ive created a grails app and used Apache Shire plugin http://shiro.apache.org/ for security and logging in purposes.
I wanted to find out if anyone knows how I can get a list of the users who are currently logged in to the web application?
Where would this information be stored / on the servers side in a cookie or a session?
Basically i want a widget showing all the current users whom are logged in to my web application currently.
You would probably have to make a table in your app with currently logged in users (or alternatively a shared hashmap)
When your users log in you write the name to the table / hashmap. The tricky part is to figure out, when the user logs out. If the user logs out by clicking "logout" - no problem. If the users session expires you have to listen to the events fired by Shiro.
According to the Shiro website there are several events you can hook into.
Related
I've got a Java Spring Security project that's linked to an Azure AD via a registered Application. This way I can redirect users to Microsoft to login with their Azure account before being able to view certain pages or use certain endpoints. This is all working great.
The problem is, I have another AD (and possibly more in the future) that I also want to be able to have users log into. However as far as I can see Spring Security only allows for 1 AD to be configured, so when a user wants to log in they always have to be a part of the currently linked AD.
I've tried looking into different solutions for this, for example syncing all the users from the external AD into the active AD. For this I was able to retrieve a list of users, but when I wanted to add them to the AD, the only API endpoints I could find were to create new accounts instead of link them from an external AD. Another idea was to configure Spring Security to simply authenticate against more than 1 AD. But as far as I've seen, that's not possible.
In the end I just want to have a situation where users from both AD's can log into my application, using their existing credentials without me having to manually invite each and every one. What is the best practice when dealing with a situation like this? I'd very much appreciate some help pointing me in the right direction. Thanks in advance!
I have been testing a web application with Spring MVC, and I'm currently developing a editor page for accounts. This JSP page is able to edit one or more accounts, serving for different purposes. For example, a common user can edit account data on this page. On the other hand, administrator users can edit multiple accounts on this page. In terms of logic (for me), the edition of multiple accounts to an administrator user works like this:
The user selects a list of accounts.
The list reaches the controller.
The controller stores the list of accounts.
The controller directs the user to the edit page.
The user fills out the editing form.
The form is sent to the controller.
The controller retrieves the list of accounts previously saved.
Editing form data is reflected in the list of records.
The list is deleted from storage.
My problem appears when the user does not perform step 5, and decides to do something else. Without the removal of the list from storage, the server will suffer from memory leak. It would be very important to detect the user's exit, which would cause the system to remove the list automatically.
I'm choosing to save the list of accounts to be edited on the server side to prevent it from being saved on the user side, where the user could well tamper the data.
I might as well use JavaScript to detect when a user leaves a page, but he/she may well turn off Javascript, which results in the same problem. Therefore, this is an impractical solution.
I have not yet developed the implementation of it, so I'm just projecting right now. Can anyone help me with this? Am I doing something wrong?
Is there an error in my logic, or am I leaving something of use?
OBS: I'm using Tomcat 8.0, and Spring MVC 4.1.1, with the Java JDK 8.
That's the whole purpose of session management. Your web server does it for you.
When you use Java EE or any other session technology, the server is supposed to deal with timeouts, cleaning the session objects. This happens based on user idle time. How does the server know users are idle? Because for every request sent by the browser, his session id is sent in a cookie.
Usually, the timeout threshold is a changeable period of time (usually defined at web.xml). This value may need to be tuned, based on the available network/memory resources and expected simultaneous users.
In fact, sessions+cookies are the only flexible and secure way to deal with the stateless nature of HTTP.
There are variations of this, namely, conversation or view scopes, where the user may have a session per tab. But the principle is the same: put stuff in session and get them later by session id (a cookie at client side).
Finally, you should not rely on the browser to do server stuff. This would not be reliable.
RESOLVED. This question can be deleted by moderators
I have a very simple site written using Java EE (JSPs, Java, Tomcat server). I want to implement a simple login system. I thought I got the registration and login working; however, there is a huge problem with the way I'm doing it.
