Spring Session Remember Me - spring-security

I have tried the Spring Session samples and they are really interesting.
I am trying to do the following: I am trying to plug Spring Session into a RESTful service where I want different TTLs for the session IDs based on the request.
For example, a client consuming my RESTful service may have a remember-me option on or off.
When remember me is on I want to provide a TTL of 90 days, whereas when remember me is off I want to set the TTL to 5 minutes. How do we achieve this in Spring Session?
Also, how do we manage (limit) concurrent sessions for a user? Can concurrent session control be achieved by integrating with Spring Security, or is the same capability provided in Spring Session?
Please suggest; any help is highly appreciated.

This can be done by calling HttpSession.setMaxInactiveInterval(int timeInSeconds). For example, after authenticating the user, you could do the following:
int someTime = getExpireBasedOnMyCriteria();
httpServletRequest.getSession().setMaxInactiveInterval(someTime);
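The snippet in the answer above, carried through to a working setup, as an added example that is not code from the original answer: a filter that runs right after HTTP Basic authentication and sets the TTL from a request header, plus the configuration that also covers the concurrent-session part of the question. Assumptions: the X-Remember-Me header name, Spring Security 5 and Spring Session 2 APIs (javax.servlet), and a Redis-backed session repository already configured with @EnableRedisHttpSession. The 90-day and 5-minute values are the ones from the question.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;
import org.springframework.web.filter.OncePerRequestFilter;

/** Runs right after HTTP Basic authentication and fixes the session TTL once per session. */
class RememberMeTtlFilter extends OncePerRequestFilter {

    static final String HEADER = "X-Remember-Me";           // assumed client header: "true" or "false"
    static final int REMEMBER_ME_TTL = 90 * 24 * 60 * 60;  // 90 days, in seconds (from the question)
    static final int SHORT_TTL = 5 * 60;                    // 5 minutes, in seconds (from the question)
    private static final String MARKER = RememberMeTtlFilter.class.getName() + ".TTL_SET";

    /** Pure decision function: anything other than an explicit "true" gets the short TTL. */
    static int ttlFor(String headerValue) {
        return "true".equalsIgnoreCase(headerValue) ? REMEMBER_ME_TTL : SHORT_TTL;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.isAuthenticated() && !(auth instanceof AnonymousAuthenticationToken)) {
            // getSession(true) creates the Spring Session-backed session on the first authenticated
            // call; the marker keeps later requests from re-reading a header the client could change.
            HttpSession session = request.getSession(true);
            if (session.getAttribute(MARKER) == null) {
                session.setMaxInactiveInterval(ttlFor(request.getHeader(HEADER)));
                session.setAttribute(MARKER, Boolean.TRUE);
            }
        }
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
class RestSecurityConfig<S extends Session> extends WebSecurityConfigurerAdapter {

    @Autowired
    private FindByIndexNameSessionRepository<S> sessionRepository;

    /** Lets Spring Security's concurrency control see the sessions Spring Session stores in Redis. */
    @Bean
    SpringSessionBackedSessionRegistry<S> sessionRegistry() {
        return new SpringSessionBackedSessionRegistry<>(this.sessionRepository);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic().and()
            .addFilterAfter(new RememberMeTtlFilter(), BasicAuthenticationFilter.class)
            .sessionManagement()
                .maximumSessions(1)                  // one live session per user; a second login
                .maxSessionsPreventsLogin(false)     // expires the older one instead of failing
                .sessionRegistry(sessionRegistry());
    }
}
```

Concurrency control itself is a Spring Security feature; SpringSessionBackedSessionRegistry is the piece Spring Session adds so that the registry reads from the shared store instead of an in-memory map. A 90-day session ID is a long-lived bearer credential, so the remember-me branch should only be honoured where the deployment accepts that exposure, and the decision is taken once per session rather than on every request so a client cannot lengthen an existing session by changing the header later.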

Related

JSESSIONID use existing session cookies

Spring Session uses a different format for its session cookies than Tomcat does. So if you implement Spring Session, even if you name the session cookie JSESSIONID, all the users have to log in again.
This is a point where you potentially lose users, because nobody likes to log in. Perhaps this is an edge case, and certainly it's not worth a huge amount of trouble, but I'm curious whether it's possible for existing users to use their already stored Tomcat session cookies?
You can implement your own org.springframework.session.web.http.CookieSerializer that matches Tomcat's default cookie serialization and register it as a bean.
Spring Session configuration will then pick it up and use it - see org.springframework.session.config.annotation.web.http.SpringHttpSessionConfiguration#setCookieSerializer for more details.
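A CookieSerializer of the kind the answer describes, as an added example rather than code from the original answer: it reads and writes a JSESSIONID cookie whose value is the bare session ID, the way Tomcat does. It assumes the CookieSerializer and CookieValue API of Spring Session 1.x/2.x and a Servlet 3.0 container. Matching the cookie format only gets the ID read; the session with that ID still has to exist in Spring Session's store, so sessions that lived only in Tomcat's memory are not revived by this.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.CookieSerializer;

/**
 * Reads and writes the session cookie in Tomcat's format: a cookie named JSESSIONID whose
 * value is the bare session id (no Base64 wrapping, no routing suffix on the way in).
 */
class TomcatCompatibleCookieSerializer implements CookieSerializer {

    static final String COOKIE_NAME = "JSESSIONID";

    /** Extracts the candidate session id(s) from the request; Spring Session tries each in turn. */
    @Override
    public List<String> readCookieValues(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return Collections.emptyList();
        }
        List<String> ids = new ArrayList<>();
        for (Cookie cookie : cookies) {
            if (COOKIE_NAME.equals(cookie.getName()) && cookie.getValue() != null) {
                ids.add(stripJvmRoute(cookie.getValue()));
            }
        }
        return ids;
    }

    /** Tomcat appends ".jvmRoute" to the id when sticky sessions are configured; the store knows only the id. */
    static String stripJvmRoute(String value) {
        int dot = value.indexOf('.');
        return dot < 0 ? value : value.substring(0, dot);
    }

    @Override
    public void writeCookieValue(CookieValue cookieValue) {
        HttpServletRequest request = cookieValue.getRequest();
        String value = cookieValue.getCookieValue();
        Cookie cookie = new Cookie(COOKIE_NAME, value);
        String contextPath = request.getContextPath();
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
        cookie.setHttpOnly(true);                 // same default Tomcat applies to JSESSIONID
        cookie.setSecure(request.isSecure());     // never send the id over plain HTTP if it was issued over TLS
        // An empty value is Spring Session telling the browser to drop the cookie (session invalidated).
        cookie.setMaxAge(value.isEmpty() ? 0 : cookieValue.getCookieMaxAge());
        cookieValue.getResponse().addCookie(cookie);
    }
}

@Configuration
class SessionCookieConfig {
    /** SpringHttpSessionConfiguration#setCookieSerializer picks up this bean automatically. */
    @Bean
    CookieSerializer cookieSerializer() {
        return new TomcatCompatibleCookieSerializer();
    }
}
```

If only the cookie name differs, the built-in DefaultCookieSerializer with setCookieName("JSESSIONID") is enough; the custom class above is needed when the value encoding differs as well (newer Spring Session versions Base64-wrap the ID by default and expose setUseBase64Encoding(false) for that case).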

Spring Session + REST and x-auth-token

I am a newbie using Spring Session.
My intent is to use Spring Session on a REST API. I followed an example, but I have some unclear points.
The flow I tried to make is:
1. Request to log in, providing the user and password in the HTTP header.
As I've seen, the information about the session is saved to Redis.
2. Request to any resource of the REST API, providing the sessionID. It throws an exception saying a full authentication should be given.
I thought that providing the sessionID in the header would be enough, but it's not.
Is it possible to achieve the aforementioned flow using Spring Session?
Thanks in advance.
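The two-request flow the question describes, as an added example that is not code from the original post. Spring Session reads the session ID from a cookie unless told otherwise, so the server side below switches it to the X-Auth-Token header; the client side shows a log-in request that receives the ID and a second request that sends it back. Assumptions: Spring Session 2.x (HeaderHttpSessionIdResolver; Spring Session 1.x offers the equivalent HeaderHttpSessionStrategy), HTTP Basic on the API, and a /login path that is simply any authenticated endpoint.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

/** Server side: carry the session id in X-Auth-Token instead of a cookie. */
@Configuration
@EnableRedisHttpSession
class RestSessionConfig {
    @Bean
    HttpSessionIdResolver httpSessionIdResolver() {
        // The response of the request that created the session gets "X-Auth-Token: <id>";
        // later requests are matched to the Redis session by the same header.
        return HeaderHttpSessionIdResolver.xAuthToken();
    }
}

/** Client side: the two-request flow from the question against an HTTP Basic protected API. */
class SessionTokenClient {
    static final String TOKEN_HEADER = "X-Auth-Token";

    /** Step 1: authenticate once with user/password and keep the session id the server hands back. */
    static String login(String baseUrl, String user, String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(baseUrl + "/login").openConnection(); // assumed path
        conn.setRequestMethod("POST");
        String basic = Base64.getEncoder()
                .encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + basic);
        if (conn.getResponseCode() != 200) {
            throw new IOException("login failed with HTTP " + conn.getResponseCode());
        }
        String token = conn.getHeaderField(TOKEN_HEADER);
        if (token == null) {
            throw new IOException("server created no session (no " + TOKEN_HEADER + " header in the reply)");
        }
        return token;
    }

    /** Step 2: no credentials this time, only the session id in the header. */
    static int fetch(String url, String token) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestProperty(TOKEN_HEADER, token);
        return conn.getResponseCode();   // 200 while the session lives, 401 once it has expired
    }
}
```

The "full authentication is required" response in the question is what Spring Security returns when no session is found for the request, which is exactly what happens if the server still expects the ID in a cookie while the client sends it in a header, or if the header name differs between the two sides. The header is a bearer credential, so the API should be served over TLS only.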

Claims-based Authentication Token Expiry

Researching, I found how to change the lifetime of a token by using the PowerShell command
Set-ADFSRelyingPartyTrust -TargetName "your app display name Relying party in ADFS trust" -TokenLifetime "value in minutes"
My problem is that once that time passes I need to log out; I do not know if this is possible. Thank you for your help.
The token lifetime and your session lifetime are two different things. If you want automatic logout you can do it by configuring the session cookie lifetime at your relying party:
Windows Identity Foundation - relying party session security token lifetime
Good overview here:
ADFS 2.0 time out and relation between Freshness Value, TokenLifetime and WebSSOLifetime parameters.
Essentially, there are two parameters:
WebSSOLifetime:
This is a server-wide setting which applies to all the RPs (Relying Parties).
TokenLifetime:
This is an RP-level setting which applies to a particular RP. It will not affect other RPs configured in the ADFS server.
Key point:
In order to prompt a user to re-authenticate, we require WebSSOLifetime to be lower than the TokenLifetime.
This almost sounds like a duplicate of my question:
How to set the timeout properly when federating with the ADFS 2.0
What I had to do was to have a local event handler that deletes the cookie, but also make sure that ADFS doesn't automatically renew the session.

Getting sessionId without accessing the session

In my Grails application I'm using the Spring Security Core plugin.
Is there any method that returns a jsessionid for a given user simply by providing the username and password?
Something like this:
def myjsessionid = getJsessionidFromUser("username1", "password1")
I'm not familiar with Grails, but Spring Security itself provides Concurrent Session Control that can maintain a SessionRegistry. This registry will contain info about all user sessions that you can query, e.g. for getting the session id(s) of a given principal.
Use SessionRegistry.getAllSessions() to obtain a list of SessionInformation objects related to a given principal/user, and then getSessionId() on those objects.
The concurrency control feature is normally used to limit the number of sessions a user may have, but it can be configured not to enforce such restrictions (just maintain the registry). See more about that in the Session Management chapter.
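The registry lookup the answer describes, as an added example that is not code from the original answer: the configuration keeps a SessionRegistry without limiting sessions (maximumSessions(-1)), and a small lookup class returns the live session IDs of a user by username. It is written in Java against the Spring Security API the answer names; assumptions are Spring Security 4/5 Java configuration and a Spring Boot style of registering the listener bean. Note that the registry is keyed by principal, not by password: checking the password is the AuthenticationManager's job, and the registry cannot mint a session for a user who has not logged in through a request.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.session.HttpSessionEventPublisher;

/** Looks up the live session ids of a user by username without touching any HttpSession. */
class UserSessionLookup {
    private final SessionRegistry registry;

    UserSessionLookup(SessionRegistry registry) {
        this.registry = registry;
    }

    List<String> sessionIdsFor(String username) {
        List<String> ids = new ArrayList<>();
        for (Object principal : registry.getAllPrincipals()) {
            if (principal instanceof UserDetails
                    && username.equals(((UserDetails) principal).getUsername())) {
                // false: skip sessions that concurrency control has already marked expired
                for (SessionInformation info : registry.getAllSessions(principal, false)) {
                    ids.add(info.getSessionId());
                }
            }
        }
        return ids;
    }
}

@Configuration
@EnableWebSecurity
class RegistryOnlySecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /** Tells the registry when the container destroys a session so stale entries are dropped
     *  (Spring Boot registers this bean as a servlet listener; plain Spring needs it in web.xml). */
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated().and()
            .formLogin().and()
            .sessionManagement()
                .maximumSessions(-1)                 // -1: record every session, never reject or expire one
                .sessionRegistry(sessionRegistry());
    }
}
```

The same classes can be declared as Spring beans from a Grails application and the lookup called from a Groovy service; whoever can call sessionIdsFor() can impersonate those users, so it belongs behind an administrative role and its calls belong in the audit log.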

Using a Custom Single Sign On Authentication Service with Spring Security Core Plugin

I'm working on a Grails application and want to integrate with a custom single-sign-on service (not CAS, but similar). I'm struggling to find all the pieces that I need to customize to make this happen. Can someone explain to me a general outline as to what I need to use to accomplish this? I've read the documentation on the plugin, but it assumes I know which beans to override and where to put all the needed files.
I've block-quoted what I think needs to be done based on my research below each point.
Order of Operations
1- The user requests secure content (everything is secure in the application for now)
I believe this setting is in the Config.groovy file:
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
    '/**': ['ROLE_ADMIN']
]
2- Spring Security checks to see if the user has a specific value set in a cookie provided by the authentication service.
I'm guessing I need to create an authentication filter, but I don't know where to put it or what it should look like.
If they don't, the user is redirected to this custom SSO service; they log in, and once authenticated, the user is redirected back to my application (with a new cookie set).
3- Spring security checks for the cookie value and validates it against the custom service (via HTTP POST)
From some research, I think that I need to use PreAuthenticatedProcessingFilter, but I haven't been able to find any examples of how to do this.
4- The custom service returns a series of name/value pairs, and a user then needs to be created in the local application database (or the "lastLoggedIn" timestamp is updated if the user's data is already in the database).
I believe this is done in the same PreAuthenticatedProcessingFilter as number 3 or in a GrailsUserDetailsService.
5- The user's authentication is cached in the session for a period of time (6-8 hours) so that re-validation against the SSO service doesn't need to occur every time the user requests a new resource.
I'm not sure if this is something that's done inherently or if I need to add code to do this (and also set the session timeout)
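The five steps above wired together with Spring Security's pre-authentication classes, as an added example that is not code from the original post or from the plugin. The filter reads the SSO cookie (step 2), a PreAuthenticatedAuthenticationProvider with an AuthenticationUserDetailsService validates it against the SSO service by HTTP POST and creates or touches the local user (steps 3 and 4), the entry point redirects to the SSO login when no valid cookie is present, and the success handler caps the session at 8 hours (step 5). Assumptions: the cookie name SSO_TOKEN, the SSO URLs, a response body of one name=value pair per line with "username" and "roles" keys, a LocalUserStore interface standing in for the application's database code, and Spring Security 4/5 Java configuration.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Scanner;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Step 2: the SSO cookie value is the pre-authenticated principal; null means "no cookie, not logged in". */
class SsoCookieFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String SSO_COOKIE = "SSO_TOKEN";   // assumed cookie name

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        if (request.getCookies() == null) return null;
        for (Cookie c : request.getCookies()) {
            if (SSO_COOKIE.equals(c.getName()) && !c.getValue().isEmpty()) return c.getValue();
        }
        return null;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A";   // the opaque cookie value is checked against the SSO service, not locally
    }
}

/** Application database hook (a GORM domain class in Grails): insert, or update lastLoggedIn. Assumed. */
interface LocalUserStore { void createOrTouch(String username, Map<String, String> ssoAttributes); }

/** Steps 3 and 4: validate the cookie value via HTTP POST and turn the returned pairs into a user. */
class SsoUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    private final String validateUrl;   // e.g. https://sso.example.invalid/validate (assumed)
    private final LocalUserStore users;

    SsoUserDetailsService(String validateUrl, LocalUserStore users) {
        this.validateUrl = validateUrl;
        this.users = users;
    }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws UsernameNotFoundException {
        Map<String, String> attrs = validate((String) token.getPrincipal());
        String username = attrs.get("username");   // "username" and "roles" are assumed attribute names
        if (username == null) throw new UsernameNotFoundException("SSO response carries no username");
        users.createOrTouch(username, attrs);
        return new User(username, "N/A",
                AuthorityUtils.commaSeparatedStringToAuthorityList(attrs.getOrDefault("roles", "ROLE_USER")));
    }

    /** POSTs token=<value>; a 200 reply whose body is "name=value" lines means the token is valid. */
    Map<String, String> validate(String ssoToken) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(validateUrl).openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setReadTimeout(3000);   // a hung SSO service must not hang every request
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            conn.getOutputStream().write(("token=" + URLEncoder.encode(ssoToken, "UTF-8")).getBytes(StandardCharsets.UTF_8));
            if (conn.getResponseCode() != 200) throw new BadCredentialsException("SSO service rejected the token");
            try (Scanner in = new Scanner(conn.getInputStream(), "UTF-8")) {
                return parsePairs(in.useDelimiter("\\A").hasNext() ? in.next() : "");
            }
        } catch (IOException e) {
            throw new AuthenticationServiceException("SSO service unreachable", e);   // fail closed
        }
    }

    static Map<String, String> parsePairs(String body) {
        Map<String, String> pairs = new HashMap<>();
        for (String line : body.split("\\r?\\n")) {
            int eq = line.indexOf('=');
            if (eq > 0) pairs.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return pairs;
    }
}

@Configuration
@EnableWebSecurity
class SsoSecurityConfig extends WebSecurityConfigurerAdapter {
    static final String SSO_LOGIN_URL = "https://sso.example.invalid/login";   // assumed
    private final SsoUserDetailsService ssoUsers;

    SsoSecurityConfig(SsoUserDetailsService ssoUsers) { this.ssoUsers = ssoUsers; }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(ssoUsers);
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SsoCookieFilter filter = new SsoCookieFilter();
        filter.setAuthenticationManager(authenticationManager());
        // Step 5: the validated result lives in the HTTP session's SecurityContext and the filter does not
        // re-validate while it is present (checkForPrincipalChanges defaults to false), so cap the session.
        filter.setAuthenticationSuccessHandler((req, res, a) -> req.getSession().setMaxInactiveInterval(8 * 60 * 60));
        http.addFilter(filter)
            .authorizeRequests().anyRequest().authenticated().and()   // the question's map uses hasRole("ADMIN") here
            .exceptionHandling().authenticationEntryPoint((req, res, ex) ->   // no or invalid cookie: go to the SSO login
                res.sendRedirect(SSO_LOGIN_URL + "?return=" + URLEncoder.encode(req.getRequestURL().toString(), "UTF-8")));
    }
}
```

In a Grails 2 application the usual home for these classes is src/java (or src/groovy, translated to Groovy) with the beans declared in grails-app/conf/spring/resources.groovy. Two design points worth keeping when adapting it: the validator fails closed (an unreachable SSO service is an authentication error, not a pass), and nothing from the cookie is trusted until the SSO service has confirmed it, so the cookie value is never used as a username on its own.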
