How do I properly configure <session-management> to work.

  • #1

    Hi team,

    Would you mind pointing me in the right direction please.

    I am trying to implement the <session-management> so that a user can have one and only one current session at a time.

    I am using:
    CAS 3.3.5 - Authentication
    SSec3.0.1 - Authorization

    I have added the
    Code:
    	<listener>
    		<listener-class>
    			org.springframework.security.web.session.HttpSessionEventPublisher
    		</listener-class>
    	</listener>
    to the list of listeners on my Web.xml

    and my applicationContext.xml file looks like this:
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
               http://www.springframework.org/schem...-beans-3.0.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    	<http entry-point-ref="casProcessingFilterEntryPoint" >
    		<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    		<intercept-url pattern="/registration/**" filters="none" />
    		<intercept-url pattern="/**" access="ROLE_ACTIVE" />
    		<custom-filter position="CAS_FILTER" ref="casProcessingFilter" />
    	</http>
    
    	<authentication-manager alias="authenticationManager">
    		<authentication-provider ref="casAuthenticationProvider" />
    	</authentication-manager>
    
    	<beans:bean id="concurrencyFilter"
    		class="org.springframework.security.web.session.ConcurrentSessionFilter">
    		<beans:property name="sessionRegistry" ref="sessionRegistry" />
    		<beans:property name="expiredUrl" value="/session-expired.htm" />
    	</beans:bean>
    
    	<beans:bean id="sessionRegistry"
    		class="org.springframework.security.core.session.SessionRegistryImpl" />
    
    	<beans:bean id="serviceProperties"
    		class="org.springframework.security.cas.ServiceProperties">
    		<beans:property name="service"
    			value="https://my.app.URL/j_spring_cas_security_check" />
    		<beans:property name="sendRenew" value="false" />
    	</beans:bean>
    
    	<beans:bean id="casProcessingFilter"
    		class="org.springframework.security.cas.web.CasAuthenticationFilter">
    		<beans:property name="authenticationManager" ref="authenticationManager" />
    	</beans:bean>
    
    	<beans:bean id="casProcessingFilterEntryPoint"
    		class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    		<beans:property name="loginUrl"
    			value="https://my.cas.URL/CAS/login" />
    		<beans:property name="serviceProperties" ref="serviceProperties" />
    	</beans:bean>
    
    	<beans:bean id="casAuthenticationProvider"
    		class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    		<beans:property name="userDetailsService" ref="userService" />
    		<beans:property name="serviceProperties" ref="serviceProperties" />
    		<beans:property name="ticketValidator">
    			<beans:bean
    				class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
    				<beans:constructor-arg index="0"
    					value="https://my.cas.URL/CAS" />
    			</beans:bean>
    		</beans:property>
    		<beans:property name="key"
    			value="an_id_for_this_auth_provider_only" />
    	</beans:bean>
    
    	<beans:bean id="sas"
    		class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    		<beans:constructor-arg name="sessionRegistry"
    			ref="sessionRegistry" />
    		<beans:property name="maximumSessions" value="1" />
    	</beans:bean>
    	
    	<beans:bean id="userService" class="my.package.UserDetailsDao">
    		<beans:property name="dataSource" ref="dataSource"></beans:property>
    	</beans:bean>	
    
    	<beans:bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
    		<beans:property name="driverClassName">
    			<beans:value>oracle.jdbc.OracleDriver</beans:value>
    		</beans:property>
    		<beans:property name="url">
    			<beans:value>jdbc:oracle:thin:@database:1521:myDatabase</beans:value>
    		</beans:property>
    		<beans:property name="username">
    			<beans:value>********</beans:value>
    		</beans:property>
    		<beans:property name="password">
    			<beans:value>*************</beans:value>
    		</beans:property>
    	</beans:bean>
    
    </beans:beans>
    All the processing works... that is, it is allowing me access to my app (GOOD), but it is not limiting me to a single process at a time.

    The docs state (p. 62):
    Authentication by mechanisms which perform a redirect after authenticating (such as form-login) will not be detected by
    SessionManagementFilter, as the filter will not be invoked during the authenticating request. Session-management
    functionality has to be handled separately in these cases.

    How would something like the above be implemented?
    Any needed information let me know.
    Thanks for the help,

  • #2
    Have you tried following the configuration example in the session management chapter?


    • #3
      Hey Luke...thanks for your help.
      I started to go down that path, but
      Code:
          <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" ref="myAuthFilter" />
      AUTHENTICATION_PROCESSING_FILTER is not one of the options in the drop down, so I got a list of errors.

      Is there a new/updated set of files that I should use instead?


      • #4
        Hmm. That looks like a doc error. It is now called "FORM_LOGIN_FILTER". However, there's also a "CAS_FILTER" which is probably what you want.

        In practice it doesn't matter too much as the positions just provide a relative ordering.


        • #5
          Code:
          	<http entry-point-ref="casProcessingFilterEntryPoint" >
          		<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
          		<intercept-url pattern="/registration/**" filters="none" />
          		<intercept-url pattern="/**" access="ROLE_ACTIVE" />
          		<custom-filter position="CAS_FILTER" ref="casProcessingFilter" />
          		<session-management session-authentication-strategy-ref="sas"/>
          	</http>
          This is what the HTTP section looks like now, and I am still able to have multiple logins by the same user.

          This is the log from the console.

          thanks


          • #6
            Are you testing with the same browser but on different tabs? I have the same problem. But it works if I use different browsers to access with the same account.


            • #7
              Thanks for asking about this. I am working on 2 separate machines hitting the same app server. I have eliminated the "same browser, different tab" thing altogether this way.

              I am still able to have multiple logins with the same user, which is not what I want. Any suggestions?


              • #8
                Originally posted by canal:
                Are you testing with the same browser but on different tabs? I have the same problem. But it works if I use different browsers to access with the same account.

                Are you using CAS and SSec3.0.1?

                I would love to see the "http" paragraph of your applicationContext*.xml file.

                Can you post that please? (even better the entire file would really be of help)

                thanks,


                • #9
                  Well... assuming everything is wired correctly (which I can't verify), you need to set the "exceptionIfMaximumExceeded" property on the ConcurrentSessionControlStrategy bean to true (it is false by default if you are wiring it yourself). Otherwise, the behavior is that the least-recently-used session will be expired, which you may not notice.


                  • #10
                    Originally posted by pmularien:
                    Well... assuming everything is wired correctly (which I can't verify), you need to set the "exceptionIfMaximumExceeded" property on the ConcurrentSessionControlStrategy bean to true (it is false by default if you are wiring it yourself). Otherwise, the behavior is that the least-recently-used session will be expired, which you may not notice.

                    pmularien... thank you for commenting... I will implement your suggestion as soon as I get to the office.

                    What other information would you need to verify that "...everything is wired correctly" ? I will be happy to post any additional information.

                    thanks,
                    Last edited by SecurityUser; Feb 19th, 2010, 10:39 AM.


                    • #11
                      Team,

                      I was able to fix this thing. I was having tunnel vision. Thanks for a great product.

                      Luke, pmularien and canal -- thank you for your suggestions...all were very helpful.

                      I needed to insert a line in the casProcessingFilter section.
                      from:
                      Code:
                      	<beans:bean id="casProcessingFilter"
                      		class="org.springframework.security.cas.web.CasAuthenticationFilter">
                      		<beans:property name="authenticationManager" ref="authenticationManager" />
                      	</beans:bean>
                      to:
                      Code:
                      	<beans:bean id="casProcessingFilter"
                      		class="org.springframework.security.cas.web.CasAuthenticationFilter">
                      		<beans:property name="authenticationManager" ref="authenticationManager" />
                      		<beans:property name="sessionAuthenticationStrategy" ref="sas" />
                      	</beans:bean>
                      If there is a simpler/different way to do this, I would love to see it.

                      Thanks again

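As an added example (not code from this thread or from Spring Security itself), the Java program below drives the "sas" bean directly, the way CasAuthenticationFilter does once its sessionAuthenticationStrategy property is wired as in #11, and shows the two behaviours pmularien describes in #9: by default the least-recently-used session is silently expired, and with exceptionIfMaximumExceeded=true the extra login is refused. It assumes Spring Security 3.0.x and the spring-test mock servlet classes on the classpath; the class name SingleSessionDemo and the login() helper are assumptions of mine.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;

// Added example, not thread code; SingleSessionDemo and login() are my own names.
public class SingleSessionDemo {

    // One login from one machine: a request that already carries a container
    // session (as after the CAS redirect back), passed through the strategy.
    static MockHttpServletRequest login(ConcurrentSessionControlStrategy sas, Authentication auth) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.getSession(true);
        sas.onAuthentication(auth, request, new MockHttpServletResponse());
        return request; // getSession() now yields the migrated, registered session
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistryImpl();   // the "sessionRegistry" bean
        ConcurrentSessionControlStrategy sas = new ConcurrentSessionControlStrategy(registry);
        sas.setMaximumSessions(1);                               // the "sas" bean
        Authentication user = new UsernamePasswordAuthenticationToken(
                "MYUSER", "n/a", AuthorityUtils.createAuthorityList("ROLE_ACTIVE"));

        MockHttpServletRequest machineA = login(sas, user);
        MockHttpServletRequest machineB = login(sas, user);   // same account, second machine

        // Default (exceptionIfMaximumExceeded=false): login B succeeds and the
        // least-recently-used session, A, is marked expired. ConcurrentSessionFilter
        // sends A to expiredUrl on its next request, which is easy to miss.
        SessionInformation a = registry.getSessionInformation(machineA.getSession().getId());
        SessionInformation b = registry.getSessionInformation(machineB.getSession().getId());
        System.out.println("A expired: " + a.isExpired() + ", B expired: " + b.isExpired());

        // With exceptionIfMaximumExceeded=true the extra login is refused outright.
        sas.setExceptionIfMaximumExceeded(true);
        try {
            login(sas, user);                                  // third machine
            System.out.println("third login unexpectedly accepted");
        } catch (SessionAuthenticationException e) {
            System.out.println("third login refused: " + e.getMessage());
        }
    }
}
```

Without the sessionAuthenticationStrategy property on the CAS filter, onAuthentication is never called for a CAS login, so the registry stays empty and ConcurrentSessionFilter has nothing to expire, which is exactly the symptom reported in #1 and #5.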