Let's say Alice logs in. She is able to view her profile with her information, everything looks normal so far for Alice.
Then Eve comes around and wants to log on. She does and is taken to her profile, everything looks normal for Eve.
Then Alice reloads her profile to find that the site now has her logged in as Eve!
So to reiterate: after one person is logged in, anyone is able to go to the site and be logged on to that account. And the most recent person to log on is the active account.
How do you keep track of session information like this so that multiple different accounts can be logged on using the site at the same time?
Thanks!
EDIT:
This ended up being a very simple fix.. I just need to use setAttribute("EMAIL", userId); rather than the stupid way I did it which was just using a global String variable
Rather than try to roll your own security, use an existing framework, like Spring Security. Out of the box, it gives you basic login capabilities and handles securing pages using a role-based authentication scheme.
Reading your problem, I think that you store the last logged user's credentials in an instance variable of one of your servlets. This causes the last person to log in to overwrite everyone's credentials...
If you want a simple authentication, you can use Java EE's provided system :
http://docs.oracle.com/javaee/5/tutorial/doc/bncbx.html
Once a user logs in, put his own credentials in his Http session (request.getSession().put(username, )). Then, everyone will have a distinct profile.
I have a simple requirement. I have an web application which has a login page, a dashboard and few other pages.
If the user wants to open the application in multiple browser window from a single computer, then I want the user to login only once in first browser window. From next time onwards, whenever user hits the application URL in another different browser window(or tab) in the same Computer, then the application should redirect the user to dashboard without a fresh login. So that user does not have to login each time he opens the application in another browser window.
Is this complete scenario possible in Java/J2EE using JSP and Struts. Here I am using container managed login in Struts for the authentication(login). I need to maintain different HTTP sessions for each window(this is inherent requirement of the application).
Plz guys, waiting for a quick reply as I am stuck with this very urgent requirement from my Client.
Thanks in advance.
Avijit
In the same browser (IE, Firefox, Chrome etc), this is easily achieved with (session) cookies etc.
After login, just set a cookie that subsequent page loads will read from.
Read this question for some good additional related information:
Managing webapp session data/controller flow for multiple tabs
As #Edwin Buck has already mentioned, have a look at OpenID (or a similar single-sign-on framework):
OpenID
You've also got the option of using the client's IP address, but this is hideously insecure.
Look at the single sign-on architecture, or other solutions (like OpenId) which do authentication without end user interaction.
I am trying to secure my Flex application within my Java web application. Currently my Java web application, handles logging and managing user accounts and the like. I was wondering if there is a way to essentially share that user credentials with the Flash movie in a secure mechanism? For instance, if you log in, we want you to be able to save items in the Flex application for that user, only if that user is logged in of course. Any ideas? Any help is greatly appreciated.
Update:
I apologize for the vagueness. I'm running Tomcat 5.5, Java 6 doing portlet development inside a Vignette Portal. All data communication is via Blaze DS. In our environment, we have data services and the portal handles logins, user management and the like. Currently we are simply passing down the username to the flash movie, which I don't feel is very secure.
You can pass data to a flash movie using flashVars which can be generated in a JSP. The data can be a one-time key generated on the server and associated with a user id. The Flex application can then take the key and use it to log in via a webservice call. The server will then validate the key and allow access to the user's account.
It is a very general question and it's hard to provide a good answer without knowing what is your current architecture. The Flex application is using the same web server as your web application? What are you using in order to discuss with the backend (web services, sockets, rtmp sockets)? If you are sharing the same web server you can access the same HTTP session and you can check if the user is logged in or not.
If you need to be aware in your Flex application that the user has just logged off from the HTML application or the session has expired you have several options, again depending on your architecture. Assuming that the HTML application was already was notified you can call through ExternalInterface a method from the Flex application. If not (session expired while you are using the Flex application) you will know when trying to save your data.