I am using the Spring Framework 4.0 release version, along with the Spring Security 3.2 release version. I came across a situation where it is required to use a feature to restrict the number of active sessions for the same user id. By reading the Spring Security documentation, I learned that Spring Security provides this type of feature. I've tried implementing it that way. It is working fine (on a single system). I've used a custom UserDetailsService class with a custom UserDetails class.
Now the question that arises is: how can I achieve this behaviour in a clustered environment? I have a clustered environment with a sticky session mechanism.
You will need to implement a custom SessionRegistry. You will need a way (preferably a database) to share the sessions between the clustered nodes.
So on a user's successful authentication, check if there is already a sessionId assigned to the user (in the database). Then invalidate the earlier one and save the new session Id.
Also, for authenticating the request, you will need to validate it using the database.
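A minimal version of such a registry, added here as an illustration; it is not code from Spring Security or from the answer above. It assumes Spring's JdbcTemplate, a table named session_registry created on the database the nodes share, and that the principal is a UserDetails whose username identifies the user:

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * Illustrative SessionRegistry backed by a table shared by every cluster node
 * (example code, not part of Spring Security). Assumed table:
 *
 *   CREATE TABLE session_registry (
 *     session_id     VARCHAR(128) PRIMARY KEY,
 *     principal_name VARCHAR(255) NOT NULL,
 *     last_request   TIMESTAMP    NOT NULL,
 *     expired        BOOLEAN      NOT NULL DEFAULT FALSE
 *   );
 */
public class JdbcSessionRegistry implements SessionRegistry {

    private final JdbcTemplate jdbc;

    public JdbcSessionRegistry(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    /** Key sessions by user name so the same user is recognised on every node. */
    private static String nameOf(Object principal) {
        return principal instanceof UserDetails
                ? ((UserDetails) principal).getUsername() : String.valueOf(principal);
    }

    /** SessionInformation whose expireNow() is written through to the shared table. */
    private class StoredSessionInformation extends SessionInformation {
        StoredSessionInformation(String name, String sessionId, Date lastRequest, boolean expired) {
            super(name, sessionId, lastRequest);
            if (expired) {
                super.expireNow();   // restore the stored flag without another UPDATE
            }
        }

        @Override
        public void expireNow() {
            super.expireNow();
            jdbc.update("UPDATE session_registry SET expired = TRUE WHERE session_id = ?", getSessionId());
        }
    }

    private final RowMapper<SessionInformation> mapper = new RowMapper<SessionInformation>() {
        public SessionInformation mapRow(ResultSet rs, int rowNum) throws SQLException {
            return new StoredSessionInformation(rs.getString("principal_name"), rs.getString("session_id"),
                    new Date(rs.getTimestamp("last_request").getTime()), rs.getBoolean("expired"));
        }
    };

    public List<Object> getAllPrincipals() {
        return new ArrayList<Object>(jdbc.queryForList(
                "SELECT DISTINCT principal_name FROM session_registry", String.class));
    }

    public List<SessionInformation> getAllSessions(Object principal, boolean includeExpiredSessions) {
        String sql = "SELECT * FROM session_registry WHERE principal_name = ?"
                + (includeExpiredSessions ? "" : " AND expired = FALSE");
        return jdbc.query(sql, mapper, nameOf(principal));
    }

    public SessionInformation getSessionInformation(String sessionId) {
        List<SessionInformation> rows = jdbc.query(
                "SELECT * FROM session_registry WHERE session_id = ?", mapper, sessionId);
        return rows.isEmpty() ? null : rows.get(0);
    }

    public void refreshLastRequest(String sessionId) {
        jdbc.update("UPDATE session_registry SET last_request = ? WHERE session_id = ?",
                new Timestamp(System.currentTimeMillis()), sessionId);
    }

    public void registerNewSession(String sessionId, Object principal) {
        jdbc.update("INSERT INTO session_registry (session_id, principal_name, last_request, expired)"
                + " VALUES (?, ?, ?, FALSE)", sessionId, nameOf(principal),
                new Timestamp(System.currentTimeMillis()));
    }

    public void removeSessionInformation(String sessionId) {
        jdbc.update("DELETE FROM session_registry WHERE session_id = ?", sessionId);
    }
}
```

Wire it in with `<session-management><concurrency-control max-sessions="1" session-registry-ref="jdbcSessionRegistry"/></session-management>` and keep HttpSessionEventPublisher registered so removeSessionInformation runs when a container invalidates a session. Because expireNow() writes through to the table, the standard concurrency strategy marks the older session expired even when it lives on another node; that node's ConcurrentSessionFilter calls getSessionInformation on the user's next request, sees the flag and logs the session out, which is the per-request database check the answer refers to. Rows left behind by a crashed node are not removed by any event, so expire them by last_request with a periodic job.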
I am successfully using Spring OAuth2 with Google in a Spring Boot application, and now the time has come to make the application highly available (to start with, to have more than 1 instance). Spring OAuth by default creates a session, so in order not to work against the framework the sensible thing is to use clustered sessions.
For a first proof of concept I chose Redis as a key-value store to persist the session.
The setup is done but I now have an issue: Spring OAuth creates a very heavy session with the OAuthRestTemplate, Resources and even the Request, which is hard to serialize.
Has anybody found a solution for this?
I want to implement Aerospike on my Spring MVC website to cache user sessions.
I could implement Redis caching, but as it does not support distributed caching, I want to start using Aerospike, but I cannot find any lib or examples on how to implement Spring Session with Aerospike, allowing me to turn off one of my machines and keep all active users logged in.
The closest I could get to any implementation was this GitHub repository, but it seems it was abandoned:
https://github.com/vlad-aleksandrov/spring-session-aerospike
This was the tutorial I followed to implement user sessions with Redis:
http://docs.spring.io/spring-session/docs/current/reference/html5/guides/httpsession.html
You should take a look at the Aerospike Play plugin. At the heart of it is the session store. The Play plugin is a wrapper on top of it. The session store is available as an independent repo under mvn/gradle. It is an official one, so you should be able to report issues and get help. You can reuse the session store component or write your own based on it.
I am working on a Java application with database authentication using spring-security.
It is quite usual that this application is used with other applications on a similar domain.
Requirement: the need is that all such partner apps should be able to share common authentication with my application.
Also, it is required to continue supporting DB authentication.
One way I found is to embed an LDAP server like ApacheDS in my application so that other partner apps can use it to get authenticated.
In this case, I need to load ApacheDS with the related database records and keep it in sync programmatically.
But the disadvantage of this is having a redundant copy of the authentication data: one in the DB and another in the ApacheDS LDAP.
Question: Is there any way to avoid such duplication? By googling, I found the option of having a virtual directory server such as Penrose or Oracle Virtual Directory. But unfortunately they cannot be embedded in an application. Is there any way to provide embedded LDAP support on top of existing database authentication?
Disclaimer: I know very little about the Spring Framework and even less about Spring Security.
Having said that, I did face a similar situation; in my case, it was Apache DS as my app's authentication source and the client's AD as the other.
My deployment environment was Tomcat and I used Tomcat's CombinedRealm, which nests more than one realm for authentication. My app's realm was configured to be one and the client's AD was configured to be another.
Users could authenticate from either realm; it worked. However, I did have to replicate the client's AD users every night (including AD tombstones to mark them inactive), for authentication is one thing but other client information was also required, e.g. email, roles etc., and the inclusion of new users.
I am fairly sure that Spring Security will also have the concept of a combined realm.
I understand that this answer is not really an answer and more of a design approach, and many years too late at that; however, I wished to share my experience.
I am currently trying to implement a single sign-on solution across multiple JVM-based (Grails, Servlets) web applications, currently all deployed in the same servlet container (currently Tomcat, but I don't want to limit my solution to just Tomcat). All web applications share a common database.
I've looked at various options, from using CAS or other third-party libraries to creating a new web service to handle single sign-on, but none seem to really satisfy the business. My current implementation involves creating a new jar library which has a common implementation of AuthenticationProviders and pre-authentication filters based on Spring Security.
In this approach I have multiple AuthenticationProviders (currently Active Directory and Database) for the application to authenticate against. Upon successful authentication a row would be inserted in a session table that contains the user, an expiration time, and a token. The token would also be stored as a cookie on the user's machine, and that would be used to validate that they have a current session in the pre-authentication filters.
Having never done this before, I want to make sure I'm not creating a huge security problem, and I'd also like to know what I would need to create the token. At this point a simple GUID seems to be sufficient?
Currently we are working on Spring Security 3.0.x, and haven't upgraded to 3.1 yet.
Thanks in advance.
I ended up solving this problem by doing the following:
I created an AuthenticationSuccessHandler which would add a cookie to the user's session which had identifying information as well as the hostname, to try to secure it as much as possible. (The application was running internally at most customer sites, so the risks here were determined to be minimal, but be careful about cookie jacking.)
Then on each application that needed to have SSO I implemented an AbstractPreAuthenticatedProcessingFilter, and placed it before the authentication filter, which would pull the cookie out and create an Authentication object. Lastly I created an AuthenticationProvider which validated the information from the cookie.
Hopefully that helps someone else in the future with this type of request.
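The three pieces the answer lists, written out as an added example against Spring Security 3.0's pre-authentication API; this is not the poster's code. It assumes Spring's JdbcTemplate over the shared database, a table named sso_session, a cookie named SSO_TOKEN, an 8 hour lifetime, and that all applications sit on the same host (as in the question) so a path of "/" is enough for the cookie to be shared. The token is 256 bits from SecureRandom rather than a GUID, and only its SHA-256 hash is stored, so reading or dumping the table does not yield usable tokens; the authorities are a fixed assumed role because each application assigns its own:

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Timestamp;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Illustrative cookie-based SSO pieces (example code, not the poster's implementation).
 * Assumed table on the database every application shares:
 *   CREATE TABLE sso_session (token_hash CHAR(64) PRIMARY KEY,
 *                             username VARCHAR(255) NOT NULL, expires_at TIMESTAMP NOT NULL);
 */
public class SsoCookieSupport {
    static final String COOKIE_NAME = "SSO_TOKEN";        // assumed cookie name
    static final long TTL_MILLIS = 8L * 60 * 60 * 1000;   // assumed 8 hour validity

    /** Issues 256-bit random tokens and keeps only their SHA-256 in the shared table. */
    public static class TokenStore {
        private final JdbcTemplate jdbc;
        private final SecureRandom random = new SecureRandom();
        public TokenStore(DataSource dataSource) { this.jdbc = new JdbcTemplate(dataSource); }

        public String issue(String username) {
            byte[] raw = new byte[32];
            random.nextBytes(raw);                          // CSPRNG output, not a GUID
            String token = hex(raw);
            jdbc.update("INSERT INTO sso_session (token_hash, username, expires_at) VALUES (?, ?, ?)",
                    sha256Hex(token), username, new Timestamp(System.currentTimeMillis() + TTL_MILLIS));
            return token;
        }

        /** User name behind a live token, or null when it is unknown or expired. */
        public String resolve(String token) {
            List<String> rows = jdbc.queryForList(
                    "SELECT username FROM sso_session WHERE token_hash = ? AND expires_at > ?",
                    String.class, sha256Hex(token), new Timestamp(System.currentTimeMillis()));
            return rows.isEmpty() ? null : rows.get(0);
        }
    }

    /** Runs after a normal login in any application and hands the browser the shared cookie. */
    public static class CookieIssuingSuccessHandler implements AuthenticationSuccessHandler {
        private final TokenStore store;
        public CookieIssuingSuccessHandler(TokenStore store) { this.store = store; }

        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException {
            Cookie cookie = new Cookie(COOKIE_NAME, store.issue(authentication.getName()));
            cookie.setHttpOnly(true);              // Servlet 3.0 API; keeps page scripts away from it
            cookie.setSecure(request.isSecure());  // never send the token over plain HTTP
            cookie.setPath("/");                   // visible to every app on this host
            response.addCookie(cookie);
            response.sendRedirect(request.getContextPath() + "/");
        }
    }

    /** Placed before the login filter; lifts the cookie value out as a pre-authenticated principal. */
    public static class CookiePreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            Cookie[] cookies = request.getCookies() == null ? new Cookie[0] : request.getCookies();
            for (Cookie c : cookies) {
                if (COOKIE_NAME.equals(c.getName())) return c.getValue();
            }
            return null;   // no cookie: fall through to the application's own login
        }

        protected Object getPreAuthenticatedCredentials(HttpServletRequest request) { return "N/A"; }
    }

    /** Checks the token against the shared table and builds the authenticated principal. */
    public static class CookieTokenProvider implements AuthenticationProvider {
        private final TokenStore store;
        public CookieTokenProvider(TokenStore store) { this.store = store; }

        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            String username = store.resolve(String.valueOf(authentication.getPrincipal()));
            if (username == null) throw new BadCredentialsException("SSO token unknown or expired");
            return new PreAuthenticatedAuthenticationToken(username, "N/A",
                    AuthorityUtils.createAuthorityList("ROLE_USER"));   // assumed fixed role
        }

        public boolean supports(Class<?> authentication) {
            return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    static String sha256Hex(String s) {
        try { return hex(MessageDigest.getInstance("SHA-256").digest(s.getBytes("UTF-8"))); }
        catch (Exception e) { throw new IllegalStateException(e); }
    }

    /** Lower-case hex, zero padded to the full byte length. */
    static String hex(byte[] bytes) {
        return String.format("%0" + (bytes.length * 2) + "x", new BigInteger(1, bytes));
    }
}
```

In each application register the filter with `<custom-filter position="PRE_AUTH_FILTER" ref="cookiePreAuthFilter"/>` (it needs its authenticationManager property set) and list CookieTokenProvider in the authentication-manager; on logout delete the token's row so the cookie dies everywhere at once. The cookie is a bearer credential: HttpOnly, Secure and the server-side expiry are what limit the damage, while putting the hostname inside the cookie does not stop a stolen cookie from being replayed.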
There are extensions for Kerberos, OAuth and SAML available on the Spring Security Extensions website. Here is the blog entry which provides an example: SpringSource Blog
If you are using NTLM as your SSO provider, take a look at the jespa-spring project.
Or you might want to look at the Java Open Single Sign-On Project
Here is my specific question:
There is a project which contains a lot of pages and uses the Spring Framework on Java.
There are admin users and department users.
The problem is that an admin user should see all kinds of users (all information).
Sometimes an admin might delete some users; this should be possible as well.
My project leader told me to look at session property access and to search whether there is a framework for that which works with Spring.
How could I manage that?
Is there a framework for that? If not what is the best way ?
You can, by using the Acegi security framework; it integrates with the Spring Framework. To solve your issue, you have to set the current user into the HttpSession (Spring Acegi has a specific class for this) and read the current user whenever needed.
Spring + Acegi has more features, like:
Multiple levels of security via multiple levels of filters
Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
Support for ACLs (Access Control Lists) and domain object security.
Support for authentication & authorization.
and a lot more
It has a lot of useful utilities and structures.
You can see more information at the following links:
http://en.wikipedia.org/wiki/Spring_Security
http://www.tfo-eservices.eu/wb_tutorials/media/SpringAcegiTutorial/HTML/SpringAcegiTutorial-1_1-html.html
To add Spring Security to an existing Spring app, follow the next example:
http://www.mkyong.com/spring-security/spring-security-hello-world-example/
And I recommend you read their documentation. Spring has really good documentation.
Another example
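How the admin/department split can be expressed with Spring Security (Acegi's successor), added here as an example; it is not part of the answer above. It reads the current user from SecurityContextHolder, which is where Spring Security keeps the logged-in principal for the current request, instead of a hand-managed HttpSession attribute. The DepartmentUser and UserRecord types and the sample records are assumptions for the example:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;

import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;

/**
 * Illustrative admin-vs-department access rules (example code, not from the answer above).
 * Assumes method security is switched on with <global-method-security pre-post-annotations="enabled"/>
 * and that the logged-in principal is the DepartmentUser defined here.
 */
public class UserAdminService {

    /** Assumed custom principal: Spring Security's User plus the department it belongs to. */
    public static class DepartmentUser extends User {
        private final String department;
        public DepartmentUser(String username, String password, String department,
                              Collection<? extends GrantedAuthority> authorities) {
            super(username, password, authorities);
            this.department = department;
        }
        public String getDepartment() { return department; }
    }

    /** Assumed shape of a user record shown on the admin pages. */
    public static class UserRecord {
        private final String username;
        private final String department;
        public UserRecord(String username, String department) {
            this.username = username;
            this.department = department;
        }
        public String getUsername() { return username; }
        public String getDepartment() { return department; }
    }

    // Constructed sample data standing in for the project's user table.
    private final List<UserRecord> users = new ArrayList<UserRecord>(Arrays.asList(
            new UserRecord("alice", "sales"), new UserRecord("bob", "sales"),
            new UserRecord("carol", "finance")));

    /** The current principal, read from the security context Spring Security fills per request. */
    public static DepartmentUser currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Object principal = auth == null ? null : auth.getPrincipal();
        return principal instanceof DepartmentUser ? (DepartmentUser) principal : null;
    }

    /**
     * Admins see everyone; a department user only sees records from their own department.
     * @PostFilter removes non-matching elements, so the returned list must be mutable.
     */
    @PreAuthorize("isAuthenticated()")
    @PostFilter("hasRole('ROLE_ADMIN') or filterObject.department == principal.department")
    public List<UserRecord> listUsers() {
        return new ArrayList<UserRecord>(users);
    }

    /** Only admins may delete; anyone else gets an AccessDeniedException before the body runs. */
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void deleteUser(String username) {
        for (Iterator<UserRecord> it = users.iterator(); it.hasNext();) {
            if (it.next().getUsername().equals(username)) {
                it.remove();
            }
        }
    }
}
```

The annotations are enforced by a proxy around the Spring-managed bean, so they apply only when listUsers() and deleteUser() are called from outside the class through that bean; a call from another method of the same instance bypasses them. hasRole('ROLE_ADMIN') expects the authority to carry the ROLE_ prefix, which is what Spring Security 3.x grants by default.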