I need to implement SSO between a windows domain and a J2EE web appliction.
I've been thinking what the impact of this would be on the web application's session timeout. We have a 2 hour time out.
If we implement a seemless SSO, then I think it might become confusing for the user.
The SSO will make it appear that the web application is immediately available.
I'm worried that they will start filling in forms then go for lunch (or something) and come back after their session has timed out. However, it might not be immediately apparent that this has happened, since the SSO will just sign them on again (but now with a new session).
Has anyone any experience with anything like this and how to handle it? Do we just need to implement some form of extra messaging to tell the user that their previous session has timed out and their work has been lost?
I think you definitely need to pop-up an Alert box of some kind if the user's session is reset. Get them to click OK on the message and redirect them to the home page.
Also, I think a 2 hour timeout sounds like a bad idea if you're doing it how I think you are. Do you mean the user has 2 hours from when log in to work before their session times out? Wouldn't it make more sense to have something like 10 minute timeout but with the timer getting reset whenever the user sends a new request within that session.
The timeout is not a static fixed time measured from login but rather a dynamic measure of inactivity.
On sites we hav buit with this functionality after 10 minutes or so the web page goes back to the login page (JS used) and the user can start again if they want.
If they are busy with a long process where they are reviewing results or something then check the mouse move or some sublte key like that indicating they are still busy.
Old question, but in case anyone runs across it:
Try really hard to store no state in the server session. Client, fine; back-end server persistence (like a database), fine. Just nothing in between that would get lost. When the user is seamlessly re-authenticated, they don't notice the switch. Duration of timeout becomes irrelevant.
This answer is actually more feasible now, six years later, as there are several front-end frameworks that will store your data for you. You can still use Spring Security (say) on the server, as the authentication is still there with the new session; it should regenerate your security info (SecurityContext, UserDetails, etc.) on the fly. Whatever request gets or sends data should then "just work."
Related
I know I don't have any code to show you guys, I am stuck at some point and I dont know where to start. I hope someone will help me.
I am developing a Spring MVC application, and I need to send a message to all active session users to execute a script which is available to all the clients as it is defined in a js file and included for every user.
I have looked around and found some frameworks which offers these type of functionalities like Atmosphere but I don't think it should be used in my situation as it is a big framework and the functionality required is very little. I have also gone thorough WebSockets but I cant find anything which would help me in invoking the script on client side for all the clients.
If someone can help me go to a right path or direct me to a similar example. I will be grateful
****Update****
I can also use polling if there is way that: if the controller gets a request the session should be considered idle during that, for instance, there is controller which is called every 5 minutes and in the session out time is 30 minutes. The session won't expire in this time if the controller used for polling is called every 5 minutes, I need to exclude the particular controller from calculating the idle time
No Polling Solution:
From what I gather, you need a Remote Procedure Call mechanism.
I would go with https://github.com/eriksank/rpc-websocket.
The general idea:
Your clients register themselves to your server process as "consumers".
When a message is ready, your server then goes through every registered "consumer" and sends the message which rpc-websocket can handle .
Polling Solution:
Here is a general idea, works if you have registered, logged on users.
Have a database table that stores messages, lets call it "messages".
Have a database table that keeps track of messages and users, lets call it "message_tracker". if a user has seen a message, there will be a row in this table for the messageId and UserID.
Have a javascript script poll a server url for new messages. What is a new message can be decided based on the database tables above.
If a new message is found, process it and then call another server url which inserts into the message_tracker database table
I have been testing a web application with Spring MVC, and I'm currently developing a editor page for accounts. This JSP page is able to edit one or more accounts, serving for different purposes. For example, a common user can edit account data on this page. On the other hand, administrator users can edit multiple accounts on this page. In terms of logic (for me), the edition of multiple accounts to an administrator user works like this:
The user selects a list of accounts.
The list reaches the controller.
The controller stores the list of accounts.
The controller directs the user to the edit page.
The user fills out the editing form.
The form is sent to the controller.
The controller retrieves the list of accounts previously saved.
Editing form data is reflected in the list of records.
The list is deleted from storage.
My problem appears when the user does not perform step 5, and decides to do something else. Without the removal of the list from storage, the server will suffer from memory leak. It would be very important to detect the user's exit, which would cause the system to remove the list automatically.
