Grails Spring Security max concurrent session -

-

i have grails 2.5.1 app spring security plugin(2.0-rc5). block number of current session per user. have read blog , doesn't work.(http://www.block-consult.com/blog/2012/01/20/restricting-concurrent-user-sessions-in-grails-2-using-spring-security-core-plugin/) resources.groovy

beans = {   sessionregistry(sessionregistryimpl)      concurrencyfilter(concurrentsessionfilter,sessionregistry,'/main/index'){         logouthandlers = [ref("remembermeservices"), ref("securitycontextlogouthandler")]     }     concurrentsessioncontrolstrategy(concurrentsessioncontrolauthenticationstrategy, sessionregistry) {         exceptionifmaximumexceeded = true         maximumsessions = 1      } }

in boostrap.groovy

 def init = { servletcontext ->     springsecurityutils.clientregisterfilter('concurrencyfilter', securityfilterposition.concurrent_session_filter)   }

and config.groovy have added this:

grails.plugin.springsecurity.usehttpsessioneventpublisher = true

thanks..

to start with, let me warn if decided continue solution.

  • sessionregistryimpl not scalable. need create own scalable implementation based on scaling plan(e.g. data grid). session replication not enough.
  • currently, default logout handlers did not remove sessionregistry properly. have created sample logout handler called customsessionlogouthandler.
  • you have override grails spring-security-core login controller handle sessionauthenticationexception.
  • you can change number of users can login maximumsessions = 1 -1 unlimited sessions.

first, in resources.groovy

import org.springframework.security.core.session.sessionregistryimpl; import org.springframework.security.web.authentication.session.concurrentsessioncontrolauthenticationstrategy; import org.springframework.security.web.authentication.session.sessionfixationprotectionstrategy; import org.springframework.security.web.authentication.session.registersessionauthenticationstrategy; import org.springframework.security.web.authentication.session.compositesessionauthenticationstrategy; import com.basic.customsessionlogouthandler   // place spring dsl code here beans = {  sessionregistry(sessionregistryimpl)  customsessionlogouthandler(customsessionlogouthandler,ref('sessionregistry')    )  concurrentsessioncontrolauthenticationstrategy(concurrentsessioncontrolauthenticationstrategy,ref('sessionregistry')){     exceptionifmaximumexceeded = true     maximumsessions = 1 }  sessionfixationprotectionstrategy(sessionfixationprotectionstrategy){     migratesessionattributes = true     alwayscreatesession = true } registersessionauthenticationstrategy(registersessionauthenticationstrategy,ref('sessionregistry'))  sessionauthenticationstrategy(compositesessionauthenticationstrategy,[ref('concurrentsessioncontrolauthenticationstrategy'),ref('sessionfixationprotectionstrategy'),ref('registersessionauthenticationstrategy')])  }

in config.groovy make sure customsessionlogouthandler first before securitycontextlogouthandler:

grails.plugin.springsecurity.logout.handlernames = ['customsessionlogouthandler','securitycontextlogouthandler']

concurrentsessioncontrolauthenticationstrategy uses i18n. can have in language:

concurrentsessioncontrolauthenticationstrategy.exceededallowed = maximum sessions principal exceeded. {0}

this sample customsessionlogouthandler can save in src/groovy/com/basic/customsessionlogouthandler.groovy:

