  • Problem with concurrent sessions

    Hi guys !!!

    I posted a thread because I had some problems with the concurrent sessions. Most of these problems were solved but not the most important. Even if I limit the number of concurrent sessions in the configuration file, it does not work.

    This is what I set into my spring security configuration:

    Code:
    <security:http auto-config="true" once-per-request="false">
    ...
       <security:concurrent-session-control 
          max-sessions="1" 
          expired-url="/login.html?concurrent=true" />
    ...		
    </security:http>
    
    <security:authentication-provider user-service-ref="customUserDetailsService" />
        
    <!-- Settings for the entry-point of the application and the login page -->
    <bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
       <property name="loginFormUrl" value="/login.jsp" />
       <property name="forceHttps" value="false" />
    </bean>
        
    <bean id="customUserDetailsService" class="com.security.auth.CustomUserDetailsService">
       <property name="userManager" ref="userManager" />
    </bean>
        
    <!-- A custom filter to use our custom authentication manager -->
    <bean id="customAuthenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">	    
       <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
       <property name="authenticationManager" ref="customAuthenticationManager" />
       <property name="authenticationFailureUrl" value="/login.html?error=true" />
       <property name="defaultTargetUrl" value="/secure/index.html" />
       <property name="filterProcessesUrl" value="/j_spring_security_check.jsp" />
    </bean>
      
    </beans>
    
    <!-- A custom authentication manager -->
    <bean id="customAuthenticationManager" class="com.security.auth.CustomAuthenticationManager">
       <property name="providers">
          <list>
             <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
                <property name="userDetailsService" ref="customUserDetailsService" />
                <property name="passwordEncoder" ref="passwordEncoder" />
             </bean>
          </list>
       </property>
    </bean>
    I wrote my own authentication manager to prevent a first bug with the concurrent sessions.

    This is the java code of my custom class:

    Code:
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.providers.ProviderManager;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
    
    public class CustomAuthenticationManager extends ProviderManager {
    
       @Override
       public Authentication doAuthentication(Authentication authRequest)
             throws AuthenticationException {
          // Let the configured providers authenticate, then carry the request's details over
          UsernamePasswordAuthenticationToken result =
                (UsernamePasswordAuthenticationToken) super.doAuthentication(authRequest);
          copyDetails(authRequest, result);
          return result;
       }
    
       protected void copyDetails(Authentication source, UsernamePasswordAuthenticationToken dest) {
          if (dest.getDetails() == null) {
             dest.setDetails(source.getDetails());
          }
       }
    }
    Does anybody know why I can log in with as many sessions as I want, though the maximum number of sessions is limited to 1?

    Thanks for your help.

  • #2
    You can't use your own AuthenticationManager if you are using the namespace method or http security:

    http://static.springframework.org/sp...s-auth-manager



    • #3
      Spring Security + Concurrent session control + XFire

      Hi Luke !!!

      Thanks a lot for your reply.

      I had to create my own AuthenticationManager because I want to secure my Web services (I use XFire) with spring-security. But as I explained in my previous thread, when I add the concurrent-session-control element, this authentication fails with this error:
      java.lang.IllegalArgumentException: Authentication.getDetails() required.

      It works only if I override the method "doAuthentication". But then, as you explain, the concurrent-session-control does not do its job. I am going around in circles: I need to secure my web services and to control the concurrent sessions.

      This is the only solution I found to make it work. Maybe it is not the best way and I am interested in all suggestions:

      The configuration of SpringSecurity:
      Code:
      <security:http auto-config="true" once-per-request="false">
      ...
         <security:concurrent-session-control 
            max-sessions="1" 
            expired-url="/login.html?concurrent=true" />
      ...		
      </security:http>
      		
      <security:authentication-manager alias="authenticationManager" />
      	
      <security:authentication-provider user-service-ref="customUserDetailsService">
         <security:password-encoder ref="passwordEncoder" />
      </security:authentication-provider>
          
      <bean id="customUserDetailsService" class="com.security.auth.CustomUserDetailsService">
         <property name="userManager" ref="userManager" />
      </bean>
      
      <!-- A custom authentication manager -->
      <bean id="customAuthenticationManager" class="com.security.auth.CustomAuthenticationManager">
         <property name="providers">
            <list>
               <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
                  <property name="userDetailsService" ref="customUserDetailsService" />
                  <property name="passwordEncoder" ref="passwordEncoder" />
               </bean>
            </list>
         </property>
      </bean>
      
      <security:global-method-security>
         <security:protect-pointcut expression="execution(* com.ws.xfire.UserService.*(..))" access="ROLE_ADMIN" />
      </security:global-method-security>
        
      </beans>
      My AuthenticationHandler will not use the default AuthenticationManager of Spring Security but mine:

      Code:
      <bean id="authenticationHandler" class="com.ws.xfire.impl.AuthenticationHandler">	
         <property name="authenticationManager" ref="customAuthenticationManager"/>  	
      </bean>
      I also don't know if it is normal that this exception "java.lang.IllegalArgumentException: Authentication.getDetails() required." is thrown when I try to secure my web services with the default AuthenticationManager of Spring Security.

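Posts #2 and #3 hinge on a detail of the Spring Security 2.0 namespace. `<concurrent-session-control>` attaches a `ConcurrentSessionControllerImpl`, backed by a `SessionRegistry`, to the `ProviderManager` that `<http>` creates and that `<authentication-manager alias="authenticationManager"/>` exposes. `CustomAuthenticationManager` is declared as an ordinary bean that extends `ProviderManager` directly, so it keeps the default `NullConcurrentSessionController`: nothing in its `authenticate()` path asks for a session id (which is why the "Authentication.getDetails() required" error goes away when logins are routed through it) and nothing registers or counts the login, so `max-sessions="1"` is never applied to it. The Java below is an added example, not code from the thread, showing how a hand-built `ProviderManager` gets the same limit by sharing the registry the web filter chain already uses, plus a check that can be run at startup to confirm a manager actually carries a session controller. It assumes the registry is exposed with `session-registry-alias="sessionRegistry"` on the `concurrent-session-control` element and that the bean is declared with `factory-method="create"`; the class and method names are invented for the example.

```java
import java.util.List;

import org.springframework.security.AuthenticationManager;
import org.springframework.security.concurrent.ConcurrentSessionControllerImpl;
import org.springframework.security.concurrent.SessionRegistry;
import org.springframework.security.providers.ProviderManager;

/**
 * Added example (not the thread's code). Builds a ProviderManager that applies the
 * same max-sessions="1" rule as the manager the <http> element creates, by giving it
 * a ConcurrentSessionControllerImpl bound to the registry that the
 * ConcurrentSessionFilter already consults.
 *
 * Assumptions: the registry is exposed as a bean with
 *   <security:concurrent-session-control max-sessions="1"
 *        session-registry-alias="sessionRegistry" expired-url="..."/>
 * and this manager is declared as
 *   <bean id="wsAuthenticationManager" class="...SessionLimitedManagerFactory"
 *         factory-method="create">
 *      <constructor-arg ref="sessionRegistry"/>
 *      <constructor-arg><list><ref bean="daoAuthenticationProvider"/></list></constructor-arg>
 *   </bean>
 * Spring runs the InitializingBean callbacks of both objects, which validate the wiring.
 */
public final class SessionLimitedManagerFactory {

    private SessionLimitedManagerFactory() {
    }

    public static ProviderManager create(SessionRegistry sharedRegistry, List providers) {
        ConcurrentSessionControllerImpl controller = new ConcurrentSessionControllerImpl();
        // One registry for both managers; with separate registries each would count on its own.
        controller.setSessionRegistry(sharedRegistry);
        controller.setMaximumSessions(1);                 // mirrors max-sessions="1"
        // false: expire the older session (what expired-url handles); true: reject the new login
        controller.setExceptionIfMaximumExceeded(false);

        ProviderManager manager = new ProviderManager();
        manager.setProviders(providers);
        // The part a bare ProviderManager subclass declared outside <http> never gets.
        manager.setSessionController(controller);
        return manager;
    }

    /**
     * Startup check. A manager whose session controller is not a
     * ConcurrentSessionControllerImpl authenticates normally and never limits
     * sessions, which is the symptom described in post #1.
     */
    public static boolean enforcesSessionLimit(AuthenticationManager manager) {
        return manager instanceof ProviderManager
            && ((ProviderManager) manager).getSessionController()
                   instanceof ConcurrentSessionControllerImpl;
    }
}
```

Calling `enforcesSessionLimit()` on every manager bean from a context-refreshed listener (or a test) turns the silent failure in post #1 into a hard error at startup. Note that a manager wired this way expects `WebAuthenticationDetails` on every token it is handed, so the caller must supply them, which is the subject of the later posts.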


      • #4
        Can you explain why you need a custom AuthenticationManager? It's not obvious why this is the case.



        • #5
          I need a custom authentication manager because, when I use the one supplied by Spring Security in the AuthenticationHandler of my web services and add the concurrent-session-control element, I get this exception: java.lang.IllegalArgumentException: Authentication.getDetails() required.

          Everything would work very well if I did not need the element concurrent-session-control.

          This is the way my handler is used in my web services:

          Code:
          <bean id="authenticationHandler" class="com.ws.xfire.impl.AuthenticationHandler">	
             <property name="authenticationManager" ref="authenticationManager"/>  	
          </bean>
          
          <bean name="userService" class="org.codehaus.xfire.spring.ServiceBean">
             <property name="serviceBean" ref="userWS"/>
             <property name="serviceClass" value="com.ws.xfire.UserService"/>
             <property name="inHandlers">
                <list>
                   <ref bean="addressingHandler"/>	
                   <ref bean="authenticationHandler"/>	        
                </list>
            </property>  
          </bean>
          This is the code of AuthenticationHandler that uses the AuthenticationManager:

          Code:
          public void invoke(MessageContext context) throws XFireFault {
             Element header = context.getInMessage().getHeader();
             if (header == null) {
                throw new XFireFault(AuthenticationConstants.MISSING_AUTH_TOKEN, XFireFault.SENDER);
             }
          
             Namespace ns = Namespace.getNamespace(TOKEN_NS);
             Element token = header.getChild(AuthenticationToken.NAME, ns);
             if (token == null) {
                throw new XFireFault(AuthenticationConstants.MISSING_AUTH_TOKEN, XFireFault.SENDER);
             }
          
             // getChild() returns null when the element is absent; guard before calling getText()
             Element login = token.getChild(AuthenticationToken.LOGIN, ns);
             Element pwd = token.getChild(AuthenticationToken.PASSWORD, ns);
             if (login == null || pwd == null) {
                throw new XFireFault(AuthenticationConstants.MISSING_AUTH_TOKEN, XFireFault.SENDER);
             }
             String username = login.getText();
             String password = pwd.getText();
          
             try {
                UsernamePasswordAuthenticationToken authToken =
                      new UsernamePasswordAuthenticationToken(username, password);
                authenticationManager.authenticate(authToken);
             } catch (Exception e) {
                log.warn(e);
                throw new XFireFault(AuthenticationConstants.AUTHENTICATION_FAILED, XFireFault.SENDER);
             }
          
             context.setProperty(AuthenticationConstants.LOGIN_KEY, username);
          }
          My custom AuthenticationManager only overrides the method doAuthentication to bypass the problem:

          Code:
          import org.springframework.security.Authentication;
          import org.springframework.security.AuthenticationException;
          import org.springframework.security.providers.ProviderManager;
          import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
          
          public class CustomAuthenticationManager extends ProviderManager {
          
             @Override
             public Authentication doAuthentication(Authentication authRequest)
                   throws AuthenticationException {
                // Let the configured providers authenticate, then carry the request's details over
                UsernamePasswordAuthenticationToken result =
                      (UsernamePasswordAuthenticationToken) super.doAuthentication(authRequest);
                copyDetails(authRequest, result);
                return result;
             }
          
             protected void copyDetails(Authentication source, UsernamePasswordAuthenticationToken dest) {
                if (dest.getDetails() == null) {
                   dest.setDetails(source.getDetails());
                }
             }
          }
          Any ideas?
          Last edited by Kira; Oct 2nd, 2008, 08:43 AM.

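The exception reported in posts #3, #5, #6 and #7 has a single cause. Once `<concurrent-session-control>` is present, the namespace-built `ProviderManager` calls `ConcurrentSessionControllerImpl.checkAuthenticationAllowed()` before any provider runs, and that method reads the HTTP session id out of `Authentication.getDetails()`, which must be a `WebAuthenticationDetails`. The form-login filter sets those details on every token it builds; the XFire handler above, a BlazeDS login and a remote-client call all build a bare `UsernamePasswordAuthenticationToken(username, password)` whose details are null, hence "Authentication.getDetails() required". The handler below is an added example, not the thread's code, of an XFire in-handler that authenticates through the same manager the web tier uses and satisfies that check instead of bypassing it; it also places the result in `SecurityContextHolder`, which the posted handler does not do and which the `ROLE_ADMIN` pointcut on `UserService` in post #3 needs. It assumes the servlet transport (`XFireServletController.getRequest()` returns the current request); the token element names, namespace and fault texts are placeholders for the `AuthenticationToken` and `AuthenticationConstants` values the posts reference but do not show.

```java
import javax.servlet.http.HttpServletRequest;

import org.codehaus.xfire.MessageContext;
import org.codehaus.xfire.fault.XFireFault;
import org.codehaus.xfire.handler.AbstractHandler;
import org.codehaus.xfire.transport.http.XFireServletController;
import org.jdom.Element;
import org.jdom.Namespace;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.ui.WebAuthenticationDetails;

/**
 * Added example (not the thread's code): an XFire in-handler that authenticates
 * against the namespace-built AuthenticationManager (alias "authenticationManager")
 * with the WebAuthenticationDetails that ConcurrentSessionControllerImpl requires.
 * Element names, namespace and fault texts are placeholders for the poster's
 * AuthenticationToken / AuthenticationConstants values, which the thread does not show.
 */
public class SessionAwareAuthenticationHandler extends AbstractHandler {

    private static final Namespace TOKEN_NS = Namespace.getNamespace("urn:example:auth"); // placeholder
    private static final String TOKEN_ELEMENT = "AuthenticationToken";                     // placeholder
    private static final String LOGIN_ELEMENT = "login";                                   // placeholder
    private static final String PASSWORD_ELEMENT = "password";                             // placeholder
    public static final String LOGIN_KEY = "auth.login";                                   // placeholder

    private AuthenticationManager authenticationManager;

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void invoke(MessageContext context) throws XFireFault {
        Element header = context.getInMessage().getHeader();
        Element token = (header == null) ? null : header.getChild(TOKEN_ELEMENT, TOKEN_NS);
        if (token == null) {
            throw new XFireFault("Missing authentication token", XFireFault.SENDER);
        }
        Element login = token.getChild(LOGIN_ELEMENT, TOKEN_NS);
        Element password = token.getChild(PASSWORD_ELEMENT, TOKEN_NS);
        if (login == null || password == null) {
            throw new XFireFault("Missing authentication token", XFireFault.SENDER);
        }

        // Assumption: servlet transport. WebAuthenticationDetails takes its session id from
        // request.getSession(false), so a session must exist before the details are built;
        // otherwise the controller fails with "WebAuthenticationDetails.getSessionId() required".
        HttpServletRequest request = XFireServletController.getRequest();
        if (request == null) {
            throw new XFireFault("Authentication needs the HTTP transport", XFireFault.RECEIVER);
        }
        request.getSession(true);

        UsernamePasswordAuthenticationToken authToken =
                new UsernamePasswordAuthenticationToken(login.getText(), password.getText());
        authToken.setDetails(new WebAuthenticationDetails(request)); // what the form-login filter does

        try {
            // With <concurrent-session-control> this call now checks and registers the session
            // instead of throwing IllegalArgumentException on the null details.
            Authentication result = authenticationManager.authenticate(authToken);
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            throw new XFireFault("Authentication failed", XFireFault.SENDER);
        }
        context.setProperty(LOGIN_KEY, login.getText());
    }
}
```

Two consequences to weigh before adopting this. First, the session the controller counts is the servlet session of the SOAP call: a client that does not return the JSESSIONID cookie gets a fresh session on every call, and with `max-sessions="1"` and the default expire-the-oldest behaviour each call expires that user's previous session, including an interactive browser session; if the web-service clients should not take part in the limit at all, authenticate them through a manager without the session controller rather than through the `<http>` one. Second, `SecurityContextHolder` is thread-local; if the XFire servlet's URL is not covered by the `springSecurityFilterChain` mapping, clear the context when the invocation ends (an out/fault handler, or a `finally` around the service call), otherwise the next request served by that pooled thread inherits the authentication.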


          • #6
            Authentication.getDetails() required

            Hi,

            I am also facing a similar problem. I am using Spring BlazeDS integration and have implemented UserDetails and UserDetailsService, and now authentication works fine.
            I would like to use concurrent session control. When I add the code for concurrent session control, I end up with this error: Authentication.getDetails() required.

            I have posted my config details under Spring blazeds thread, but still no help, please help me to solve this problem.

            http://forum.springsource.org/showthread.php?t=70286

            Thanks in advance

            PS : I know this thread is an old one, but still hoping to get some response.
            Last edited by kannanMugundan; Apr 13th, 2009, 01:25 AM. Reason: PS



            • #7
              I am getting the same error when trying to use the default authentication manager exposed as a remote authentication manager for a rich client application to authenticate against and setting concurrent session control.
