Concurrent User lockout with Spring Security -


i thought had issue resolved post. however, found new use case causing issues, please pardon duplication. have spring-boot application uses spring-security 4.0.2. not allow concurrent logins, , can confirm cannot login twice in separate browsers. see browser apparently shares session can login 2 different tabs of same browser (chrome, safari, firefox, ie11 tested).

what seeing when attempt third browser tab login, authentication fails. expected , desired behavior, not acceptable user account locked out , server restart required. examine database records , user account still has enabled.

i set breakpoints , stepped thru org.springframework.security.core.sessionsessionregistryimpl , org.springframework.security.web.authenticationsimpleurlauthenticationfailurehandler , cannot see anywhere user being blocked. have debug levels:

logging.level.org.springframework:info logging.level.org.springframework.web: info logging.level.org.springframework.security:info logging.level.org.springframework.security.web.authentication:info

and cannot see exceptions or error messages being thrown. here primary config:

@configuration @enablewebsecurity public class websecurityconfig extends websecurityconfigureradapter {      @autowired     private customuserdetailsservice customuserdetailsservice;      @autowired     private sessionregistry sessionregistry;      @autowired     servletcontext servletcontext;      @autowired     private customlogouthandler logouthandler;      @autowired     public void configureglobal(authenticationmanagerbuilder auth)                     throws exception {         auth                         .userdetailsservice(customuserdetailsservice)                         .passwordencoder(passwordencoder());         return;     }      @override     protected void configure(httpsecurity http) throws exception {         http                         .addfilterafter(new csrftokengeneratorfilter(), csrffilter.class)                         .authorizerequests()                         .antmatchers("/", ).permitall().anyrequest().authenticated()                          .and()                          .formlogin()                         .loginpage("/loginpage")                         .permitall()                         .loginprocessingurl("/login")                         .defaultsuccessurl("/?tab=success").failureurl("/")                         .and()                         .logout().addlogouthandler(logouthandler).logoutrequestmatcher( new antpathrequestmatcher("/logout"))                         .deletecookies("jsessionid")                         .invalidatehttpsession(true).permitall().and().csrf()                          .and()  // instructs spring security use servlet 3.1 changesessionid method protecting against session fixation attacks,                                         // set maximum session 1                         .sessionmanagement().sessionauthenticationstrategy(                         concurrentsessioncontrolauthenticationstrategy()).sessionfixation().changesessionid().maximumsessions(1)                         .maxsessionspreventslogin( true).expiredurl("/login?expired" ).sessionregistry(sessionregistry )                         .and()                         .sessioncreationpolicy(sessioncreationpolicy.if_required)                         .invalidsessionurl("/")                         .and().authorizerequests().anyrequest().authenticated();          // here protect site from:         // 1. x-content-type-options         http.headers().contenttypeoptions();         // 2. web browser xss protection         http.headers().xssprotection();          http.headers().cachecontrol();         http.headers().httpstricttransportsecurity();         // 3. x-frame-options         http.headers().frameoptions();          // inject servlet context , set http (for increased security should customize http true)         servletcontext.getsessioncookieconfig().sethttponly(true);     }      // cors protection     @bean     public webmvcconfigurer corsconfigurer() {         return new webmvcconfigureradapter() {             @override             public void addcorsmappings(corsregistry registry) {                 registry.addmapping( "/**" ).allowedorigins( "*" )                                 .allowedheaders( "access-control-allow-origin", "*" )                                 .allowedheaders( "access-control-allow-headers", "x-requested-with" )                                 .allowedmethods( "get", "post", "put", "delete" )                                 .maxage( 3600 );             }         };     }       @bean     public passwordencoder passwordencoder() {         // default strength = 10         return new bcryptpasswordencoder();     }      @bean     public static servletlistenerregistrationbean httpsessioneventpublisher() {         return new servletlistenerregistrationbean(new httpsessioneventpublisher());     }       @bean     public concurrentsessioncontrolauthenticationstrategy concurrentsessioncontrolauthenticationstrategy() {          concurrentsessioncontrolauthenticationstrategy strategy = new concurrentsessioncontrolauthenticationstrategy(sessionregistry());         strategy.setexceptionifmaximumexceeded(true);         strategy.setmessagesource(messagesource);          return strategy;     } }

i have logouthandler handle sessions (i think quchie referring to?):

