Java – Invalidate session spring security

javajsf-2spring-security

My web application uses spring security to authenticate user on login. I also have concurrency control to avoid user to login twice on different machine. This is working fine but my problem is that:
If user is login on a machine, then close the browser. And he reopen the web app , try to login again he gets the following msg 'Maximum sessions of 1 for this principal exceeded' . I want to invalidate the session on browser closed. How can I do this?

Spring-security.xml

       <?xml version="1.0" encoding="UTF-8"?>
          <beans xmlns="http://.   www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/.    XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
                       http://www.springframework.org/schema/beans/spring-beans.xsd
                       http://www.springframework.org/schema/security
                       http://www.springframework.org/schema/security/.  spring-security-3.1.xsd">

  <security:global-method-security
        secured-annotations="enabled" />

  <security:http auto-config="false"
        authentication-manager-ref="authenticationManager" use-expressions="true">
        <!-- Override default login and logout pages -->
        <security:form-login
              authentication-failure-handler-ref="fail"
              authentication-success-handler-ref="success" login-page="/car/login.xhtml"
              default-target-url="/jsf/car/home.xhtml" />
        <security:logout invalidate-session="true"
              logout-url="/j_spring_security_logout" success-handler-ref="customLogoutHandler" delete-cookies="JSESSIONID"/>
        <security:session-management>
              <security:concurrency-control
                    max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:intercept-url pattern="/jsf/**"
              access="isAuthenticated()" />
        <security:intercept-url pattern="/run**"
              access="isAuthenticated()" />
        <security:intercept-url pattern="/pages/login.xhtml"
              access="permitAll" />
  </security:http>

  <bean id="success" class="com.car.LoginSuccess" />

  <bean id="fail" class="com.car.LoginFailed">
        <property name="defaultFailureUrl" value="/?login_error=true" />
  </bean>
  <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

  <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
              user-service-ref="userDetailsService">
              <security:password-encoder ref="passwordEncoder"
                    hash="sha" />
        </security:authentication-provider>
  </security:authentication-manager>

    public class FilterToGetTimeOut extends OncePerRequestFilter {

@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException {
    try {
        if(request.getRequestURI().equals("/") || request.getRequestURI().equals("/car/login.xhtml")){
            if(request.getSession().getAttribute("login") != null && (Boolean)request.getSession().getAttribute("login") == true){
                response.sendRedirect("/jsf/car/home.xhtml");     //After login page
            }
        } else if(request.getSession().getAttribute("login") == null && !request.getRequestURI().equals("/j_spring_security_logout")){
            response.sendRedirect(request.getContextPath()+"/?timeout=true");   //If timeout is true send session timeout error message to JSP
        }
        filterChain.doFilter(request, response);
    } catch (Exception e) {
        //Log Exception

    }
}

Best Answer

Add below code for "/"(first page) request and logout request.

@Controller
public class LoginController {

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public ModelAndView loadApp(HttpServletRequest request) {
        HttpSession session= request.getSession(false);
        SecurityContextHolder.clearContext();
        if(session != null) {
            session.invalidate();
        }

        return new ModelAndView("/car/login");
    }
}

Use this filter How to get session time out message using Spring security

Related Solutions

Java – What’s the difference between @Component, @Repository & @Service annotations in Spring

From Spring Documentation:

The @Repository annotation is a marker for any class that fulfils the role or stereotype of a repository (also known as Data Access Object or DAO). Among the uses of this marker is the automatic translation of exceptions, as described in Exception Translation.

Spring provides further stereotype annotations: @Component, @Service, and @Controller. @Component is a generic stereotype for any Spring-managed component. @Repository, @Service, and @Controller are specializations of @Component for more specific use cases (in the persistence, service, and presentation layers, respectively). Therefore, you can annotate your component classes with @Component, but, by annotating them with @Repository, @Service, or @Controller instead, your classes are more properly suited for processing by tools or associating with aspects.

For example, these stereotype annotations make ideal targets for pointcuts. @Repository, @Service, and @Controller can also carry additional semantics in future releases of the Spring Framework. Thus, if you are choosing between using @Component or @Service for your service layer, @Service is clearly the better choice. Similarly, as stated earlier, @Repository is already supported as a marker for automatic exception translation in your persistence layer.

Annotation	Meaning
`@Component`	generic stereotype for any Spring-managed component
`@Repository`	stereotype for persistence layer
`@Service`	stereotype for service layer
`@Controller`	stereotype for presentation layer (spring-mvc)

Spring Security with Openid and Database Integration

As I see that question text itself contains the answer. I am just pulling it out and posting it as the answer for the sake of clarity to other developers with the same problem. It took me a while to figure out that question has the answer!

To access user email & name, you need to add below configuration in the security xml file.

<security:attribute-exchange identifier-match="https://www.google.com/.*">
    <security:openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" />
    <security:openid-attribute name="firstName" type="http://axschema.org/namePerson/first" required="true" />
    <security:openid-attribute name="lastName" type="http://axschema.org/namePerson/last" required="true" />
</security:attribute-exchange>
<security:attribute-exchange identifier-match=".*yahoo.com.*">
    <security:openid-attribute name="email" type="http://axschema.org/contact/email" required="true"/>
    <security:openid-attribute name="fullname" type="http://axschema.org/namePerson" required="true" />
</security:attribute-exchange>

Thereafter, it will be accessible in the AuthenticationUserDetailsService class, as shown below.

public UserDetails loadUserDetails(OpenIDAuthenticationToken token) {
    String id = token.getIdentityUrl();
        :
        :
    List attributes = token.getAttributes();
    for (OpenIDAttribute attribute : attributes) {
        if (attribute.getName().equals("email")) {
            email = attribute.getValues().get(0);
        }
        if (attribute.getName().equals("firstName")) {
            firstName = attribute.getValues().get(0);
        }
        if (attribute.getName().equals("lastName")) {
            lastName = attribute.getValues().get(0);
        }
        if (attribute.getName().equals("fullname")) {
            fullName = attribute.getValues().get(0);
        }
    }
        :
        :
    // form and return user object
}

Considering that we use more of Java-based configuration/beans now, translating these XML configuration to Java-based configuration shouldn't be a problem.

Hope it helps.

Best Answer

Related Solutions

Java – What’s the difference between @Component, @Repository & @Service annotations in Spring

Spring Security with Openid and Database Integration

Related Topic