  • Spring Flex and Spring Security Concurrent Session Management

    I am building an application using Spring 3.0.5, Spring Integration 1.0.3, Spring Security 3.0.5 and BlazeDS 3.2.0.3978.

    I am trying to enable concurrency control in the system, and so far I haven't found the appropriate configuration for it.

    These are the configurations:

    spring-security.xml

    Code:
    <security:http entry-point-ref="entryPoint">
    	<security:anonymous enabled="false"/>
    	<security:session-management>
    		<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
    	</security:session-management>
    	<security:logout/>
    </security:http>
    spring-remoting.xml

    Code:
    <flex:message-broker>
    	<flex:mapping pattern="messagebroker/*" />
    	<flex:secured per-client-authentication="false"/>
    </flex:message-broker>
    I debugged the code and found:

    - The concurrent filter is configured
    - The session management filter is configured
    - The concurrent strategy is configured
    - The SpringSecurityLoginCommand doAuthentication method runs after the session management filter has run its doFilter method, which means the session management filter is not filled with the authentication in the Spring context

    Code:
    // Excerpt from SessionManagementFilter.doFilter()
    if (!securityContextRepository.containsContext(request)) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
            // The user has been authenticated during the current request, so call the session strategy
            try {
                sessionStrategy.onAuthentication(authentication, request, response);
            } catch (SessionAuthenticationException e) {
                // The session strategy can reject the authentication
                logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
                SecurityContextHolder.clearContext();
                failureHandler.onAuthenticationFailure(request, response, e);

                return;
            }
            // Eagerly save the security context to make it available for any possible re-entrant
            // requests which may occur before the current request completes. SEC-1396.
            securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
        }
    }
    I made further investigation and found that LoginCommand is invoked from MessageBrokerServlet, which is invoked after the filter chain, which means the concurrent session strategy isn't invoked to control the concurrent sessions.

    Thanks a lot in advance for your help

  • #2
    This seems like a general gap in our integration due to the changes to how session management is handled in Spring Security 3. I have opened a Jira for it:
    https://jira.springframework.org/browse/FLEX-166

    In the meantime, you could consider implementing a special MessageInterceptor that implements the necessary behavior (invoking the SessionAuthenticationStrategy, etc.) when necessary.


    • #3
      Hi,

      I'm using Spring BlazeDS Integration 1.5RC1, BlazeDS 4.0.0.14931, Spring Security 3.0.3 and I'm still having problems with concurrent session management: it doesn't seem to work (even though FLEX-165 and FLEX-166 have been resolved).

      My configuration:
      security-config.xml
      Code:
      <http entry-point-ref="entryPoint">
          <anonymous enabled="false"/>
          <session-management>
              <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
          </session-management>
      </http>

      <beans:bean id="entryPoint" class="org.springframework.flex.security3.FlexAuthenticationEntryPoint"/>

      <authentication-manager alias="springAuthManager">
          <authentication-provider ref="daoAuthenticationProvider"/>
      </authentication-manager>

      <beans:bean id="passwordEncoder"
                  class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
          <beans:constructor-arg value="256"/>
      </beans:bean>

      <beans:bean id="saltSource"
                  class="org.springframework.security.authentication.dao.ReflectionSaltSource">
          <beans:property name="userPropertyToUse" value="accountId"/>
      </beans:bean>

      <beans:bean id="daoAuthenticationProvider"
                  class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
          <beans:property name="userDetailsService" ref="deUserDetailsService"/>
          <beans:property name="passwordEncoder" ref="passwordEncoder"/>
          <beans:property name="saltSource" ref="saltSource"/>
          <beans:property name="hideUserNotFoundExceptions" value="false"/>
      </beans:bean>
      dispatcher-servletx.xml:
      Code:
      <flex:message-broker>
          <flex:exception-translator ref="deExceptionTranslator"/>
          <!-- <flex:remoting-service default-channels="my-amf"/> -->
          <flex:secured per-client-authentication="false"/>
      </flex:message-broker>

      <flex:remoting-destination ref="configurationService"/>
      <flex:remoting-destination ref="authenticationService"/>
      <flex:remoting-destination ref="administrationService"/>
      web.xml:
      Code:
          <filter>
              <filter-name>springSecurityFilterChain</filter-name>
              <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
          </filter>
          <filter-mapping>
              <filter-name>springSecurityFilterChain</filter-name>
              <url-pattern>/*</url-pattern>
          </filter-mapping>
      
          <listener>
              <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
          </listener>
          <listener>
              <listener-class>flex.messaging.HttpFlexSession</listener-class>
          </listener>
      
          <servlet>
              <servlet-name>dispatcher</servlet-name>
              <servlet-class>pl.dataexplorer.commons.spring.DeDispatcherServlet</servlet-class>
              <load-on-startup>1</load-on-startup>
          </servlet>
          <servlet-mapping>
              <servlet-name>dispatcher</servlet-name>
              <url-pattern>/messagebroker/*</url-pattern>
          </servlet-mapping>
      Do I need to add anything else in my Spring configuration files or web.xml? Please tell me what I am doing wrong.

      Thanks in advance!
      Last edited by szybki; Jun 18th, 2011, 06:49 PM.


      • #4
        It still does not work

        The problem is still there on 1.5.0 RELEASE. Is there anyone who has fixed it?


        • #5
          Want to get update

          Hi,

          I am also trying to integrate Flex with Spring Security.
          Can you please let me know whether you solved the problem?

          regards,
          Salini


          • #6
            Hello,

            I'm facing the same problem. Do you plan to release a new version with a solution to this problem?
            While waiting for it, how can I do the same as the following code for a given sessionId?

            Code:
            protected Authentication getAuthentication() {
                SecurityContext securityContext = SecurityContextHolder.getContext();
                Authentication authentication = securityContext.getAuthentication();
                return authentication;
            }
            With such code, I could delete a previous session when a user tries to log in a second time.

            Thanks a lot for your help

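As an added example (not code from this thread or from Spring Flex itself), here is the kind of MessageInterceptor #2 suggests: it runs the SessionAuthenticationStrategy right after the BlazeDS login command, which is the step the filter-based flow misses because the login happens inside MessageBrokerServlet. It also covers the question in #6, since with error-if-maximum-exceeded="false" the concurrency strategy itself expires the user's earlier session instead of rejecting the new login, so no lookup by sessionId is needed. It assumes the Spring Flex 1.x MessageInterceptor interface, that the interceptor is registered with <flex:message-interceptor ref="..."/> inside <flex:message-broker>, that the strategy passed in is the same ConcurrentSessionControlStrategy bean given to <session-management session-authentication-strategy-ref="..."/>, and that the configured exception translator turns the rethrown exception into a fault for the client.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import flex.messaging.FlexContext;
import flex.messaging.messages.CommandMessage;
import flex.messaging.messages.Message;
import org.springframework.flex.core.MessageInterceptor;
import org.springframework.flex.core.MessageProcessingContext;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

// Hypothetical interceptor: the BlazeDS login runs inside MessageBrokerServlet, after
// SessionManagementFilter has already looked at the request, so the strategy is invoked here instead.
public class ConcurrentLoginInterceptor implements MessageInterceptor {
    private final SessionAuthenticationStrategy sessionStrategy;
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    public ConcurrentLoginInterceptor(SessionAuthenticationStrategy sessionStrategy) {
        this.sessionStrategy = sessionStrategy;
    }

    public Message preProcess(MessageProcessingContext context, Message inputMessage) {
        return inputMessage; // nothing to check before the login command has run
    }

    public Message postProcess(MessageProcessingContext context, Message inputMessage, Message outputMessage) {
        if (!isLogin(inputMessage)) return outputMessage;
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // No authenticated principal means the login command failed; nothing to register
        if (auth == null || trustResolver.isAnonymous(auth)) return outputMessage;
        HttpServletRequest request = FlexContext.getHttpRequest();
        HttpServletResponse response = FlexContext.getHttpResponse();
        try {
            // The same call SessionManagementFilter makes when a login happens inside the filter chain:
            // with max-sessions="1" this rejects the login, or expires the older session, per configuration
            sessionStrategy.onAuthentication(auth, request, response);
        } catch (SessionAuthenticationException e) {
            // Session limit exceeded: undo the login so the client is not left authenticated
            SecurityContextHolder.clearContext();
            request.getSession().invalidate();
            throw e;
        }
        return outputMessage;
    }

    private static boolean isLogin(Message message) {
        return message instanceof CommandMessage
                && ((CommandMessage) message).getOperation() == CommandMessage.LOGIN_OPERATION;
    }
}
```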