  • Spring Security and Flex

    Hello,

    I have just a few issues with Spring Security and Flex. Actually, I configured Spring Security and Flex OK and it was working (after digging through tutorials) until I found a "little problem, I suppose". Here is the scenario: when I log in as a single user, the authentication and authorization work as expected. But when I log in as Admin and then in a separate browser log in as a normal User, the Admin roles are overridden by the User roles. Admin can no longer perform what it should, and vice versa. The catch here is that whoever logs in last, his/her role is shared in the session. Now, you might say "It is a Flex problem"; well, I am already looking at that part too. But I want to make sure that Spring is not the culprit, so that I can isolate the problem. How do I know which user is accessing a particular resource?

    Thanks a lot.
    Cheers.

  • #2
    I used this tutorials to configure my spring flex application:

    http://www.gridshore.nl/2008/07/14/i...-3-the-sequel/

    http://www.gridshore.nl/2008/05/11/i...nown-as-acegi/

    http://forum.springframework.org/showthread.php?t=54197

    • #3
      Can you elaborate a bit on the "new browser"? Is it a new tab, or really a new browser, like Firefox and Safari for instance?

      You could check the log to see whether new sessions are created. You can even configure Spring Security to prevent multiple windows, although I do not think this works for different user accounts.

      It should of course not be possible to steal someone's session, I'll try some experiments myself as well, with this.

      Good luck, Jettro

      • #4
        A new Firefox browser window or a new tab. I already added some filters in services-config.xml that give me some info. I have already detected that every time I log in a client ID is created, and I can invalidate the client during logout using this code:

        // Needs: import flex.messaging.FlexContext;
        public void logOut()
        {
            // Every Flex client (window/tab) gets its own FlexClient id, so log it
            log.info("Logging out client id = " + FlexContext.getFlexClient().getId());
            FlexContext.getFlexClient().invalidate();
            // SecurityContextHolder.getContext().setAuthentication(null);
        }

        I'm looking forward to your experiments. Anyway, I'm using DaoAuthenticationProvider.

        Thanks a lot.
        Cheers.

        • #5
          I did run some tests; I think it has to do with the session. When does your browser create a new session? I do not really know a way on the Mac to run a new instance of Firefox. I know what I used to do on Windows with Internet Explorer, but I do not have that anymore :-)

          I tried with a new tab in Firefox as well as Safari; they both use the same session on the server. Therefore you can log in as another user and steal the session. I made some bigger changes in the sample. I created a service to check if a user already has a session and if that session contains a logged-in user. If so, I do not present the login form. Now you need to explicitly log out before you can log in as another user.

          You can find the sources of the sample here:
          http://code.google.com/p/gridshore/s...books-overview

          As for logging out, I use a bit more code; I think this helps clean up the mess you leave behind when logging out:

          // Spring Security 2.x package; 3.x moved it to org.springframework.security.core.context
          import org.springframework.security.context.SecurityContextHolder;
          import flex.messaging.FlexContext;

          public void logoutPrincipal() {
              String username = "unknown";
              try {
                  username = SecurityContextHolder.getContext().getAuthentication().getName();
                  // Drop the principal BlazeDS attached to this request
                  FlexContext.setUserPrincipal(null);
                  // Invalidate both the servlet session and the Flex session bound to it
                  FlexContext.getHttpRequest().getSession().invalidate();
                  FlexContext.getFlexSession().invalidate();
                  // Clear the thread-local context so nothing lingers for the next request
                  SecurityContextHolder.clearContext();
                  log.debug("logout request is executed for user : " + username);
              } catch (RuntimeException e) {
                  log.warn("Problem while logging out the current user : " + username, e);
              }
          }

          Hope that helps

          Jettro

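One way to implement the service Jettro describes (check whether the HTTP session already carries a logged-in user and refuse a second login until an explicit logout) and, at the same time, answer the original question of which user is behind a given request. This is an added example, not code from this thread or from the gridshore sample. It assumes BlazeDS (flex.messaging.FlexContext), Spring Security 2.0 package names, an AuthenticationManager wired in the Spring config, and hypothetical class and method names (SessionAwareLoginService, whoAmI, SessionInfo):

```java
// Added example; assumes BlazeDS and Spring Security 2.0 packages
// (3.x moved SecurityContextHolder to org.springframework.security.core.context).
// Class, method and SessionInfo names are hypothetical.
import java.io.Serializable;

import javax.servlet.http.HttpSession;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;

import flex.messaging.FlexContext;

/** Remoting destination the Flex client calls for login and identity checks. */
public class SessionAwareLoginService {

    // Session attribute under which Spring Security stores the SecurityContext
    // (HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY in 2.x,
    // HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY in 3.x).
    private static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    private final AuthenticationManager authenticationManager;

    public SessionAwareLoginService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** Which principal, HTTP session and FlexClient this remoting call runs under. */
    public SessionInfo whoAmI() {
        HttpSession session = FlexContext.getHttpRequest().getSession(false);
        return new SessionInfo(
                currentUser(session),
                session == null ? null : session.getId(),
                FlexContext.getFlexClient().getId());
    }

    /**
     * Authenticates, but refuses to replace a principal already bound to this HTTP
     * session. Two windows of one browser share that session, so without this check
     * the second login silently becomes the identity of the first window too.
     */
    public SessionInfo login(String username, String password) {
        HttpSession session = FlexContext.getHttpRequest().getSession(true);
        String current = currentUser(session);
        if (current != null) {
            if (current.equals(username)) {
                return whoAmI();            // already logged in as this user
            }
            throw new IllegalStateException("HTTP session " + session.getId()
                    + " already belongs to '" + current + "'; log out first");
        }

        // DaoAuthenticationProvider sits behind the manager; a bad password throws
        // an (unchecked) AuthenticationException, which BlazeDS reports to the client.
        Authentication result = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));

        SecurityContext ctx = SecurityContextHolder.getContext();
        ctx.setAuthentication(result);
        // Store the context where the filter chain keeps it, so later requests
        // (and the logout code) see the same principal.
        session.setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctx);
        return whoAmI();
    }

    /** Principal stored in the session by the filter chain or by login(), else null. */
    private static String currentUser(HttpSession session) {
        if (session == null) {
            return null;
        }
        Object stored = session.getAttribute(SPRING_SECURITY_CONTEXT_KEY);
        if (!(stored instanceof SecurityContext)) {
            return null;
        }
        Authentication auth = ((SecurityContext) stored).getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            return null;                    // anonymous does not count as logged in
        }
        return auth.getName();
    }

    /** Value object; BlazeDS serialises the public fields to the Flex client. */
    public static class SessionInfo implements Serializable {
        public String username;
        public String httpSessionId;
        public String flexClientId;

        public SessionInfo() { }

        public SessionInfo(String username, String httpSessionId, String flexClientId) {
            this.username = username;
            this.httpSessionId = httpSessionId;
            this.flexClientId = flexClientId;
        }
    }
}
```

Calling whoAmI() from each window and comparing httpSessionId with flexClientId makes the situation visible: two Firefox windows return two FlexClient ids but one HTTP session id, which is why the last login wins. The check in login() only closes the "same session, different user" hole; it does not rotate the session id on login, so session-fixation protection still has to come from the filter chain.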

          • #6
            I'm looking at your code and applying some modifications. I will surely give feedback afterwards. Thanks.

            Thanks a lot.
            Cheers.

            • #7
              Hello,
              Before I made any modifications to my code, I managed to test my app on Windows (because I use Linux most of the time). I opened Internet Explorer and logged in as ADMIN, and I opened Firefox and logged in as USER. Two sessions were created and all went fine, no session stealing. But when I opened two Firefox browsers on the same PC, again only one session was created and session stealing occurred. Btw, with different PCs it goes fine, because again different sessions are created. I really have to manage the Flex session. Thanks for the insight.

              Thank you for your help.
              Cheers.

              • #8
                Hello jettro,

                I already made some modifications to my code, and the result was awesome. When the user is already logged in, I redirect them to the welcome screen. I just need to prevent a user from overriding the current user's session when logging in as a different user in the same browser/tab in Firefox.

                Thanks a lot.
                Cheers.

                • #9
                  Hi freak182,

                  How did you solve the issue of the session being shared between 2 Firefox windows?

                  • #10
                    Hi,

                    Just follow the advice of Jettro.

                    Cheers.