/* * copyright 2002-2013 original author or authors.  *  * licensed under apache license, version 2.0 (the "license");  * may not use file except in compliance license.  * may obtain copy of license @  *  *      http://www.apache.org/licenses/license-2.0  *  * unless required applicable law or agreed in writing, software  * distributed under license distributed on "as is" basis,  * without warranties or conditions of kind, either express or implied.  * see license specific language governing permissions ,  * limitations under license.  */ package com.basic;  import javax.servlet.http.httpservletrequest; import javax.servlet.http.httpservletresponse;  import org.springframework.security.core.authentication; import org.springframework.security.web.authentication.logout.logouthandler; import org.springframework.util.assert; import org.springframework.security.core.session.sessionregistry;  /**  * {@link customsessionlogouthandler} in charge of removing {@link sessionregistry} upon logout.  * new {@link sessionregistry} generated framework upon next request.  *  * @author mohd qusyairi  * @since 0.1  */ public final class customsessionlogouthandler implements logouthandler {     private final sessionregistry sessionregistry;      /**      * creates new instance      * @param sessionregistry {@link sessionregistry} use      */     public customsessionlogouthandler(sessionregistry sessionregistry) {         assert.notnull(sessionregistry, "sessionregistry cannot null");         this.sessionregistry = sessionregistry;     }      /**      * clears {@link sessionregistry}      *      * @see org.springframework.security.web.authentication.logout.logouthandler#logout(javax.servlet.http.httpservletrequest,      * javax.servlet.http.httpservletresponse,      * org.springframework.security.core.authentication)      */     public void logout(httpservletrequest request, httpservletresponse response,             authentication authentication) {         this.sessionregistry.removesessioninformation(request.getsession().getid());     } }

my sample login controller (i copied source) if need too. save normal controller in project override default. see line 115 below handle sessionauthenticationexception:

/* copyright 2013-2016 original author or authors.  *  * licensed under apache license, version 2.0 (the "license");  * may not use file except in compliance license.  * may obtain copy of license @  *  *      http://www.apache.org/licenses/license-2.0  *  * unless required applicable law or agreed in writing, software  * distributed under license distributed on "as is" basis,  * without warranties or conditions of kind, either express or implied.  * see license specific language governing permissions ,  * limitations under license.  */ package com.basic  import grails.converters.json import org.springframework.security.access.annotation.secured import org.springframework.security.authentication.accountexpiredexception import org.springframework.security.authentication.authenticationtrustresolver import org.springframework.security.authentication.credentialsexpiredexception import org.springframework.security.authentication.disabledexception import org.springframework.security.authentication.lockedexception import org.springframework.security.core.authentication import org.springframework.security.core.context.securitycontextholder import org.springframework.security.web.webattributes import org.springframework.security.web.authentication.session.sessionauthenticationexception import javax.servlet.http.httpservletresponse import grails.plugin.springsecurity.springsecurityutils  @secured('permitall') class logincontroller {      /** dependency injection authenticationtrustresolver. */     authenticationtrustresolver authenticationtrustresolver      /** dependency injection springsecurityservice. */     def springsecurityservice      /** default action; redirects 'defaulttargeturl' if logged in, /login/auth otherwise. */     def index() {         if (springsecurityservice.isloggedin()) {             redirect uri: conf.successhandler.defaulttargeturl         }         else {             redirect action: 'auth', params: params         }     }      /** show login page. */     def auth() {          def conf = getconf()          if (springsecurityservice.isloggedin()) {             redirect uri: conf.successhandler.defaulttargeturl             return         }          string posturl = request.contextpath + conf.apf.filterprocessesurl         render view: 'auth', model: [posturl: posturl,                                      remembermeparameter: conf.rememberme.parameter,                                      usernameparameter: conf.apf.usernameparameter,                                      passwordparameter: conf.apf.passwordparameter,                                      gsplayout: conf.gsp.layoutauth]     }      /** redirect action ajax requests. */     def authajax() {         response.setheader 'location', conf.auth.ajaxloginformurl         render(status: httpservletresponse.sc_unauthorized, text: 'unauthorized')     }      /** show denied page. */     def denied() {         if (springsecurityservice.isloggedin() && authenticationtrustresolver.isrememberme(authentication)) {             // have cookie page guarded is_authenticated_fully (or equivalent expression)             redirect action: 'full', params: params             return         }          [gsplayout: conf.gsp.layoutdenied]     }      /** login page users remember-me cookie accessing is_authenticated_fully page. */     def full() {         def conf = getconf()         render view: 'auth', params: params,                model: [hascookie: authenticationtrustresolver.isrememberme(authentication),                        posturl: request.contextpath + conf.apf.filterprocessesurl,                        remembermeparameter: conf.rememberme.parameter,                        usernameparameter: conf.apf.usernameparameter,                        passwordparameter: conf.apf.passwordparameter,                        gsplayout: conf.gsp.layoutauth]     }      /** callback after failed login. redirects auth page warning message. */     def authfail() {          string msg = ''         def exception = session[webattributes.authentication_exception]         if (exception) {             if (exception instanceof accountexpiredexception) {                 msg = message(code: 'springsecurity.errors.login.expired')             }             else if (exception instanceof credentialsexpiredexception) {                 msg = message(code: 'springsecurity.errors.login.passwordexpired')             }             else if (exception instanceof disabledexception) {                 msg = message(code: 'springsecurity.errors.login.disabled')             }             else if (exception instanceof lockedexception) {                 msg = message(code: 'springsecurity.errors.login.locked')             }             else if (exception instanceof sessionauthenticationexception){                 msg = exception.getmessage()             }             else {                 msg = message(code: 'springsecurity.errors.login.fail')             }         }          if (springsecurityservice.isajax(request)) {             render([error: msg] json)         }         else {             flash.message = msg             redirect action: 'auth', params: params         }     }      /** ajax success redirect url. */     def ajaxsuccess() {         render([success: true, username: authentication.name] json)     }      /** ajax denied redirect url. */     def ajaxdenied() {         render([error: 'access denied'] json)     }      protected authentication getauthentication() {         securitycontextholder.context?.authentication     }      protected configobject getconf() {         springsecurityutils.securityconfig     } }

