I have been developing a web app consisting of a login page and users database maintenance and i am using tomcat authentication to verify users credentials. I have configured the tomcat in such a way that when the url of certain servlet is called the authentication pops up. But i can use that authentication only once and after logging in if i come back to the same page there is no authentication from the server.
Yeah i found the answer. Just include the Session.Invalidate() code in your corresponding sign out page and it terminates the session. But you have to change the authentication from to FORM.
Related
I have multiple web applications running in different domains. Okta is the identity/auth provider for all these applications. After integrating with Okta in one of the application (following the Java example provided in Okta documentation), a new cookie (sid) is being created in Okta domain (https://developer.okta.com/docs/reference/api/sessions/).
How do I use this to SSO into other web application. What is the best approach to allow access to other application without prompting login credentials again?
Do I need to invoke getCurrentSession API in every application and redirect to login page only if the API response is 404 (as per doc, getCurrentSession will retrieve the current active session based on the Okta cookie).
Please share thoughts.
It all depends on how you integrate your apps: redirect to Okta or using Okta widget. If you do redirect it's pretty much guaranteed to have zero issues authenticating in your second app, as your redirect for second app will send sid cookie back to Okta, which was set while authenticating with your first app.
With widget things may become bit complicated, as it depends on 3rd party cookies. okta-auth-js GitHub repo has some examples on how you can check if session exists with okta, when you trying to authenticate a user. Check https://github.com/okta/okta-auth-js#third-party-cookies
I have implemented a simple java web application with tomcat realm authentication(Custom FORM authentication). Now, I'm trying to add a second authentication page for the user(two-factor authentication, I'm using Google authenticator). As far as I have referred the Tomcat documentation, we can specify only one login-config.
I tried adding a filter and also tried managing whether the user has finished the Two-Factor authentication manually with session and tokens.
Is there a way to add the second authentication in the web.xml or the server.xml. So, tomcat should handle whether the user has finished both the authentication.
Thanks in advance.
Tomcat only starts one login process. That process may decide to ask the user for more than one credential but tomcat is not aware of it.
So, you should create a filter and/or login servlet that handles authentication for the tomcat container. That filter/servlet (combination) must prompt for all desired credentials.
If you do not use a framework for your application that already has an authentication layer, you are essentially writing your own 2FA implementation.
I created an angular application that exposes a RESTful API and uses spring security (with LDAP) by using this post as reference and I managed to get it to work. The only problem is that if the server application (where the spring security is configured) is restarted all users are logged-out, but if the user leaves their browser page open they can navigate through the screens without a problem until they do something that would require access to the server.
So my question is: is there a way to automatically log-out the user or re-authenticate them when a server restart is detected (and how would one go about detecting such an event)?
to re-authenticate the user
you need stateless/sessionless API, consider using token based authentication, spring security OAuth has this. If you really need session, save it on the database not on your application server, spring session has this.
to automatically log-out
the easy way is that if you angular try to access the server and it receive 401 forbidden from the server, then redirect the user to login page or popup window login. The user is automatically logout when the server is restarted, is just the client/angular doesn't aware of it.
I managed to tackle this issue by implementing an interceptor as described in this post. I also implemented an $interval to detect that the user is unauthorised as soon as possible.
I am using J2EE authentication for my application, and mine is single-page web application, which uses '#bookmark' to refresh different sections using Ajax. I wanted to make these links bookmarkable. But the '#bookmark' part is getting removed after authentication.
For example I've a page, which is authenticated, with URL 'http://mydomain/my-page' and if '#my-section' is added to it, page will refresh the section using Ajax, and URL looks like 'http://mydomain/my-page#my-section'. If I book mark this link, and use it before logging-in, J2EE authentication redirects me to login page, after I provide my credentials, it redirects me to 'http://mydomain/my-page'.
How can I make it to redirect to the URL with '#my-section' part intact?
I can think of a solution using Valve implementation, but is there any other way of doing it?
Using J2EE Form based authentication on Tomcat7, and UserDatabaseRealm as security realm.
After some reading, I understood that URL hash is never sent to server, and it is not possible automatically.
we might've to implement solution to store the URL hash locally, and use it to add the same to the URL after successful login redirection.
I have a simple webapp on Tomcat with form authentication, and notice that there is a "pre-login" JSESSIONID that's being set whenever a user just goes to the login page, before any login attempt even occurs.
Is this default behavior in Tomcat? Why does Tomcat generate a JSESSIONID just for loading a login page? Shouldn't it generate any session id's only after an actual login? (Not because someone just loads the login page!)
Note: I should mention that my entire webapp (login page and all) is hosted over https; no part of it is exposed via http. Also I am not using JSP. After login, Tomcat generates a second JSESSIONID, different from the first. And that's the one the user uses for the remainder of their session.
But why does it set a "pre-login" JSESSIONID in the first place?
If you use Tomcat means of form auth, it has to store the initial request somewhere to perform the stateless redirect for the auth. After that, it will re-evaluate the request. The SavedRequest is saved in the session. You should disable the changeSessionIdOnAuthentication flag.