
  • Using Spring Security to manage iOS Homescreen web app sessions

    I recently ran into an issue where I'm being authenticated every time I launch or bring my web app to the foreground when launching it from the homescreen on iOS (I added it to the homescreen from Safari originally). This does not happen when I'm in Safari directly.

    My research has shown that this can be overcome in PHP by creating/restarting the session and then adding a session cookie as follows:

    Code:
    // Start or resume session
    session_start(); 
    
    // Extend cookie life time by an amount of your liking
    $cookieLifetime = 365 * 24 * 60 * 60; // A year in seconds
    setcookie(session_name(),session_id(),time()+$cookieLifetime);

    Rather than do this programmatically, I was wondering if there is a way to do this through the XML configuration. Here is what I currently use:

    Code:
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:sec="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
              http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security-3.1.xsd">
        
        <bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
        </bean>
    
        <sec:http auto-config="false" entry-point-ref="http403EntryPoint">
            <sec:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
        </sec:http>
    
        <bean id="siteminderFilter" class=
                "org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
            <property name="principalRequestHeader" value="x-paas-uid"/>
            <property name="authenticationManager" ref="authenticationManager"/>
        </bean>
    
        <bean id="preauthAuthProvider"
              class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
            <property name="preAuthenticatedUserDetailsService">
                <bean id="userDetailsServiceWrapper"
                      class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                    <property name="userDetailsService" ref="ldapUserDetailsService"/>
                </bean>
            </property>
        </bean>
    
        <sec:authentication-manager alias="authenticationManager">
            <sec:authentication-provider ref="preauthAuthProvider"/>
        </sec:authentication-manager>
    
        <!-- Example using LDAP, but will ultimately use database service -->
        <sec:ldap-server id="ldapServer" port="636" root="o=home"
                              url="ldaps://ldap.home.com"/>
    
    
        <sec:ldap-user-service id="ldapUserDetailsService" server-ref="ldapServer"
                               group-search-base="ou=groups,o=home"
                               role-prefix="ROLE_" group-role-attribute="cn"
                               user-search-base="ou=people,o=home" user-search-filter="uid={0}"/>
    </beans>
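
A declarative counterpart to the PHP snippet above, added here as an example and not part of the original post: in a Servlet 3.0 container the session cookie's lifetime and flags are set in `web.xml`, not in the Spring Security namespace. It assumes the cookie being dropped is the container's own session cookie; the 30-day values are constructed for illustration.

```xml
<!-- Added example: WEB-INF/web.xml for a Servlet 3.0 container (assumed). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <session-config>
        <!-- Server-side session lifetime in MINUTES (constructed value: 30 days).
             Keep it at least as long as the cookie, or the cookie will
             point at a session the container has already discarded. -->
        <session-timeout>43200</session-timeout>

        <cookie-config>
            <!-- Not readable from page script. -->
            <http-only>true</http-only>
            <!-- Only sent over HTTPS; a long-lived session id should never
                 travel in clear text. -->
            <secure>true</secure>
            <!-- Cookie lifetime in SECONDS (constructed value: 30 days).
                 Without max-age the cookie is a browser-session cookie and
                 is gone when the hosting process ends. -->
            <max-age>2592000</max-age>
        </cookie-config>

        <!-- Carry the session id in the cookie only, never in the URL. -->
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
</web-app>
```

A persistent session cookie lengthens the window in which a captured session id is usable, so pair it with the `/logout` URL suggested in the reply below so the session can be ended explicitly.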

  • #2
    I'm not sure how you are using PHP in your application to destroy the session, but you can use the <logout> element to provide a URL that a user can navigate to in order to log out. For example, the following would allow one to navigate to the URL /logout (i.e. https://example.com/contextroot/logout) and that would trigger a logout which destroys the session for you:

    Code:
    <sec:http auto-config="false" entry-point-ref="http403EntryPoint">
            <sec:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
            <sec:logout logout-url="/logout" />
    </sec:http>
    Last edited by Rob Winch; Mar 21st, 2013, 11:24 AM. Reason: code formatting
