Grails Spring Security max concurrent session -

-

i have grails 2.5.1 app spring security plugin(2.0-rc5). block number of current session per user. have read blog , doesn't work.(http://www.block-consult.com/blog/2012/01/20/restricting-concurrent-user-sessions-in-grails-2-using-spring-security-core-plugin/) resources.groovy

beans = {   sessionregistry(sessionregistryimpl)      concurrencyfilter(concurrentsessionfilter,sessionregistry,'/main/index'){         logouthandlers = [ref("remembermeservices"), ref("securitycontextlogouthandler")]     }     concurrentsessioncontrolstrategy(concurrentsessioncontrolauthenticationstrategy, sessionregistry) {         exceptionifmaximumexceeded = true         maximumsessions = 1      } }

in boostrap.groovy

 def init = { servletcontext ->     springsecurityutils.clientregisterfilter('concurrencyfilter', securityfilterposition.concurrent_session_filter)   }

and config.groovy have added this:

grails.plugin.springsecurity.usehttpsessioneventpublisher = true

thanks..

to start with, let me warn if decided continue solution.

  • sessionregistryimpl not scalable. need create own scalable implementation based on scaling plan(e.g. data grid). session replication not enough.
  • currently, default logout handlers did not remove sessionregistry properly. have created sample logout handler called customsessionlogouthandler.
  • you have override grails spring-security-core login controller handle sessionauthenticationexception.
  • you can change number of users can login maximumsessions = 1 -1 unlimited sessions.

first, in resources.groovy

import org.springframework.security.core.session.sessionregistryimpl; import org.springframework.security.web.authentication.session.concurrentsessioncontrolauthenticationstrategy; import org.springframework.security.web.authentication.session.sessionfixationprotectionstrategy; import org.springframework.security.web.authentication.session.registersessionauthenticationstrategy; import org.springframework.security.web.authentication.session.compositesessionauthenticationstrategy; import com.basic.customsessionlogouthandler   // place spring dsl code here beans = {  sessionregistry(sessionregistryimpl)  customsessionlogouthandler(customsessionlogouthandler,ref('sessionregistry')    )  concurrentsessioncontrolauthenticationstrategy(concurrentsessioncontrolauthenticationstrategy,ref('sessionregistry')){     exceptionifmaximumexceeded = true     maximumsessions = 1 }  sessionfixationprotectionstrategy(sessionfixationprotectionstrategy){     migratesessionattributes = true     alwayscreatesession = true } registersessionauthenticationstrategy(registersessionauthenticationstrategy,ref('sessionregistry'))  sessionauthenticationstrategy(compositesessionauthenticationstrategy,[ref('concurrentsessioncontrolauthenticationstrategy'),ref('sessionfixationprotectionstrategy'),ref('registersessionauthenticationstrategy')])  }

in config.groovy make sure customsessionlogouthandler first before securitycontextlogouthandler:

grails.plugin.springsecurity.logout.handlernames = ['customsessionlogouthandler','securitycontextlogouthandler']

concurrentsessioncontrolauthenticationstrategy uses i18n. can have in language:

concurrentsessioncontrolauthenticationstrategy.exceededallowed = maximum sessions principal exceeded. {0}

this sample customsessionlogouthandler can save in src/groovy/com/basic/customsessionlogouthandler.groovy:

