Reputation: 20633
I wonder whether, with Spring Security, I can validate user sessions so that only one browser tab can be open at a time. Is that possible?
I would also like to know whether I can arrange it so that, when the user closes the tab and opens it again before the end of his session, a SessionFilter sends him directly into the application without going through the login screen.
I'm using JSF 1.2, RichFaces 3.3.3, Hibernate and co...
Detail: I know Spring Security, I'm just researching it.
Thanks in advance, and excuse my bad English.
See ya!
Upvotes: 7
Views: 15162
Reputation: 6273
I have recently implemented a solution to multiple tabs/windows using Spring Security. On successful login I use `LoginSucessHandler` and set a unique window name in the session. On the main template page I set the window name, and on each page load I compare the window name with the session's window name; if it is not the same, I redirect to the error page.
Below are the configuration and code:
```java
import java.io.IOException;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Service;

@Service
public class LoginSucessHandler extends
        SavedRequestAwareAuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws ServletException, IOException {
        User user = (User) authentication.getPrincipal();
        // Window name unique to this login: username plus login timestamp
        String windowName = user.getUsername() + new Date().getTime();
        HttpSession session = request.getSession();
        // "windowName" is compared on every page load; "windowNameToSet" is
        // written into window.name once by the template and then removed
        session.setAttribute("windowName", windowName);
        session.setAttribute("windowNameToSet", windowName);
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```
Main template or header page:
```jsp
<script>
<%
    // Emit window.name only once, right after login, then drop the marker
    if (session.getAttribute("windowNameToSet") != null) {
        out.write("window.name = '"
                + session.getAttribute("windowNameToSet") + "';");
        session.removeAttribute("windowNameToSet");
    }
%>
// Every other tab/window carries a different window.name and is redirected
if (window.name != "<%=session.getAttribute("windowName")%>") {
    window.location = "<%=request.getContextPath()%>/forms/multiwindowerror.jsp";
}
</script>
```
For security context:
```xml
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login.hst**" access="anonymous or authenticated" />
    <intercept-url pattern="/**/*.hst" access="authenticated" />
    <form-login login-page="/login.hst"
                authentication-failure-url="/login.hst?error=true"
                authentication-success-handler-ref="loginSucessHandler" />
    <logout invalidate-session="true" logout-success-url="/home.hst"
            logout-url="/logout.hst" />
    <remember-me key="jbcp" authentication-success-handler-ref="loginSucessHandler" />
</http>
```
Just make sure that the JavaScript above is not included on login.jsp.
Upvotes: 3
Reputation: 31
I figured out an easier way to accomplish the same thing. If you're already extending SimpleUrlAuthenticationSuccessHandler, similar to @Jagar, create an ArrayList of logged-in users, add the user to it, and add that to the session. Then each time you log in, check whether the session exists and whether that user is in the session's ArrayList attribute. If it is, then fail; if it isn't, allow the login.
That way you can have multiple users logged in with the same browser, but not the same user. That also prevents the possibility of incorrectly overwriting the windowName attribute.
Upvotes: 3
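The approach in the answer above, written out as an added example (not the answerer's own code): a success handler keeps a set of user names in the session and redirects a repeated login of the same user to an error page. The class name, the `/forms/duplicatelogin.jsp` URL and the session attribute name are assumptions; the handler is wired exactly like `loginSucessHandler` in the `<form-login>` element earlier on the page, and because that configuration uses `invalidate-session="true"`, logout discards the set with the session.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

// Hypothetical handler: at most one login per user name per browser session.
public class SingleLoginPerSessionHandler extends SimpleUrlAuthenticationSuccessHandler {

    // Assumed attribute name for the per-session set of logged-in user names
    static final String LOGGED_IN_USERS = "loggedInUsers";
    // Assumed error page shown to the second tab that tries to log in again
    private static final String DUPLICATE_LOGIN_URL = "/forms/duplicatelogin.jsp";

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws ServletException, IOException {
        Set<String> users = loggedInUsers(request.getSession());
        String name = authentication.getName();
        // add() returns false when the name is already present, i.e. this user
        // has already logged in from this session (another tab of the same browser)
        if (!users.add(name)) {
            // The session stays authenticated as the same principal (re-authenticating
            // in one session has no effect); only this tab's navigation is refused.
            response.sendRedirect(request.getContextPath() + DUPLICATE_LOGIN_URL);
            return;
        }
        super.onAuthenticationSuccess(request, response, authentication);
    }

    // Returns the session's user-name set, creating it on first use. Two logins
    // racing in the same session could both create it; the synchronized set
    // protects the later add()/remove() calls, not this first-time creation.
    @SuppressWarnings("unchecked")
    static Set<String> loggedInUsers(HttpSession session) {
        Set<String> users = (Set<String>) session.getAttribute(LOGGED_IN_USERS);
        if (users == null) {
            users = Collections.synchronizedSet(new HashSet<String>());
            session.setAttribute(LOGGED_IN_USERS, users);
        }
        return users;
    }
}
```

Register the bean and point `authentication-success-handler-ref` at it; if the logout element is ever changed to keep the session alive, a LogoutHandler must also remove the name from the set, or the user cannot log in again until the session expires.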
Reputation: 2171
No. Spring Security cannot tell whether the request came from the original tab or from a new tab; that information is strictly client-side. From http://static.springsource.org/spring-security/site/faq.html :
2.1. I'm using Spring Security's concurrent session control to prevent users from logging in more than once at a time. When I open another browser window after logging in, it doesn't stop me from logging in again. Why can I log in more than once?
Browsers generally maintain a single session per browser instance. You cannot have two separate sessions at once. So if you log in again in another window or tab you are just reauthenticating in the same session. The server doesn't know anything about tabs, windows or browser instances. All it sees are HTTP requests and it ties those to a particular session according to the value of the JSESSIONID cookie that they contain. When a user authenticates during a session, Spring Security's concurrent session control checks the number of other authenticated sessions that they have. If they are already authenticated with the same session, then re-authenticating will have no effect.
Upvotes: 5