
Thread: Problem with concurrent sessions

  1. #1
    Join Date
    Sep 2008
    Posts
    9

    Default Problem with concurrent sessions

    Hi guys !!!

    I posted a thread because I had some problems with the concurrent sessions. Most of these problems were solved but not the most important. Even if I limit the number of concurrent sessions in the configuration file, it does not work.

    This is what I set into my spring security configuration:

    Code:
    <security:http auto-config="true" once-per-request="false">
    ...
       <security:concurrent-session-control 
          max-sessions="1" 
          expired-url="/login.html?concurrent=true" />
    ...
    </security:http>
    
    <security:authentication-provider user-service-ref="customUserDetailsService" />
        
    <!-- Settings for the entry-point of the application and the login page -->
    <bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
       <property name="loginFormUrl" value="/login.jsp" />
       <property name="forceHttps" value="false" />
    </bean>
        
    <bean id="customUserDetailsService" class="com.security.auth.CustomUserDetailsService">
       <property name="userManager" ref="userManager" />
    </bean>
        
    <!-- A custom filter to use our custom authentication manager -->
    <bean id="customAuthenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
       <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
       <property name="authenticationManager" ref="customAuthenticationManager" />
       <property name="authenticationFailureUrl" value="/login.html?error=true" />
       <property name="defaultTargetUrl" value="/secure/index.html" />
       <property name="filterProcessesUrl" value="/j_spring_security_check.jsp" />
    </bean>
    
    <!-- A custom authentication manager -->
    <bean id="customAuthenticationManager" class="com.security.auth.CustomAuthenticationManager">
       <property name="providers">
          <list>
             <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
                <property name="userDetailsService" ref="customUserDetailsService" />
                <property name="passwordEncoder" ref="passwordEncoder" />
             </bean>
          </list>
       </property>
    </bean>
      
    </beans>
    I wrote my own authentication manager to prevent a first bug with the concurrent sessions.

    This is the java code of my custom class:

    Code:
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.providers.ProviderManager;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
    
    public class CustomAuthenticationManager extends ProviderManager {
    
       @Override
       public Authentication doAuthentication(Authentication authRequest)
             throws AuthenticationException {
          // Let the configured providers authenticate, then carry the request's
          // details over to the result if the provider did not set any.
          // The cast assumes the provider (DaoAuthenticationProvider here)
          // returns a UsernamePasswordAuthenticationToken.
          UsernamePasswordAuthenticationToken result =
             (UsernamePasswordAuthenticationToken) super.doAuthentication(authRequest);
          copyDetails(authRequest, result);
          return result;
       }
    
       protected void copyDetails(Authentication source, UsernamePasswordAuthenticationToken dest) {
          if (dest.getDetails() == null) {
             dest.setDetails(source.getDetails());
          }
       }
    }
    Does anybody know why I can log in with as many sessions as I want, though the maximum number of sessions is limited to 1?

    Thanks for your help.

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    You can't use your own AuthenticationManager if you are using the namespace method or http security:

    http://static.springframework.org/sp...s-auth-manager

  3. #3
    Join Date
    Sep 2008
    Posts
    9

    Default Spring Security + Concurrent session control + XFire

    Hi Luke !!!

    Thanks a lot for your reply.

    I had to create my own AuthenticationManager because I want to secure my Web services (I use XFire) with spring-security. But as I explained in my previous thread, when I add the concurrent-session-control element, this authentication fails with this error:
    java.lang.IllegalArgumentException: Authentication.getDetails() required.

    It works only if I override the method "doAuthentication". But afterwards, as you explained, the concurrent-session-control does not do its job. I am going around in circles: I need to secure my web services and to control the concurrent sessions.

    This is the only solution I found to make it work. Maybe it is not the best way, and I am interested in any suggestions:

    The configuration of SpringSecurity:
    Code:
    <security:http auto-config="true" once-per-request="false">
    ...
       <security:concurrent-session-control 
          max-sessions="1" 
          expired-url="/login.html?concurrent=true" />
    ...
    </security:http>
    
    <security:authentication-manager alias="authenticationManager" />
    
    <security:authentication-provider user-service-ref="customUserDetailsService">  
       <security:password-encoder ref="passwordEncoder" />
    </security:authentication-provider>
        
    <bean id="customUserDetailsService" class="com.security.auth.CustomUserDetailsService">
       <property name="userManager" ref="userManager" />
    </bean>
    
    <!-- A custom authentication manager -->
    <bean id="customAuthenticationManager" class="com.security.auth.CustomAuthenticationManager">
       <property name="providers">
          <list>
             <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
                <property name="userDetailsService" ref="customUserDetailsService" />
                <property name="passwordEncoder" ref="passwordEncoder" />
             </bean>
          </list>
       </property>
    </bean>
    
    <security:global-method-security>
       <security:protect-pointcut expression="execution(* com.ws.xfire.UserService.*(..))" access="ROLE_ADMIN" />
    </security:global-method-security>
      
    </beans>
    My AuthenticationHandler will not use the default AuthenticationManager of Spring Security but mine:

    Code:
    <bean id="authenticationHandler" class="com.ws.xfire.impl.AuthenticationHandler">
       <property name="authenticationManager" ref="customAuthenticationManager"/>
    </bean>
    I also don't know if it is normal that this exception "java.lang.IllegalArgumentException: Authentication.getDetails() required." is thrown when I try to secure my web services with the default AuthenticationManager of spring security.

  4. #4
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    Can you explain why you need a custom AuthenticationManager? It's not obvious why this is the case.

  5. #5
    Join Date
    Sep 2008
    Posts
    9

    Default

    I need a custom authentication manager because, when I use the one supplied by spring security in the AuthenticationHandler of my web services, and when I add the concurrent-session-control element, I get this exception: java.lang.IllegalArgumentException: Authentication.getDetails() required.

    Everything would work very well if I did not need the element concurrent-session-control.

    This is the way my handler is used in my web services:

    Code:
    <bean id="authenticationHandler" class="com.ws.xfire.impl.AuthenticationHandler">
       <property name="authenticationManager" ref="authenticationManager"/>
    </bean>
    
    <bean name="userService" class="org.codehaus.xfire.spring.ServiceBean">
       <property name="serviceBean" ref="userWS"/>
       <property name="serviceClass" value="com.ws.xfire.UserService"/>
       <property name="inHandlers">
          <list>
             <ref bean="addressingHandler"/>	
             <ref bean="authenticationHandler"/>	        
          </list>
      </property>  
    </bean>
    This is the code of AuthenticationHandler that uses the AuthenticationManager:

    Code:
    public void invoke(MessageContext context) throws XFireFault {
       Element header = context.getInMessage().getHeader();
    
       if (header == null) {
          throw new XFireFault(AuthenticationConstants.MISSING_AUTH_TOKEN, XFireFault.SENDER);
       }
    
       Namespace ns = Namespace.getNamespace(TOKEN_NS);
       Element token = header.getChild(AuthenticationToken.NAME, ns);
       if (token == null) {
          throw new XFireFault(AuthenticationConstants.MISSING_AUTH_TOKEN, XFireFault.SENDER);
       }
    
       String username = token.getChild(AuthenticationToken.LOGIN, ns).getText();
       String password = token.getChild(AuthenticationToken.PASSWORD, ns).getText();
    
       try {
          // The token is built from the SOAP header only, so it carries no
          // details (no session information) when it reaches the manager.
          UsernamePasswordAuthenticationToken authToken =
             new UsernamePasswordAuthenticationToken(username, password);
          authenticationManager.authenticate(authToken);
       } catch (Exception e) {
          log.warn(e);
          throw new XFireFault(AuthenticationConstants.AUTHENTICATION_FAILED, XFireFault.SENDER);
       }
    
       context.setProperty(AuthenticationConstants.LOGIN_KEY, username);
    }
    My custom AuthenticationManager only overrides the method doAuthentication to bypass the problem:

    Code:
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.providers.ProviderManager;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
    
    public class CustomAuthenticationManager extends ProviderManager {
    
       @Override
       public Authentication doAuthentication(Authentication authRequest)
             throws AuthenticationException {
          // Let the configured providers authenticate, then carry the request's
          // details over to the result if the provider did not set any.
          // The cast assumes the provider (DaoAuthenticationProvider here)
          // returns a UsernamePasswordAuthenticationToken.
          UsernamePasswordAuthenticationToken result =
             (UsernamePasswordAuthenticationToken) super.doAuthentication(authRequest);
          copyDetails(authRequest, result);
          return result;
       }
    
       protected void copyDetails(Authentication source, UsernamePasswordAuthenticationToken dest) {
          if (dest.getDetails() == null) {
             dest.setDetails(source.getDetails());
          }
       }
    }
    Any ideas ?
    Last edited by Kira; Oct 2nd, 2008 at 07:43 AM.
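Added example, not code from this thread: the same XFire in-handler as the one posted in #5, rewritten so that the token it hands to the AuthenticationManager carries WebAuthenticationDetails built from the servlet request (the bare token with null details is what trips "Authentication.getDetails() required" in #3 and #5), and so that the authenticated result is placed in the SecurityContextHolder, which the global-method-security pointcut in #3 reads. It uses the Spring Security 2.0 package names that appear in the thread. AuthenticationToken and AuthenticationConstants are assumed to be the poster's own classes with the members used in the posted handler; the tokenNamespace property stands in for the poster's TOKEN_NS constant, and XFireServletController.getRequest() is assumed to return the HttpServletRequest of the current call.

```java
package com.ws.xfire.impl;

import javax.servlet.http.HttpServletRequest;

import org.codehaus.xfire.MessageContext;
import org.codehaus.xfire.fault.XFireFault;
import org.codehaus.xfire.handler.AbstractHandler;
import org.codehaus.xfire.transport.http.XFireServletController;
import org.jdom.Element;
import org.jdom.Namespace;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.ui.WebAuthenticationDetails;

/**
 * Added example, not the thread's own handler. Authenticates a SOAP call from
 * a username/password header element; unlike the posted handler it gives the
 * token details (so a concurrent session controller has something to check)
 * and publishes the result to the SecurityContextHolder.
 * AuthenticationToken (NAME, LOGIN, PASSWORD) and AuthenticationConstants
 * (MISSING_AUTH_TOKEN, AUTHENTICATION_FAILED, LOGIN_KEY) are assumed to be
 * the poster's classes.
 */
public class SessionAwareAuthenticationHandler extends AbstractHandler {

   private AuthenticationManager authenticationManager;
   private String tokenNamespace;   // assumed: injected from XML in place of TOKEN_NS

   public void setAuthenticationManager(AuthenticationManager authenticationManager) {
      this.authenticationManager = authenticationManager;
   }

   public void setTokenNamespace(String tokenNamespace) {
      this.tokenNamespace = tokenNamespace;
   }

   public void invoke(MessageContext context) throws XFireFault {
      Element header = context.getInMessage().getHeader();
      if (header == null) {
         throw new XFireFault(AuthenticationConstants.MISSING_AUTH_TOKEN, XFireFault.SENDER);
      }

      Namespace ns = Namespace.getNamespace(tokenNamespace);
      Element token = header.getChild(AuthenticationToken.NAME, ns);
      if (token == null) {
         throw new XFireFault(AuthenticationConstants.MISSING_AUTH_TOKEN, XFireFault.SENDER);
      }

      // The posted handler calls getText() straight on getChild(), which throws
      // NullPointerException on a malformed header; reject such headers instead.
      Element login = token.getChild(AuthenticationToken.LOGIN, ns);
      Element password = token.getChild(AuthenticationToken.PASSWORD, ns);
      if (login == null || password == null) {
         throw new XFireFault(AuthenticationConstants.MISSING_AUTH_TOKEN, XFireFault.SENDER);
      }

      UsernamePasswordAuthenticationToken request =
         new UsernamePasswordAuthenticationToken(login.getText(), password.getText());

      // The concurrent session controller asserts that the authentication it
      // sees has non-null details; a bare token has none. WebAuthenticationDetails
      // records the remote address and the session id (null if the caller sent
      // no session cookie, because it uses getSession(false)).
      // Assumed: XFireServletController.getRequest() yields the current request.
      HttpServletRequest servletRequest = XFireServletController.getRequest();
      if (servletRequest != null) {
         request.setDetails(new WebAuthenticationDetails(servletRequest));
      }

      Authentication result;
      try {
         result = authenticationManager.authenticate(request);
      } catch (AuthenticationException e) {
         // One fault for bad user and bad password: no username enumeration.
         throw new XFireFault(AuthenticationConstants.AUTHENTICATION_FAILED, XFireFault.SENDER);
      }

      // global-method-security reads the SecurityContextHolder, so the
      // ROLE_ADMIN pointcut on UserService only applies if the result is stored here.
      SecurityContextHolder.getContext().setAuthentication(result);
      context.setProperty(AuthenticationConstants.LOGIN_KEY, result.getName());
   }
}
```

Two caveats. WebAuthenticationDetails only records a session id if the caller already has one, so a stateless SOAP client that sends credentials on every call has no session for max-sessions="1" to count, and how the controller treats a null session id depends on the 2.0.x release. If the web services are meant to be stateless, the split this thread ends up with is the sound one: route SOAP calls through a ProviderManager that has no session controller, and keep the browser login on the namespace-created manager (the authenticationManager alias in #3), because that is the only bean the namespace attaches the concurrent session controller to. A ProviderManager declared by hand gets no controller unless you set its sessionController property yourself, which is also why the limit in #1 was never enforced for logins routed through customAuthenticationManager. Finally, clear the SecurityContextHolder in an out or fault handler, otherwise the authentication stays on the pooled container thread and can be seen by the next request it serves.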

  6. #6
    Join Date
    Feb 2009
    Posts
    135

    Default Authentication.getDetails() required

    Hi,

    I am also facing a similar problem. I am using Spring BlazeDS integration and have implemented UserDetails and UserDetailsService; authentication now works fine.
    I would like to use concurrent session control. When I add the code for concurrent session control, I end up with this error: Authentication.getDetails() required.

    I have posted my config details under Spring blazeds thread, but still no help, please help me to solve this problem.

    http://forum.springsource.org/showthread.php?t=70286

    Thanks in advance

    PS : I know this thread is an old one, but still hoping to get some response.
    Last edited by kannanMugundan; Apr 13th, 2009 at 12:25 AM. Reason: PS

  7. #7
    Join Date
    Mar 2009
    Location
    Oregon
    Posts
    116

    Default

    I am getting the same error when trying to use the default authentication manager, exposed as a remote authentication manager for a rich client application to authenticate against, with concurrent session control set.
