I am using Spring Security 3.1 and I want to implement a session override feature. If a user logs into the application and then tries to log in again (say, from a different browser), he should be redirected to a page which asks him if he wants to kill his previous session and continue. This should happen because the max number of sessions allowed would be 1 per user.
I am not sure how to hook this functionality in ConcurrentSessionControlStrategy.
This is my first heavy task as a junior Rails dev, so it might be trivial. All the described applications work as microservices, and my application can also be considered one.
Rails app explanation
Rails 7
Ruby 3.1.2
Devise (API and web)
I've got a Rails 7 app which is a single-page dashboard with Devise to register/login users and show data from a 3rd-party API (let's call it the main PHP microservice). User registration takes place outside the user's control via a POST request from the main PHP microservice to my Rails app. To log in to the Rails app the user needs to provide the received SMS code each time. I need to implement that piece of the login flow.
Problem explanation
The login mechanism must include two-factor authentication (2FA), which is handled by the main PHP microservice that sends an SMS (text message) with a code to log in.
From the Rails side, when the credentials (login/password) are correct, a POST request is sent to the main PHP microservice to trigger 2FA. The main PHP microservice sends an SMS code (text message) to the user's phone, which he later has to enter inside my Rails application.
So in bullet points, the login flow inside my Rails app will be:
1. User provides login/password
2. If the authentication credentials are correct, redirect to a new window where the user must enter the SMS code they received on their phone
3. Log in to the app when the provided SMS code (text message) is correct
3a. Trigger a new 2FA process via a POST request to the main PHP microservice and allow the user to enter a new code
What I was trying to use here is the gem devise-two-factor, but it uses the database to mark whether 2FA is correct or not, which I cannot use because one of the requirements of my ticket is not to use a database to determine whether 2FA is correct or not:
the gist is, username / password, and be able to set a cookie or add it to the session with the 2fa status for that session
Because of a lack of knowledge, I cannot argue with this requirement, and believe me, I tried.
Questions
From what I have read, to meet these requirements the safest way is to use encrypted cookies. How do I inject that to make it work with the described Devise login flow?
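The state the question wants to keep out of the database is small: which user passed the password step, whether the SMS code has been confirmed yet, and since when. The following is an added example, not code from the question, from Devise or from devise-two-factor: a plain-Ruby model of what would go into the Rails `session`, which the default cookie store serialises into an encrypted, signed cookie under `secret_key_base`. The `session` object is an ordinary Hash standing in for the Rails one, the POST that makes the PHP service send the SMS is not modelled, and checking the entered code against the PHP service is abstracted as an assumed `verifier` callable; the TTLs and attempt limit are assumed values.

```ruby
require "securerandom"

# Added example, not Devise/devise-two-factor code: second-factor state kept in
# the Rails session (encrypted cookie), so no DB column records whether 2FA passed.
# `session` is a plain Hash standing in for the Rails session object; keys are
# strings because the Rails session round-trips them as strings.
class SecondFactorSession
  KEY          = "tfa"
  PENDING_TTL  = 5 * 60        # seconds an unanswered SMS challenge stays valid (assumed)
  VERIFIED_TTL = 12 * 60 * 60  # seconds a completed 2FA is honoured (assumed)
  MAX_ATTEMPTS = 5             # wrong codes allowed per challenge (assumed)

  # clock is injectable so expiry can be tested without sleeping
  def initialize(session, clock: -> { Time.now.to_i })
    @session = session
    @clock = clock
  end

  # Step 2 of the flow: password accepted and the POST that makes the PHP
  # service send the SMS has been issued (not modelled). Record only who is
  # waiting and since when; the code itself never goes into the cookie.
  def start_challenge(user_id)
    @session[KEY] = {
      "user_id"   => user_id,
      "state"     => "pending",
      "issued_at" => @clock.call,
      "attempts"  => 0,
    }
    nil
  end

  # Steps 3/3a: check the submitted code. `verifier` is an assumed callable
  # (user_id, code) -> true/false that asks the PHP service whether the code
  # is right. Returns :verified, :wrong_code, :expired, :locked or :no_challenge.
  def verify(code, verifier)
    tfa = @session[KEY]
    return :no_challenge unless tfa && tfa["state"] == "pending"

    if @clock.call - tfa["issued_at"] > PENDING_TTL
      reset                      # caller should trigger a fresh challenge (step 3a)
      return :expired
    end

    tfa["attempts"] += 1
    if tfa["attempts"] > MAX_ATTEMPTS
      reset                      # too many guesses: force a new challenge
      return :locked
    end

    return :wrong_code unless verifier.call(tfa["user_id"], code.to_s.strip)

    tfa["state"]       = "verified"
    tfa["verified_at"] = @clock.call
    :verified
  end

  # Guard for a before_action on every protected controller: the session must
  # say 2FA passed, for this user, and not too long ago.
  def verified?(user_id)
    tfa = @session[KEY]
    return false unless tfa && tfa["state"] == "verified" && tfa["user_id"] == user_id
    @clock.call - tfa["verified_at"] <= VERIFIED_TTL
  end

  # Call on logout so a reused cookie cannot carry the flag over.
  def reset
    @session.delete(KEY)
  end

  # Constant-time comparison for the demo verifier below (avoids
  # OpenSSL.fixed_length_secure_compare, which needs a recent openssl gem).
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed demo: a stand-in for the PHP-side check, comparing against the
  # code the service would have sent by SMS.
  sent_code = "482913"
  verifier  = ->(_user_id, code) { SecondFactorSession.secure_equal?(sent_code, code) }
  session   = {}
  tfa = SecondFactorSession.new(session)
  tfa.start_challenge(42)
  puts tfa.verify("000000", verifier)   # wrong_code
  puts tfa.verify(sent_code, verifier)  # verified
  puts tfa.verified?(42)                # true
  puts session.inspect                  # what would be encrypted into the cookie
end
```

In a Devise app the Warden `after_set_user` hook (or the sessions controller's `create`) would call `start_challenge` and redirect to the code form, the code form's action would call `verify`, and a `before_action` on protected controllers would redirect unless `verified?(current_user.id)`; `reset` belongs in the sign-out path. Because the cookie is encrypted and signed, a client cannot set the `verified` flag itself, but a stolen cookie is still a valid session, which is why the flag carries its own lifetime.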
We have created an Identity Server 4 application for single sign-on in ASP.NET Core 2.0. We use the Microsoft Identity framework for login and account-related pages.
The client applications are created using .NET FW 4.7.1 in MVC 5, which then connect to the identity server for single sign-on purposes (we used Identity Server 3 in the client application).
We have a requirement wherein users are allowed to log in to the application only from a single device at a time. To achieve this, on user login, we create a unique LoginSessionId and store it in the DB. On logout, we just set this session id to null.
If someone else tries to log in with the same user on another device, we just check if the LoginSessionId has a value. If yes, then we give a message informing the user that he's already logged in on another device and asking if he wants to kill the other session. If he says yes, we let him log in and reset the LoginSessionId with a new one. As for the first device login, we have a check in place to log that user out if his current LoginSessionId does not match the one in the DB, so he gets logged out.
We have also set the AccessTokenLifetime and IdentityTokenLifetime of the identity server client application to 24 hours. Here is the problem we're facing:
When the 24 hours are up after user login, the user gets logged out since the token must have expired. But the LoginSessionId mentioned earlier is not reset. Thus when the user tries to log back in, we end up showing the "already logged in on another device" message, which is not really the case. The questions are:
Is there any way to raise the token expiry event so that we can clear the LoginSessionId there?
Is there any common place where we can identify the various reasons for which the user gets logged out, like whether it was due to token expiry, because he was idle for a long time (sliding expiry, I think), or because he clicked logout himself, etc.?
What is the max value that we can set for AccessTokenLifetime and IdentityTokenLifetime?
One needs to implement IEventService and IEventSink in Identity Server 4 to get those events.
For more details, you can refer to this link.
I am involved in the development of a portal-style application. The diagram above shows the core UI wireframe of the application. There is one main application, mainApp, which acts as the portal application. It contains a sidebar menu which provides "entry points" to launch various other web applications (App1, App2... AppN), which are independent, separately packaged and deployed war files running in the same Tomcat server as mainApp.
All applications are Spring (3.2.x) based and have Spring Security (3.2.x) integrated. The user only logs into mainApp using Spring Security's standard login form mechanism. The obvious expectation is that the user does not have to log in to each individual application they launch from the sidebar menu. The same user should be logged into each of the launched applications automatically.
App1, App2,... AppN are loaded via their respective URLs in an iFrame within the mainApp's page as illustrated in the diagram as well.
As a very rudimentary first iteration, I have implemented a filter extending Spring's AbstractPreAuthenticatedProcessingFilter in each of the portal applications. The filter looks for a URL parameter authToken and automatically logs the user in if the parameter is found and Base64-decodes (I know, very weak!) to the user name. If the token is not found, the user might see a Spring Security login screen inside the iFrame (ugly).
Questions:
Is there a better, more secure way, compared to a query parameter, to pass the authentication token or ticket to the application being launched inside the iFrame? I presume I cannot use request headers, as there is no way to pass them when the main portal app sets the URL in the iFrame? Or is there a way? Or any other mechanism?
When the user logs out of mainApp, how do I log the user out of each of App1, App2...AppN that the user has launched and been pre-authenticated into? Programmatically hit the Spring Security /logout endpoint in each application when logout occurs in the main portal app?
Thanks!
I have an idea:
You can set the Spring Security login page to another page which redirects the parent window to the login page:
spring security config:
formLogin().loginPage("/redirect_login.jsp")
redirect_login.jsp:
<script>
  // break out of the iFrame: send the parent (portal) window to the login page
  window.parent.location.href = "./login.jsp";
</script>
I am trying to implement the 'remember me' feature in my Grails application using Spring Security Core. The idea is to log the user in directly, without asking for username and password, if the user has logged in earlier. So, I added this configuration to my Config.groovy file:
grails.plugins.springsecurity.rememberMe.cookieName='sptest_remember_me'
grails.plugins.springsecurity.rememberMe.alwaysRemember=true
grails.plugins.springsecurity.rememberMe.tokenValiditySeconds=5*60
grails.plugins.springsecurity.rememberMe.parameter='_spring_security_remember_me'
grails.plugins.springsecurity.rememberMe.key='sptest_test'
grails.plugins.springsecurity.rememberMe.useSecureCookie=false
grails.plugins.springsecurity.rememberMe.persistent=false
But I am prompted with the login screen after the session has expired. I want the application to remember the user's login for a month or so. How do I do it?
I'm using DotNetOpenAuth. I configured my application with custom forms authentication with Gmail OpenID through DotNetOpenAuth. I can successfully log in to my app. But say, for example, I logged out from the application and click login (within 10 to 15 sec); it's not redirecting to the Gmail login. It generated the authentication token by itself without asking the user. (I suspect something has cached the OpenID.)
I used PAPE:
request.AddExtension(new PolicyRequest()
{
MaximumAuthenticationAge = TimeSpan.Zero
});
And I also tried configuring it in web.config:
<openid cacheDiscovery="false">
Is there any workaround for this?
NOTE: Once I log out, I clear ALL Session state and call FormsAuthentication.SignOut().
With OpenID, you as the relying party cannot force the login policy for the user at their Provider. You can request that the Provider re-login the user, as you have with the PAPE extension, but the Provider may still ignore that.
The cacheDiscovery setting is irrelevant to pass-through login, so I suggest you remove that entry, as it will simply slow down all logins.
I think you're mistaken when you say it's not redirecting to Google. If you look at the logs, or at your browser's URL bar, you should see the redirect to Google.com; but at that point Google decides the user has a login session, avoids prompting them to log in again, and redirects the user immediately back to your site.