
  • Concurrent Session Control and Session Fixation Protection not working

    Hi all,
    I'm configuring Concurrent Session Control and Session Fixation Protection, but they don't work. The JSESSIONID value doesn't change when logging in, and I can't limit users to one session. Can anyone help with this?

    web.xml :
    Code:
    ...
      <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <listener>
        <listener-class>
    		org.springframework.security.web.session.HttpSessionEventPublisher
        </listener-class>
      </listener>
    ...
    spring-security.xml :
    Code:
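    <?xml version="1.0" encoding="ISO-8859-1"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans" 
    		xmlns:sec ="http://www.springframework.org/schema/security"		
    		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    		xsi:schemaLocation="http://www.springframework.org/schema/beans
    		http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    	    http://www.springframework.org/schema/security
    	    http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    	
    	<sec:http access-denied-page="/failed.xhtml" use-expressions="true" >
    		<sec:form-login login-page="/fLogin.xhtml" 
    			default-target-url="/pages/page01.xhtml"/>
    		<!-- The login and access-denied pages had no rule of their own, so they were served
    		     over plain HTTP (port 8090) and the credential POST could travel in clear.
    		     permitAll keeps them reachable before login; requires-channel moves them to 8443. -->
    		<sec:intercept-url pattern="/fLogin.xhtml" access="permitAll" requires-channel="https"/>
    		<sec:intercept-url pattern="/failed.xhtml" access="permitAll" requires-channel="https"/>
    		<sec:intercept-url pattern="/maint/**" access="isAuthenticated()" requires-channel="https"/>
    		<sec:intercept-url pattern="/pages/**" access="isAuthenticated()" requires-channel="https"/>
    		
    		<sec:logout invalidate-session="true" logout-success-url="/fLogin.xhtml" delete-cookies="JSESSIONID"/>
    		
    		<!-- newSession: a brand-new session with no attributes carried over (migrateSession
    		     would copy them). error-if-maximum-exceeded="true": a second concurrent login is
    		     refused instead of expiring the first session.
    		     NOTE(review): the SessionAuthenticationStrategy this element builds is invoked from the
    		     form-login filter; AuthenticationServiceImp in this thread authenticates programmatically
    		     and never goes through that filter, which would explain the unchanged JSESSIONID and the
    		     missing session limit - confirm, e.g. by wiring session-authentication-strategy-ref and
    		     invoking the strategy from that service after a successful authenticate(). -->
    		<sec:session-management invalid-session-url="/fLogin.xhtml" session-fixation-protection="newSession">
    			<sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" 
    										session-registry-ref="sessionRegistry"	expired-url="/fLogin.xhtml"/>
    		</sec:session-management>
    		
    		<sec:port-mappings>
    			<sec:port-mapping http="8090" https="8443"/>
    		</sec:port-mappings>
    	</sec:http>
    	
    	<bean id="sessionRegistry"
        	class="org.springframework.security.core.session.SessionRegistryImpl" />
    
        <sec:global-method-security pre-post-annotations="enabled">
            
        </sec:global-method-security>
    
    	<sec:authentication-manager alias="authenticationManager">
    		<sec:authentication-provider
    			user-service-ref="userDetailsService" >
    			<sec:password-encoder ref="passwordEncoder">
    				<sec:salt-source ref="saltSource"/>
    			</sec:password-encoder>
    		</sec:authentication-provider>
    	</sec:authentication-manager>
    	
    	<!-- NOTE(review): ShaPasswordEncoder at its default strength is a single SHA-1 round, salted
    	     here only with the username; if the user table leaks this is cheap to brute-force offline.
    	     Spring Security 3.1 ships BCryptPasswordEncoder (spring-security-crypto) - plan a
    	     migration of the stored hashes. -->
    	<bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder">	
    	</bean>
    	
    	<bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
    		<property name="userPropertyToUse" value="username"></property>	
    	</bean>
    	
    	<!-- Not referenced by anything else in this file; confirm it is wired somewhere before keeping it. -->
    	<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    	    <property name="rolePrefix" value="" />
    	</bean>
    	
    </beans>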
    AuthenticationServiceImp :
    Code:
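    @Service("authenticationService")
    public class AuthenticationServiceImp implements AuthenticationService{

    	@Resource(name = "authenticationManager")
    	private AuthenticationManager authenticationManager;

    	/**
    	 * Authenticates {@code username}/{@code password} directly against the
    	 * {@link AuthenticationManager} and, on success, binds the result to the
    	 * {@link SecurityContextHolder}.
    	 * <p>
    	 * NOTE(review): this call goes straight to the manager and never through Spring
    	 * Security's form-login filter, so the SessionAuthenticationStrategy configured by
    	 * {@code <sec:session-management>} (session-fixation-protection, concurrency-control)
    	 * is not applied on this path - which matches an unchanged JSESSIONID and no session
    	 * limit. Confirm by exposing the strategy via {@code session-authentication-strategy-ref}
    	 * and calling its {@code onAuthentication(...)} here after a successful authenticate().
    	 *
    	 * @param username login name submitted by the user
    	 * @param password clear-text password submitted by the user
    	 * @return {@code true} if the manager authenticated the token, {@code false} otherwise
    	 */
    	@Override
    	public boolean login(String username, String password) {
    		try {
    			Authentication result = authenticationManager.authenticate(
    					new UsernamePasswordAuthenticationToken(username, password));
    			if (result.isAuthenticated()) {
    				SecurityContextHolder.getContext().setAuthentication(result);
    				return true;
    			}
    		} catch (AuthenticationException e) {
    			// Shown to the user as-is; presumably the provider's default of hiding
    			// UsernameNotFoundException keeps unknown-user and wrong-password
    			// indistinguishable here - confirm before relying on it.
    			FacesContext.getCurrentInstance().addMessage(null,
    					new FacesMessage(FacesMessage.SEVERITY_ERROR, e.getMessage(), e.getMessage()));
    		}
    		return false;
    	}

    	/**
    	 * Logs the current user out: clears the thread-bound security context and
    	 * invalidates the HTTP session so the old JSESSIONID cannot be reused. The
    	 * previous version only nulled the Authentication and left the session alive.
    	 */
    	@Override
    	public void logout() {
    		SecurityContextHolder.clearContext();
    		FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
    	}

    }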
    UserDetailServiceImp :
    Code:
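    @Service("userDetailsService")
    public class UserDetailServiceImp implements UserDetailsService {

    	@Resource
    	private UsuarioRemote jUsuarioService;

    	// Injected but not used by this class; hashing and salting are applied by the
    	// authentication provider configured in spring-security.xml.
    	@Autowired
    	private PasswordEncoder encoder;
    	@Autowired
    	private SaltSource saltSource;

    	/**
    	 * Looks up {@code username} through {@code jUsuarioService} and adapts the record
    	 * to a {@link UserDetails}.
    	 * <p>
    	 * The previous version returned {@code null} on any exception, which violates the
    	 * {@link UserDetailsService} contract (a missing user must be signalled with
    	 * {@link UsernameNotFoundException}) and discarded the real cause of lookup failures.
    	 *
    	 * @param username login name to resolve
    	 * @return the populated {@link User}; never {@code null}
    	 * @throws UsernameNotFoundException if no such user exists, the lookup fails, or the
    	 *         record cannot be turned into a {@link User}
    	 */
    	@Override
    	public UserDetails loadUserByUsername(String username)
    			throws UsernameNotFoundException {
    		try {
    			Usuario user = jUsuarioService.findById(username);
    			if (user == null) {
    				throw new UsernameNotFoundException("User '" + username + "' not found");
    			}
    			return toUserDetails(user);
    		} catch (UsernameNotFoundException e) {
    			throw e;
    		} catch (Exception e) {
    			// Keep "any failure is an authentication failure", but carry the cause so
    			// backend outages are distinguishable in the logs from unknown users.
    			throw new UsernameNotFoundException("Unable to load user '" + username + "'", e);
    		}
    	}

    	/** Builds the security {@link User} from a {@link Usuario} record. */
    	private UserDetails toUserDetails(Usuario user) {
    		/*
    		 * provisional authorities: every user receives the same two, whatever the record says
    		 */
    		Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
    		authorities.add(new GrantedAuthorityImpl("BD.SETTI.CTM.COUNT"));
    		authorities.add(new GrantedAuthorityImpl("BS.SETTI.CTM.COUNT"));

    		// All four account-state flags are hard-wired to true; the attempt counters are
    		// passed through but nothing here derives accountNonLocked from them yet.
    		boolean enabled = true;
    		boolean accountNonExpired = true;
    		boolean credentialsNonExpired = true;
    		boolean accountNonLocked = true;

    		return new User(user.getUsername(), user.getPassword(), enabled,
    				accountNonExpired, credentialsNonExpired, accountNonLocked,
    				user.getAttempts(), user.getMaxAttempts(), user.isRequiresChangePw(),
    				authorities);
    	}
    }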
    User.java
    Code:
    public class User implements Serializable,
    		org.springframework.security.core.userdetails.UserDetails,
    		CredentialsContainer {
    
    	private static final long serialVersionUID = 1L;

    	// Not final: as a CredentialsContainer this class is presumably expected to null the
    	// password out after authentication (that method is among the elided ones - confirm).
    	private String password;
    	private final String username;
    	// Unmodifiable view built in the constructor from sortAuthorities(...).
    	private final Set<GrantedAuthority> authorities;
    	private final boolean accountNonExpired;
    	private final boolean accountNonLocked;
    	private final boolean credentialsNonExpired;
    	private final boolean enabled;

    	// UPPER_SNAKE_CASE but neither static nor final: a per-instance ceiling taken from the
    	// constructor's maxfailedAttempts argument, not a class constant.
    	private short MAX_FAILED_LOGIN_ATTEMPTS;

    	// Counters/flags beyond the standard UserDetails contract; set in the constructor,
    	// presumably maintained by the elided setters - confirm.
    	private int failedLoginAttempts;
    	private boolean requiresChangePw;
    
        public User(String username, String password,
    			Collection<? extends GrantedAuthority> authorities) {
    		// Convenience form: enabled, unexpired, unlocked account, no forced password
    		// change, 3 failed attempts already recorded against a ceiling of 5.
    		// NOTE(review): the initial count of 3 looks like it was meant to be 0 - confirm.
    		this(username, password, true, true, true, true, 3, (short) 5, false, authorities);
    	}
    
    	public User(String username, String password, boolean enabled,
    			boolean accountNonExpired, boolean credentialsNonExpired,
    			boolean accountNonLocked, int failedLoginAttempts,
    			short maxfailedAttempts, boolean requiresChangePw,
    			Collection<? extends GrantedAuthority> authorities) {
    		// A user must have a non-empty name and a (possibly empty) password; everything
    		// else is stored as given.
    		boolean usernameMissing = username == null || username.isEmpty();
    		if (usernameMissing || password == null) {
    			throw new IllegalArgumentException(
    					"Cannot pass null or empty values to constructor");
    		}

    		this.username = username;
    		this.password = password;
    		this.enabled = enabled;
    		this.accountNonExpired = accountNonExpired;
    		this.credentialsNonExpired = credentialsNonExpired;
    		this.accountNonLocked = accountNonLocked;
    		this.failedLoginAttempts = failedLoginAttempts;
    		this.MAX_FAILED_LOGIN_ATTEMPTS = maxfailedAttempts;
    		this.requiresChangePw = requiresChangePw;
    		// Callers keep no handle on the stored set; it is wrapped read-only.
    		Set<GrantedAuthority> sorted = sortAuthorities(authorities);
    		this.authorities = Collections.unmodifiableSet(sorted);
    	}
    
    ... 
    /* getter and setter and other methods */
    ...
    
        @Override
    	public int hashCode() {
    		// Identity is the username alone, mirroring equals(); password and flags are
    		// deliberately excluded. The null branch is unreachable via the constructor's
    		// validation but kept so the value never changes.
    		int usernameHash = (username == null) ? 0 : username.hashCode();
    		return 31 + usernameHash;
    	}
    
    	@Override
    	public boolean equals(Object obj) {
    		if (this == obj) {
    			return true;
    		}
    		// instanceof is false for null, so the explicit null check is folded in here.
    		if (!(obj instanceof User)) {
    			return false;
    		}
    		User other = (User) obj;
    		// Two users are the same account when their usernames match (see hashCode()).
    		if (username == null) {
    			return other.username == null;
    		}
    		return username.equals(other.username);
    	}
    }