I'm choosing to save the list of accounts to be edited on the server side to prevent it from being saved on the user side, where the user could well tamper the data.
I might as well use JavaScript to detect when a user leaves a page, but he/she may well turn off Javascript, which results in the same problem. Therefore, this is an impractical solution.
I have not yet developed the implementation of it, so I'm just projecting right now. Can anyone help me with this? Am I doing something wrong?
Is there an error in my logic, or am I leaving something of use?
OBS: I'm using Tomcat 8.0, and Spring MVC 4.1.1, with the Java JDK 8.
That's the whole purpose of session management. Your web server does it for you.
When you use Java EE or any other session technology, the server is supposed to deal with timeouts, cleaning the session objects. This happens based on user idle time. How does the server know users are idle? Because for every request sent by the browser, his session id is sent in a cookie.
Usually, the timeout threshold is a changeable period of time (usually defined at web.xml). This value may need to be tuned, based on the available network/memory resources and expected simultaneous users.
In fact, sessions+cookies are the only flexible and secure way to deal with the stateless nature of HTTP.
There are variations of this, namely, conversation or view scopes, where the user may have a session per tab. But the principle is the same: put stuff in session and get them later by session id (a cookie at client side).
Finally, you should not rely on the browser to do server stuff. This would not be reliable.
I am working on web based applications.
Server : Tomcat
Technology : Simple Jsp/Servlet/JQuery
I need to restart my server as an when new updates are there. And these changes are frequent almost every 1 or 2 day. I think to create some mechanism like I can say to every logged in user to save their changes and server will start in few minutes. (Timer will be there). Popup should be open though user is ideal.
Is there any direct way to do this so? Or I need to implement ajax call on every few seconds to server on every jsp page to check if any message is there on server???
Any idea will be appreciated.
Thanks in advance.
For the approach you are taking, I would suggest you to use Async Serlvets(Req. min Servlet API 3.0) or Apache Tomcat's comet technology(Kind of Async Servlet).
You will make ajax call on every page when it(page) loads(ajax onload() for eg.) to Async Servlet and will idle until response from server comes. This Async servlet should send Server Restart notification to all connected clients- whenever you trigger notification manually. Once ajax client gets notification, it will display the Warning(or user friendly message).
This will remove the need to make unnecessary polling to server after fixed internal - A big plus resource wise.
Personally I wont suggest this way, better get agreed on specific timeframe for deployment everyday(every two days) with clients and perform deployments in this time.
If you are from India- You must be aware about IRCTC website- Which is not available for train reservation every night for 1 hour.
I am using mysql InnoDB and struts2 for developing my website. When a user want to use a product, he will be send an invoice to his inbox and with that link he can pay the money.
The problem I have to solve is: when a user opens the link in two sessions and tries to pay for both, I have to allow only one transaction. And if allowed transaction gets a problem like browser closure or some other issue, things will go into deadlock condition. I have to avoid this and allow the next transactions.
Please suggest me how to achieve this?
I think you will have to add a life time for each session to prevent deadlocks (just like in the one being used by bank's sites) and you can do that using unique sessionids. All the sessions have fix life time. Once the time is over the session is expired.
In that case if one session is active you can deny all the attempts to that session. If browser closes in between the session, session will automatically expire after its life time. Now if the payment was not done due to any reason i.e. session expire or browser closed, User can simply re-click on the link and restart the process.
Hope it helps,
I have a live spring web app running on amazon and I have recently found login attacks from various IPs. So far nothing has been compromised as the login system is secure enough, with complex passowrds, and encoding with salt etc..
However, I would like to prevent this.
One thing that the logs revealed was that the attackers are somehow able to reach my service classes (only the authenticaltion manager) circumventing my login page. I dont have a special url for login, but how is it possible to call the authentication manager/service etc without going via the login jsp ? I can see logging from loadUserByUsername() method of my authentication service class (which implements UserDetailsService).
Any help will be much appreciated.
Why do you need login.jsp, you can simulate a person posting the login form just by performing HTTP post with all the parameters right?
If all the request coming from the same IP, you can configure your firewall to block it. Other mechanism is to put a delay after a number of failures (eg 30min delay after 5 subsequent failures).
If you want to go further, two form authentication will increase security, eg perform sms confirmation if user is logging in from unknown IP / computer