@component public class customlogouthandler implements logouthandler {      private static final logger logger = loggerfactory.getlogger( customlogouthandler.class );      @autowired     private auditservice auditservice;      @autowired     private sessionregistry sessionregistry;      @override     public void logout(httpservletrequest httpservletrequest, httpservletresponse httpservletresponse,                        authentication authentication) {          if (authentication != null && authentication.getdetails() != null) {             try {                  user user = (user)authentication.getprincipal();                  auditservice.logoutuser(user.getoffice());                 httpservletrequest.getsession().invalidate();                   httpservletresponse.setstatus(httpservletresponse.sc_ok);                 //redirect login                 httpservletresponse.sendredirect(urls.root);                  list<sessioninformation> usersessions =  sessionregistry.getallsessions(user, true);                  (sessioninformation session: usersessions) {                   sessionregistry.removesessioninformation(session.getsessionid());                  }                  list<object> principals = sessionregistry.getallprincipals();                  if (principals.contains(user)) {                     throw new exception("user not removed session!");                 }                 logger.debug( "user logged out" );              } catch (exception e) {                 e.printstacktrace();                 e = null;             }         }      } }

can me find out how prevent user account being locked on failed concurrent login attempt? or @ least make have time unlocks have time amount?

edit: cannot understand why locks out extended periods of time (days) if storing in session. database records never set bad state, yet user account locked out until restart tomcat.


Comments

Post a Comment

Popular posts from this blog

authentication - Mongodb revoke acccess to connect test database -

i have ec2 instance mongodb 3.2.0 installed. have user admin access. can connect user , perform operation remotely. 1 can connect database test remote if knows ip mongo 11.11.11.11. although not able make operations, want restrict access user credentials can connect server. first need create users , grant roles users, example: use admin db.createuser( { user: "myuseradmin", pwd: "abc123", roles: [ { role: "useradminanydatabase", db: "admin" } ] } ) then need start server --auth parameter mongod --auth more information here
Read more

r - Update two sets of radiobuttons reactively - shiny -

i have read ( how make choices in radiobuttons reactive in shiny? ) shows me how update radiobutton s in reactive way. however, when try , update 2 sets of buttons same data, 1 set renders. example: server: # create example data wafer <- rep(c(1:3), each=3) length <- c(1,1,2,1,1,1,3,5,1) width <- c(3,1,6,1,1,1,1,1,6) dd <- data.frame(wafer, length, width) shinyserver(function(input, output, session){ # create reactive dataframe store data values <- reactivevalues() values$df <- data.frame() # lengths , widths of wafer user input <- eventreactive(input$do, { subset(dd, wafer %in% input$wafer, select = length:width) }) # update reactive data frame lengths , widths have been selected user input observe({ if(!is.null(a())) { values$df <- rbind(isolate(values$df), a()) } }) output$wl <- renderdatatable({ a() }) # update radio buttons unique length , widths stored in values$df # ever "observe" put first in co...
Read more

ios - Realm over CoreData should I use NSFetchedResultController or a Dictionary? -

i'm working on app using core data , nsfetchedresultcontroller many reasons switch use realm. saw there "realm version" of nsfetchedresultcontroller on github wouldn't compatible current code using core data. the view controller displaying list of people same school, address book. list sublist of people studied in same city. so thinking make 1 unique request database retrieve list of people , filter locally list within 1 dictionary per school [string: anyobject] string section name within tableview , anyobject array of people. first solution, make nsfetchedresultcontroller each school predicate filtering location. delete actions etc.. handled delegates -> not compatible realm create dictionaries , update them each actions... -> works realm it's annoying code. any better solution? edit: i need clarify request: i'd write class inherit uitableviewcontroller. this class has list of people sorted in alphabetical order the tableview has ...
Read more