-wide store. If they don't match, log out the user using the standard SignOut() call.
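The token check from this answer, added here as an example that is not the answer's own code and written as a Java servlet filter instead of an MVC3 base controller (the filter and its in-memory registry are assumptions; the registry would be a database table when the app runs on more than one node, as the answer notes). registerLogin() is what the login handler calls after a successful login; the filter then signs out any other session still holding an older token.

```java
import java.io.IOException;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** Ends every earlier session of a user as soon as that user logs in again somewhere else. */
public class SingleSessionFilter implements Filter {
    static final String TOKEN = "login.token";   // assumed session attribute name
    /** Application-wide registry: user id -> token of the most recent login (in-memory; a DB for several nodes). */
    static final Map<String, String> current = new ConcurrentHashMap<>();

    /** Called by the login handler on success: a fresh token makes every other session of this user stale. */
    static String registerLogin(HttpSession session, String userId) {
        String token = UUID.randomUUID().toString();   // the "guid" from the answer
        session.setAttribute(TOKEN, token);
        current.put(userId, token);
        return token;
    }

    /** True only while this session holds the token registered for the user; unknown users count as stale. */
    static boolean isCurrent(HttpSession session, String userId) {
        Object mine = session.getAttribute(TOKEN);
        return mine != null && mine.equals(current.get(userId));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession s = r.getSession(false);
        String user = r.getRemoteUser();                // container-authenticated user, if any
        if (s != null && user != null && !isCurrent(s, user)) {
            r.logout();                                 // Servlet 3.0 counterpart of SignOut()
            s.invalidate();                             // the stale session ends on its next request, as the answer says
            ((HttpServletResponse) res).sendRedirect(r.getContextPath() + "/login");  // assumed login page
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig c) {}
    @Override public void destroy() {}
}
```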
You could use the Membership.IsOnline property which is based on LastActivityDate:
A user is considered online if the current date and time minus the UserIsOnlineTimeWindow property value is earlier than the LastActivityDate for the user.
