We've implemented session replication using Redisson, but we noticed that if we intentionally fail a node, the user's sessions do get replicated, but they're logged out when they're restored on the new server.
This answer here: Restore user login after tomcat 7 restart alludes that using the JAASRealm will allow someone to stay logged in across a restart.
To test this, I setup the JAAS Realm in Tomcat successfully using the properties login module. However, when I restart, the user gets logged out. I do see my sessions get written to disk by tomcat in it's work directory.
Is there a way to make this work properly so the user doesn't get logged out during a failover event? More importantly, is there a technical or security reason for this?
If you look at the Tomcat code, they actively try and avoid serialization the Principal:
https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/session/StandardSession.java#L1559
https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/session/StandardSession.java#L234
Related
I've a Grails application which is deployed on two servers, and the requests to those servers are controlled by AWS load balancer using sticky session.
A user can have concurrent sessions, so the user might be logged in and having a session on Server A, similarly the user might have a session on Server B.
If a user changes their password, I want to invalidate all the sessions of that user. I'm able to do that on one server using SessionRegistry. How do I kill the same user's session on the other server.
If you're site is API-driven and you are using a token, all you would have to do is invalidate their token; everytime they are requesting anything via an api or that requires checking their roles, it will check the token in your DB (or the DB of the Identity Management SAAS you use) and removing that would make the very next refresh of the page ask them to log back in.
I would like to know internals of tomcat. I configured my web application in 'BASIC' authentication mode. When I logged in for first time, browser asks for credentials. Till this it is fine, may be at the time of login, tomcat reading 'tomcat-users.xml' and set the role. But I am wondering, how tomcat knows the role of the user in subsequent requests. How it keep tracking of the role? Internally is it maintaining some data structure (or) is it keeping this information in session?
I created an angular application that exposes a RESTful API and uses spring security (with LDAP) by using this post as reference and I managed to get it to work. The only problem is that if the server application (where the spring security is configured) is restarted all users are logged-out, but if the user leaves their browser page open they can navigate through the screens without a problem until they do something that would require access to the server.
So my question is: is there a way to automatically log-out the user or re-authenticate them when a server restart is detected (and how would one go about detecting such an event)?
to re-authenticate the user
you need stateless/sessionless API, consider using token based authentication, spring security OAuth has this. If you really need session, save it on the database not on your application server, spring session has this.
to automatically log-out
the easy way is that if you angular try to access the server and it receive 401 forbidden from the server, then redirect the user to login page or popup window login. The user is automatically logout when the server is restarted, is just the client/angular doesn't aware of it.
I managed to tackle this issue by implementing an interceptor as described in this post. I also implemented an $interval to detect that the user is unauthorised as soon as possible.
ive created a grails app and used Apache Shire plugin http://shiro.apache.org/ for security and logging in purposes.
I wanted to find out if anyone knows how I can get a list of the users who are currently logged in to the web application?
Where would this information be stored / on the servers side in a cookie or a session?
Basically i want a widget showing all the current users whom are logged in to my web application currently.
You would probably have to make a table in your app with currently logged in users (or alternatively a shared hashmap)
When your users log in you write the name to the table / hashmap. The tricky part is to figure out, when the user logs out. If the user logs out by clicking "logout" - no problem. If the users session expires you have to listen to the events fired by Shiro.
According to the Shiro website there are several events you can hook into.
I hope my question on the title make sense, if not, let say: machine A, via the web browser I log in as admin, I go to machine B, and log in as admin, the web browser in machine A should force a logout on user admin. I gave this some thought, and I think it will be ugly if I try to manual implement this. I have a feeling that this can be done in Glassfish.
I use Java EE 6 + Glassfish v3.0.1. Authentication and authorization are implemented via jdbcRealm set up in Glassfish
create and map (using <listener>..</listener> in web.xml) a HttpSessionListener
on sessionCreated(..) store a reference to the session in the ServletContext, in a Map<String, Session>
when the user logs-in, get the Map from the ServletContext and see if any session there has the same user / userId as a session attribute.
if there is, session.invalidate() it.
if you want to use this in a cluster, you can either use a database to store the information so that it is accessible from everywhere, or use a distributed cache (JBoss Cache, Ehcache)