I'm using Spring Security 3 and my ApplicationContext-Security.xml specifies
<form-login login-page="/genesis" default-target-url="/diagnostics/start-diagnostics"
            authentication-failure-url="/genesis?authfailed=true"
            authentication-success-handler-ref="customTargetUrlResolver"/>
<access-denied-handler error-page="/genesis?notauthorized=true"/>
<logout logout-success-url="/genesis"/>
<session-management session-authentication-error-url="/genesis">
    <concurrency-control max-sessions="1"/>
</session-management>
However, when I log into my app in a second browser and then return to my first browser, as soon as I try to do anything I get a plain white screen with the message "This session has been expired (possibly due to multiple concurrent logins being attempted as the same user)".
How do I configure Spring Security 3 to display my own "you've been disconnected" URL?
You can either:
force the concurrency filter to throw an authentication exception (it will then be handled by <form-login>), or
provide your own session-expired page.
Both situations are described in the Spring Security manual:
<concurrency-control> Attributes
error-if-maximum-exceeded
If set to "true" a SessionAuthenticationException will be raised when
a user attempts to exceed the maximum allowed number of sessions. The
default behaviour is to expire the original session.
expired-url
The URL a user will be redirected to if they attempt to use a session
which has been "expired" by the concurrent session controller because
the user has exceeded the number of allowed sessions and has logged in
again elsewhere. Should be set unless exception-if-maximum-exceeded is
set. If no value is supplied, an expiry message will just be written
directly back to the response.
Also check ConcurrentSessionFilter and ConcurrentSessionControlStrategy for more details.
Answering your question: in your config you should have something like this:
<session-management session-authentication-error-url="/genesis">
    <concurrency-control max-sessions="1" expired-url="/sessionExpired.jsp" />
</session-management>
Note that expired-url is not the same as session-authentication-error-url.
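As an added illustration (not part of the answer above): the two alternatives side by side in Spring Security 3 namespace form, together with the web.xml listener that concurrency control needs in order to learn when a session is destroyed. The expired-url value /genesis?expired=true is an assumption, and the intercept-url rules of the original application are left out; everything else is taken from the question's configuration.

```xml
<!-- applicationContext-security.xml (Spring Security 3 namespace); added illustration -->
<http>
    <!-- your intercept-url rules go here -->
    <form-login login-page="/genesis"
                default-target-url="/diagnostics/start-diagnostics"
                authentication-failure-url="/genesis?authfailed=true"
                authentication-success-handler-ref="customTargetUrlResolver"/>
    <access-denied-handler error-page="/genesis?notauthorized=true"/>
    <logout logout-success-url="/genesis"/>

    <!-- Variant A: the second login wins. The first browser's session is marked
         expired, and its next request is redirected to expired-url (assumed value)
         instead of getting the plain-text message written to the response. -->
    <session-management session-authentication-error-url="/genesis">
        <concurrency-control max-sessions="1"
                             expired-url="/genesis?expired=true"/>
    </session-management>

    <!-- Variant B (use instead of A, not together): the first session stays valid and
         the second login attempt fails with SessionAuthenticationException. For
         form-login that exception is an authentication failure, so the second browser
         is sent to authentication-failure-url (/genesis?authfailed=true above).
    <session-management session-authentication-error-url="/genesis">
        <concurrency-control max-sessions="1"
                             error-if-maximum-exceeded="true"/>
    </session-management>
    -->
</http>

<!-- web.xml: without this listener the session registry is never told that a
     session was destroyed, so stale sessions keep counting against max-sessions -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```

Pick exactly one of the two session-management blocks. Variant A is the behaviour the question already has, only with a proper page; variant B changes who loses: the user who is already logged in keeps working and the newcomer is refused.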
Related
I have a subflow that ensures an OAuth access token is current. The token value is saved in an object store that expires the entry shortly before it times out. When expired, a new token value is retrieved and placed in the object store.
I didn't find any straightforward examples of a Mule v3 methodology to refresh a token that utilizes an object store, so here's the code, if anyone's interested.
<sub-flow name="get_token">
    <objectstore:retrieve config-ref="TokenStore" key="StatusToken" defaultValue-ref="#['expired']" targetProperty="StatusToken" doc:name="Get token from Object Store"/>
    <choice doc:name="Expired?">
        <when expression="#[flowVars.StatusToken == 'expired']">
            <set-payload value="#[{'grant_type':'refresh_token', 'refresh_token':'${RefreshToken}'}]" doc:name="Set payload for token refresh"/>
            <http:request config-ref="HTTP-Token" path="${tokenPath}" method="POST" doc:name="Get new token">
                <http:request-builder>
                    <http:header headerName="Content-Type" value="application/x-www-form-urlencoded"/>
                </http:request-builder>
            </http:request>
            <dw:transform-message doc:name="Write token to flowVar">
                <dw:set-variable variableName="StatusToken">
                <![CDATA[
%dw 1.0
%output application/java
---
payload.access_token
                ]]>
                </dw:set-variable>
            </dw:transform-message>
            <objectstore:store config-ref="TokenStore" key="StatusToken" value-ref="#[flowVars.StatusToken]" doc:name="Put token to Object Store"/>
        </when>
        <otherwise>
            <set-variable variableName="Useless" value="#['']" doc:name="Useless placeholder"/>
        </otherwise>
    </choice>
</sub-flow>
The flow works well as designed, but here's my question. A choice router checks to see if the token has expired. There is no action required otherwise, and the flow errors out if the default path is empty. What's the simplest element to minimize processing and any resource utilization on the default path?
Following Ryan Carter's comment, this could be marked as a duplicate, but not really.
Here's the link:
How do I implement IF in mulesoft
Summary
Mule 4:
The <otherwise> tag is not needed
Mule 3:
A component is needed. I tend to use Logger with the level of TRACE, since log4j2 is smart and won't substitute parameters if the level is set to DEBUG and higher. However, if you really need to debug a flow, it would be good to see that it got routed correctly.
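An added example, not from the question or the answer: the Mule 3 router with a TRACE-level logger as the no-op branch, and the same router in Mule 4 form, where the branch is dropped altogether. The flow-ref target refresh_status_token is a placeholder name standing in for the refresh steps from the question's sub-flow.

```xml
<!-- Mule 3: the router must have a message processor on every path it can take -->
<choice doc:name="Expired?">
    <when expression="#[flowVars.StatusToken == 'expired']">
        <!-- placeholder for the set-payload / http:request / objectstore:store steps -->
        <flow-ref name="refresh_status_token" doc:name="Refresh token"/>
    </when>
    <otherwise>
        <!-- Cheapest no-op: nothing is written unless TRACE is enabled, and the
             message deliberately does not include the token value. -->
        <logger level="TRACE" message="Cached token still valid" doc:name="Token valid"/>
    </otherwise>
</choice>

<!-- Mule 4: <otherwise> is optional, so the no-op branch can simply be left out -->
<choice doc:name="Expired?">
    <when expression="#[vars.StatusToken == 'expired']">
        <flow-ref name="refresh_status_token" doc:name="Refresh token"/>
    </when>
</choice>
```

Whatever placeholder you settle on, keep the token value out of its message: a TRACE logger costs nothing while TRACE is disabled, but the moment someone raises the level to chase a routing problem, a message that includes flowVars.StatusToken writes the bearer token to the log.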
I have an issue with this feature.
The SignIn action works well with ADFS and returns to AuthServices/Acs.
But the Logout action doesn't call ADFS and redirects directly to the ReturnUrl parameter (checked with Fiddler).
I'm calling this link: /AuthServices/Logout?ReturnUrl=~/&Status=LoggedOut
web.config is set up like this:
<kentor.authServices entityId="https://localhost:2181/AuthServices" returnUrl="https://localhost:2181/">
    <identityProviders>
        <add
            entityId="https://ADFS DOMAIN/adfs/services/trust"
            signOnUrl="https://ADFS DOMAIN/adfs/ls"
            logoutUrl="https://ADFS DOMAIN/adfs/ls/?wa=wsignout1.0"
            binding="HttpPost"
            allowUnsolicitedAuthnResponse="true"
            metadataLocation="https://ADFS DOMAIN/FederationMetadata/2007-06/FederationMetadata.xml"
            wantAuthnRequestsSigned="true">
            <signingCertificate fileName="~/App_Data/*****.cer" />
        </add>
    </identityProviders>
</kentor.authServices>
If I open https://ADFS DOMAIN/adfs/ls/?wa=wsignout1.0 in another tab, it works: I am returned to the sign-in page of my website.
So it seems to be an internal issue with retrieving the logoutUrl and sending it?
Thanks for your help.
There are a number of requirements that need to be met before a logout request will be issued:
You need to have a http://kentor.se/AuthServices/LogoutNameIdentifier claim and its issuer has to match the IDP that you're trying to logout from.
You need to have http://kentor.se/AuthServices/SessionIndex claim.
Your AuthServices IDP configuration needs a logoutUrl (I see you've specified this but probably it's easier to let AuthServices read it from the metadata)
You have specified a ServiceCertificate with either Signing or Both usage (i.e. not just Encryption)
Your AuthServices IDP configuration has DisableOutboundLogoutRequests = false (this is the default)
Missing claims (the first two points) are the most likely issue if you have some claims transformation happening during login or you are not retaining the original ClaimsIdentity. See also the documentation regarding ClaimsAuthenticationManager, e.g. https://github.com/KentorIT/authservices/blob/master/doc/ClaimsAuthenticationManager.md
You can turn on logging and see which of these points are failing:
https://github.com/KentorIT/authservices/blob/v0.21.2/Kentor.AuthServices/WebSSO/LogOutCommand.cs#L155-L170
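As an added configuration example (not from the original post or from the AuthServices project): a web.config that covers points 3 to 5 above by letting AuthServices take signOnUrl, logoutUrl, binding and the IdP signing certificate from the federation metadata, and by registering a service certificate that is allowed to sign. The file name Sp.pfx is an assumption, and the serviceCertificates element with its use/status attributes is written from memory of the AuthServices configuration reference, so check it against the version you run; the entity IDs and metadata URL are the ones from the question.

```xml
<kentor.authServices entityId="https://localhost:2181/AuthServices"
                     returnUrl="https://localhost:2181/">
  <!-- Outbound LogoutRequests are signed, so the SP needs a certificate whose use
       includes Signing; use="Encryption" alone does not satisfy requirement 4.
       (Element and attribute names as remembered from the AuthServices docs.) -->
  <serviceCertificates>
    <add fileName="~/App_Data/Sp.pfx" use="Both" status="Current"/>
  </serviceCertificates>
  <identityProviders>
    <!-- loadMetadata="true" makes AuthServices read signOnUrl, logoutUrl, binding
         and the IdP signing certificate from the ADFS metadata, so the hand-typed
         logoutUrl and signingCertificate from the question are no longer needed. -->
    <add entityId="https://ADFS DOMAIN/adfs/services/trust"
         loadMetadata="true"
         metadataLocation="https://ADFS DOMAIN/FederationMetadata/2007-06/FederationMetadata.xml"
         allowUnsolicitedAuthnResponse="true"
         wantAuthnRequestsSigned="true"/>
  </identityProviders>
</kentor.authServices>
```

The first two requirements are about the claims in the signed-in ClaimsIdentity rather than about configuration, so no web.config change fixes them: if a ClaimsAuthenticationManager rebuilds the identity during login, it has to carry the LogoutNameIdentifier and SessionIndex claims across, otherwise there is nothing to put into a LogoutRequest and AuthServices just signs out locally and redirects to ReturnUrl, which is what you saw in Fiddler.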
I'm facing a problem related to the users' sessions. I'm using Adapter Based Authentication, which I use to authenticate the user so that he can get secret data from the web service.
For example, when user1 logs in, he gets his own data. Now when user2 logs in, he gets his own data. But user1 also gets user2's data. So all the users are getting the data of the last logged-in user.
I tried to put connectAs="endUser" but I'm still facing the same problem.
Any idea how to solve this problem?
Practically, I have the opposite behaviour of this question:
IBM Worklight 6.0 - Adapter with basic auth doesn't update auth header if client logs out/in
This is the authenticationConfig.xml:
<securityTests>
    <customSecurityTest name="AdapterSecurityTest">
        <test isInternalUserID="true" realm="AdapterAuthRealm" />
    </customSecurityTest>
    <mobileSecurityTest name="PushSecurityTest">
        <testUser realm="AdapterAuthRealm"/>
        <testDeviceId provisioningType="none"/>
    </mobileSecurityTest>
</securityTests>
<realms>
    <realm name="AdapterAuthRealm" loginModule="AdapterLoginModule">
        <className>com.worklight.integration.auth.AdapterAuthenticator</className>
        <parameter name="login-function" value="MyAdapter.onAuthRequired" />
        <parameter name="logout-function" value="MyAdapter.onLogout" />
    </realm>
</realms>
<loginModules>
    <loginModule name="AdapterLoginModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>
</loginModules>
connectAs="endUser" should be set on getSecretData, not on authenticate.
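An added fragment, not part of the answer above: the procedures section of the adapter XML with connectAs="endUser" on the data procedure rather than on the authentication procedure. The procedure names other than onAuthRequired, onLogout and getSecretData are placeholders (the question only names the login and logout functions); the security test name is the one from the question's authenticationConfig.xml.

```xml
<!-- MyAdapter.xml, <procedure> declarations (added illustration, names partly assumed) -->

<!-- Wrong place: there is no authenticated end user yet while this procedure runs,
     so connectAs here has no effect on the data call that follows -->
<procedure name="authenticate" connectAs="endUser"/>

<!-- Framework callbacks referenced by the realm's login-function / logout-function -->
<procedure name="onAuthRequired"/>
<procedure name="onLogout"/>

<!-- Right place: the protected procedure is invoked with the caller's identity,
     so the back-end request is made as that user instead of through the adapter's
     shared server identity -->
<procedure name="getSecretData" securityTest="AdapterSecurityTest" connectAs="endUser"/>
```

Keep the securityTest on getSecretData: connectAs="endUser" only makes sense once the realm has established who the caller is, and the security test is what forces that before the procedure runs.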
What I am doing is setting the session timeout of both Alfresco and Share to 60 minutes in their web.xml files.
My scenario is:
When I want to start a workflow on the Start Workflow page, I fill in all
the necessary data but do not click the "Start Workflow" button.
After the session times out, I click the "Start Workflow" button.
The first time, an authentication box opens and asks for a username
and password.
I fill in the username and password of another user.
It starts a workflow as that other, authenticated user.
On later session timeouts, it does not show the authentication
box, but acts as the previously authenticated user.
So I wonder: why does this happen? Is it because of a cookie?
Currently four cookies are used, namely alfLogin, alfUsername2, JSESSIONID and _alfTest. Only when the user logs out is the alfUsername2 cookie deleted; the others remain. The alfLogin and alfUsername2 cookies expire after 7 days, and the other cookies depend on the session.
Can Alfresco web scripts still be used after session timeout? If so, how can I avoid this condition?
Although I have to answer my own question, I just want to share my result. I had to trace a lot, but the answer is quite simple.
Firstly, it is not because of a cookie.
This answer applies not only to clicking the "Start Workflow" button but also to calling any Alfresco web script from Share after session timeout.
All calls to Alfresco web scripts go through EndPointProxyController, specifically org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController in spring-webscripts-1.0.0-sources.jar.
In the handleRequestInternal method, if there is no session and basicHttpAuthChallenge is true, the basic authentication box is shown, as below:
else if (this.basicHttpAuthChallenge || descriptor.getBasicAuth())
{
    // check for HTTP authorisation request (i.e. RSS feeds, direct links etc.)
    String authorization = req.getHeader("Authorization");
    if (authorization == null || authorization.length() == 0)
    {
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED,
                "No USER_ID found in session and requested endpoint requires authentication.");
        res.setHeader("WWW-Authenticate", "Basic realm=\"Alfresco\"");
        // no further processing as authentication is required but not provided
        // the browser will now prompt the user for appropriate credentials
        return null;
    }
    else
    {
        // other coding
    }
}
We can avoid this condition by changing basicHttpAuthChallenge to false in the endpointController bean of slingshot-application-context.xml, like this:
<!-- Override EndPointProxyController to enable Basic HTTP auth challenge on 401 response -->
<bean id="endpointController" class="org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController">
    <property name="cacheSeconds" value="-1" />
    <property name="useExpiresHeader"><value>true</value></property>
    <property name="useCacheControlHeader"><value>true</value></property>
    <property name="configService" ref="web.config" />
    <property name="connectorService" ref="connector.service" />
    <property name="supportedMethods"><null/></property>
    <property name="basicHttpAuthChallenge"><value>false</value></property>
</bean>
What is the exact use of the entry below in the WAS 6.1 server.xml? Can you please tell me why we need this "defaultCookieSettings" and its attribute secure="false"?
defaultCookieSettings xmi:id="Cookie_1282579260990" domain="" maximumAge="-1" secure="false"
<components xmi:type="applicationserver.webcontainer:WebContainer" xmi:id="WebContainer_1282579260990" enableServletCaching="false" disablePooling="false">
    <stateManagement xmi:id="StateManageable_1282579260993" initialState="START"/>
    <services xmi:type="applicationserver.webcontainer:SessionManager" xmi:id="SessionManager_1282579260990" enable="true" enableUrlRewriting="false" enableCookies="true" enableSSLTracking="false" enableProtocolSwitchRewriting="false" sessionPersistenceMode="NONE" enableSecurityIntegration="false" allowSerializedSessionAccess="false" maxWaitTime="5" accessSessionOnTimeout="true">
        <defaultCookieSettings xmi:id="Cookie_1282579260990" domain="" maximumAge="-1" secure="false"/>
        <sessionDatabasePersistence xmi:id="SessionDatabasePersistence_1282579260990" datasourceJNDIName="jdbc/Sessions" userId="db2admin" password="{xor}Oz1tPjsyNjE=" db2RowSize="ROW_SIZE_4KB" tableSpaceName=""/>
        <tuningParams xmi:id="TuningParams_1282579260990" usingMultiRowSchema="false" maxInMemorySessionCount="1000" allowOverflow="true" scheduleInvalidation="false" writeFrequency="TIME_BASED_WRITE" writeInterval="10" writeContents="ONLY_UPDATED_ATTRIBUTES" invalidationTimeout="30">
            <invalidationSchedule xmi:id="InvalidationSchedule_1282579260990" firstHour="14" secondHour="2"/>
        </tuningParams>
    </services>
</components>
If I change it to secure="true", what will be the impact?
The setting will specify that the session cookies include the secure field. Enabling the feature restricts the exchange of cookies to HTTPS sessions only.
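An added before/after fragment (not from the answer): the same defaultCookieSettings line with the weak and the corrected value, and the Set-Cookie header each one produces. The header lines are illustrative, with the cookie value elided; the xmi:id is the one from the question.

```xml
<!-- Before: the browser sends JSESSIONID over plain HTTP as well as HTTPS, so a
     passive observer on the network path can pick up the session identifier -->
<defaultCookieSettings xmi:id="Cookie_1282579260990" domain="" maximumAge="-1" secure="false"/>

<!-- After: the browser only attaches JSESSIONID to TLS connections -->
<defaultCookieSettings xmi:id="Cookie_1282579260990" domain="" maximumAge="-1" secure="true"/>

<!-- Resulting response header (illustrative, value elided):
     secure="false"  =>  Set-Cookie: JSESSIONID=...; Path=/
     secure="true"   =>  Set-Cookie: JSESSIONID=...; Path=/; Secure
-->
```

Once secure="true" is set, any request that still arrives over plain HTTP no longer carries JSESSIONID and therefore starts a fresh session, so make sure the application is reached only over HTTPS (or redirected to it) before switching this on.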