Comments

Post a Comment

Popular posts from this blog

c++ - llvm function pass ReplaceInstWithInst malloc -

-
#include "llvm/pass.h" #include "llvm/ir/module.h" #include "llvm/ir/function.h" #include "llvm/support/raw_ostream.h" #include "llvm/ir/legacypassmanager.h" #include "llvm/ir/instrtypes.h" #include "llvm/transforms/ipo/passmanagerbuilder.h" #include "llvm/ir/irbuilder.h" #include "llvm/transforms/utils/basicblockutils.h" using namespace llvm; namespace { struct replacepass : public functionpass { static char id; replacepass() : functionpass(id) {} virtual bool runonfunction(function &f) { allocainst* insttoreplace = ??? basicblock::iterator ii(insttoreplace); replaceinstwithinst(insttoreplace->getparent()->getinstlist(), ii, new allocainst(type::int32ty, 0, insttoreplace)); return true; } }; } char replacepass::id = 0; static void registerreplacepass(const passmanagerbuilder &, legacy::passmanagerbase &pm) { pm.add(new re
Read more

java.lang.NoClassDefFoundError When Creating New Android Project -

-
i've tried installing (and re-installing) android studio several times now, , each time, studio isn't able create new android project. when attempt initial android studio window (ie. basic 'create', 'open', 'import' etc options), i'm asked of questions in wizard, brief progress dialog, followed nothing @ all. if open incomplete project process creates choosing 'open' list, can try choosing create new android project menu. this has same issue, error message in output console time... java.lang.noclassdeffounderror: com/sun/xml/internal/bind/v2/model/annotation/annotationreader (wrong name: com/sun/xml/internal/bind/v0/model/qnnotation/annotationreader) note: when installed android studio, installed incompatible jdk (1.8, not 1.7). have had go default project settings change jdk uses 1.8. does know how can avoid this? there place should downloading jxb classes? missing in java paths? this appears have been caused cor
Read more

Decoding a Python 2 `tempfile` with python-future -

-
i'm attempting write python 2/3 compatible routine fetch csv file, decode latin_1 unicode , feed csv.dictreader in robust, scalable manner. for python 2/3 support, i'm using python-future including imporing open builtins , , importing unicode_literals consistent behaviour i'm hoping handle exceptionally large files spilling disk, using tempfile.spooledtemporaryfile i'm using io.textiowrapper handle decoding latin_1 encoding before feeding dictreader this works fine under python 3. the problem textiowrapper expects wrap stream conforms bufferediobase . unfortunately under python 2, although have imported python 3-style open , vanilla python 2 tempfile.spooledtemporaryfile still of course returns python 2 cstringio.stringo , instead of python 3 io.bytesio required textiowrapper . i can think of these possible approaches: wrap python 2 cstringio.stringo python 3-style io.bytesio . i'm not sure how approach - need write such wrapper or 1 ex
Read more