/* * copyright 2002-2013 original author or authors.  *  * licensed under apache license, version 2.0 (the "license");  * may not use file except in compliance license.  * may obtain copy of license @  *  *      http://www.apache.org/licenses/license-2.0  *  * unless required applicable law or agreed in writing, software  * distributed under license distributed on "as is" basis,  * without warranties or conditions of kind, either express or implied.  * see license specific language governing permissions ,  * limitations under license.  */ package com.basic;  import javax.servlet.http.httpservletrequest; import javax.servlet.http.httpservletresponse;  import org.springframework.security.core.authentication; import org.springframework.security.web.authentication.logout.logouthandler; import org.springframework.util.assert; import org.springframework.security.core.session.sessionregistry;  /**  * {@link customsessionlogouthandler} in charge of removing {@link sessionregistry} upon logout.  * new {@link sessionregistry} generated framework upon next request.  *  * @author mohd qusyairi  * @since 0.1  */ public final class customsessionlogouthandler implements logouthandler {     private final sessionregistry sessionregistry;      /**      * creates new instance      * @param sessionregistry {@link sessionregistry} use      */     public customsessionlogouthandler(sessionregistry sessionregistry) {         assert.notnull(sessionregistry, "sessionregistry cannot null");         this.sessionregistry = sessionregistry;     }      /**      * clears {@link sessionregistry}      *      * @see org.springframework.security.web.authentication.logout.logouthandler#logout(javax.servlet.http.httpservletrequest,      * javax.servlet.http.httpservletresponse,      * org.springframework.security.core.authentication)      */     public void logout(httpservletrequest request, httpservletresponse response,             authentication authentication) {         this.sessionregistry.removesessioninformation(request.getsession().getid());     } }

my sample login controller (i copied source) if need too. save normal controller in project override default. see line 115 below handle sessionauthenticationexception:

/* copyright 2013-2016 original author or authors.  *  * licensed under apache license, version 2.0 (the "license");  * may not use file except in compliance license.  * may obtain copy of license @  *  *      http://www.apache.org/licenses/license-2.0  *  * unless required applicable law or agreed in writing, software  * distributed under license distributed on "as is" basis,  * without warranties or conditions of kind, either express or implied.  * see license specific language governing permissions ,  * limitations under license.  */ package com.basic  import grails.converters.json import org.springframework.security.access.annotation.secured import org.springframework.security.authentication.accountexpiredexception import org.springframework.security.authentication.authenticationtrustresolver import org.springframework.security.authentication.credentialsexpiredexception import org.springframework.security.authentication.disabledexception import org.springframework.security.authentication.lockedexception import org.springframework.security.core.authentication import org.springframework.security.core.context.securitycontextholder import org.springframework.security.web.webattributes import org.springframework.security.web.authentication.session.sessionauthenticationexception import javax.servlet.http.httpservletresponse import grails.plugin.springsecurity.springsecurityutils  @secured('permitall') class logincontroller {      /** dependency injection authenticationtrustresolver. */     authenticationtrustresolver authenticationtrustresolver      /** dependency injection springsecurityservice. */     def springsecurityservice      /** default action; redirects 'defaulttargeturl' if logged in, /login/auth otherwise. */     def index() {         if (springsecurityservice.isloggedin()) {             redirect uri: conf.successhandler.defaulttargeturl         }         else {             redirect action: 'auth', params: params         }     }      /** show login page. */     def auth() {          def conf = getconf()          if (springsecurityservice.isloggedin()) {             redirect uri: conf.successhandler.defaulttargeturl             return         }          string posturl = request.contextpath + conf.apf.filterprocessesurl         render view: 'auth', model: [posturl: posturl,                                      remembermeparameter: conf.rememberme.parameter,                                      usernameparameter: conf.apf.usernameparameter,                                      passwordparameter: conf.apf.passwordparameter,                                      gsplayout: conf.gsp.layoutauth]     }      /** redirect action ajax requests. */     def authajax() {         response.setheader 'location', conf.auth.ajaxloginformurl         render(status: httpservletresponse.sc_unauthorized, text: 'unauthorized')     }      /** show denied page. */     def denied() {         if (springsecurityservice.isloggedin() && authenticationtrustresolver.isrememberme(authentication)) {             // have cookie page guarded is_authenticated_fully (or equivalent expression)             redirect action: 'full', params: params             return         }          [gsplayout: conf.gsp.layoutdenied]     }      /** login page users remember-me cookie accessing is_authenticated_fully page. */     def full() {         def conf = getconf()         render view: 'auth', params: params,                model: [hascookie: authenticationtrustresolver.isrememberme(authentication),                        posturl: request.contextpath + conf.apf.filterprocessesurl,                        remembermeparameter: conf.rememberme.parameter,                        usernameparameter: conf.apf.usernameparameter,                        passwordparameter: conf.apf.passwordparameter,                        gsplayout: conf.gsp.layoutauth]     }      /** callback after failed login. redirects auth page warning message. */     def authfail() {          string msg = ''         def exception = session[webattributes.authentication_exception]         if (exception) {             if (exception instanceof accountexpiredexception) {                 msg = message(code: 'springsecurity.errors.login.expired')             }             else if (exception instanceof credentialsexpiredexception) {                 msg = message(code: 'springsecurity.errors.login.passwordexpired')             }             else if (exception instanceof disabledexception) {                 msg = message(code: 'springsecurity.errors.login.disabled')             }             else if (exception instanceof lockedexception) {                 msg = message(code: 'springsecurity.errors.login.locked')             }             else if (exception instanceof sessionauthenticationexception){                 msg = exception.getmessage()             }             else {                 msg = message(code: 'springsecurity.errors.login.fail')             }         }          if (springsecurityservice.isajax(request)) {             render([error: msg] json)         }         else {             flash.message = msg             redirect action: 'auth', params: params         }     }      /** ajax success redirect url. */     def ajaxsuccess() {         render([success: true, username: authentication.name] json)     }      /** ajax denied redirect url. */     def ajaxdenied() {         render([error: 'access denied'] json)     }      protected authentication getauthentication() {         securitycontextholder.context?.authentication     }      protected configobject getconf() {         springsecurityutils.securityconfig     } }

