Is it possible to setup session concurrency programmatically?
It is easy to do that using XML configuration like
<session-management>
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
but what I need is that base on some property in database I want to allow/prohibit concurrent session.
You may use Spring 3.1 java configuration for spring security enabling you own concurrency control implementation instead of ConcurrentSessionControlStrategy. See this SO answer for java config example.
Related
I'm in the process of moving my application from Spring Security's CAS client to JASIG's Java CAS client. This was due to our security group adding some custom functionality to the JASIG version.
I've seen on JASIG's website the examples of how to configure the CAS client using Spring's configuration. I've used this example:
https://wiki.jasig.org/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security
I'm using STS and it complains about numerous lines being incorrect or deprecated. Also, when using the spring security CAS client I configured my roles as part of the <sec:http> block using intercept-url tags like this:
<sec:intercept-url pattern="/api/**" access="hasAnyRole('ROLE_OPERATOR', 'ROLE_ADMINISTRATOR')" method="GET" />
However, in the example the roles are configured in the FilterSecurityInterceptor bean and while it uses the sec:intercept-url tags the expressions don't work.
I believe the issue is that the example is from an earlier version of spring security but I'm using a newer version.
Does anyone know of an updated version of the configuration for the above sample? I know I need to upgrade my config from what the example shows but I'm not a full time security guy, just a developer tasked with doing this move, so I don't live an breath this stuff every day. Any help would be greatly appreciated.
My env:
Spring Source Framework v3.2.2
Spring Security v3.1.4
JASIG CAS Client v3.2.1
-Richard Ward
Is it possible to bind the login-processing-url to POST requests only?
I would like to use GET to show the login formular and trigger the login process with POST only, something like
<security:form-login login-page="/login" login-processing-url="/login" />
Spring Security 3.2's Java Configuration does this by default. See http://docs.spring.io/spring-security/site/docs/3.2.x-SNAPSHOT/reference/htmlsingle/#jc-form
If you want to do this with XML configuration or versions prior to Spring Security 3.2 then, as Luke mentions, it is quite a bit more complicated.
NOTE: Right now Spring Security 3.2 is only available in a release candidate versions, but a GA version is scheduled for release later this month.
I am using spring security 3.1 with Hibernate and used a Custom UserdetailsService class and a custom login page for authentication.
Question is how can I get rid of using the standard spring security naming conventions in login form,
j_spring_security_check,
j_spring_security_logout,
j_username – Username,
j_password – Password
and use alternatives.
Spring security docs says that it is not a good practice to reveal these details.But I couldn't find any example on how to use custom urls for this purpose.
It will be greatly appreciated if someone could provide an example implementation.
They are configured in <form-login> and <logout> attributes:
<form-login username-parameter="" password-parameter="" login-processing-url="" />
<logout logout-url="" />
See the documentation: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#nsa-http-children.
I have configured two authentication providers in my Spring Security config:
<security:authentication-manager>
<security:authentication-provider ref="XProvider" />
<security:authentication-provider ref="YProvider" />
</security:authentication-manager>
Does spring security evaluate both providers? Or does it stop to evaluate if one of them fails? If not, How to make it stop?
Thanks.
You can specify as many providers as you want. They will be checked in the same order you declared them inside the authentication-manager tag.
Once a successful authentication is made, it will stop polling the providers. If any provider throws an AccountStatusException it will also break the polling.
I have 2 web applications running under 2 tomcats. Both these applications use the same UserDetailsService for authentication and same database. I am kinda of confused on how would I be able to autologin the user to the other application running in the same browser or cross browser once he has authenticated himself in one of the application.
Will this help ?
<session-management session-fixation-protection="none">
<concurrency-control max-sessions="2" />
</session-management>
The snippet posted above will not work. All it tells spring security is to allow two sessions for the specified user at a time.
What you need is a single sign on for both the applications. You may want to explore spring security's CAS support.