Comments

Post a Comment

Popular posts from this blog

c - How to retrieve a variable from the Apache configuration inside the module? -

-
i'm building custom apache module. how retrieve variable apache configuration inside module? see variable "some_var_config_from_apache_or_htaacess" inside apache module: /* source: http://people.apache.org/~humbedooh/mods/examples/mod_example_1.c */ /* include required headers httpd */ #include "httpd.h" #include "http_core.h" #include "http_protocol.h" #include "http_request.h" static void register_hooks(apr_pool_t *pool); static int example_handler(request_rec *r); /* define our module entity , assign function registering hooks */ module ap_module_declare_data example_module = { standard20_module_stuff, null, // per-directory configuration handler null, // merge handler per-directory configurations null, // per-server configuration handler null, // merge handler per-server configurations null, // directives may have httpd register_hoo
Read more

c# - Constructor arguments cannot be passed for interface mocks -

-
when debug code , read line mocklessonplannerafactory creation error: constructor arguments cannot passed interface mocks. var mockschoolclasscodeservice = new mock<ischoolclasscodeservice>(); var mockdateservice = new mock<idateservice>(); var mocklessonplannerafactory = new mock<ilessonplannerafactory>(mockdateservice.object); var mocklessonplannerbfactory = new mock<ilessonplannerbfactory>(mockdateservice.object); var service = new timetableservice(mockunitofwork.object, mocklessonplannerafactory.object, mocklessonplannerbfactory.object, mockschoolclasscodeservice.object); my timetableservice accepts instances of interface type only. mocklessonplannerafactory , bfactory... want in constructor idateservice passed. what wrong code? the clue in error message "constructor arguments cannot passed interface mocks." the mock created interface have default constructor because interfaces don't have constructor. remember mockin
Read more

python - malformed header from script index.py Bad header -

-
i want run python code in apache2(ubuntu 14.04) server. have followed these steps , getting error: step 1: configuration 1: have created directory , file under /var/www/cgi-bin configuration 2 : have edited /etc/apache2/sites-available/000-default.conf alias /cgi-bin /var/www/cgi-bin <directory "/var/www/cgi-bin"> options indexes followsymlinks execcgi addhandler cgi-script .cgi .py allow </directory> <directory /var/www/cgi-bin> options </directory> step 2: and python script is: index.py #!/usr/bin/env python import cgi; import cgitb;cgitb.enable() print "content-type: text/plain\n" print "<b>hello python</b>" step 3: when ran through chrome browser using: url : http://localhost/cgi-bin/index.py step 4: i getting error in error-log malformed header script 'index.py': bad header: hello python you should end header \r\n, must print out yet \r\n signal body coming. (i
Read more