-
Feb 13th, 2009, 08:58 PM
#1
Spring Security and Flex
Hello,
I have just a few issues with Spring Security and Flex. Actually, I configured Spring Security and Flex OK and it was working (after digging through tutorials) until I found a "little problem, I supposed". Here is the scenario: when I log in as a single user, the authentication and authorization work as expected. But when I log in as an Admin and then in a separate browser I log in as a normal User, the Admin roles are overridden by the User roles. Admin can no longer perform what it should be able to, and vice versa. The catch here is that whoever logs in last, his/her role is shared in the session. Now, you might say "It is a Flex problem"; well, I am already looking at that part also. But I want to make sure that Spring is not the culprit, so that I can isolate the problem. How do I know which user is accessing a particular resource?
Thanks a lot.
Cheers.
-
Feb 14th, 2009, 12:08 AM
#2
-
Feb 14th, 2009, 02:20 AM
#3
Can you elaborate a bit on the "new browser"? Is it a new tab, or really a new browser, like Firefox and Safari for instance?
You could check the log to see if new sessions are created. You can even configure Spring Security to prevent multiple windows, although I do not think this works for different user accounts.
It should of course not be possible to steal someone's session, I'll try some experiments myself as well, with this.
Success, Jettro
-
Feb 14th, 2009, 02:39 AM
#4
A new Firefox browser window or a new tab. I already added some filters in services-config.xml that give me some info. I have already detected that every time I log in the client ID is created, and I can invalidate the client during logout using this code:
public void logOut()
{
    // log the Flex client created for this login, then invalidate it
    log.info("Logging out client id = " + FlexContext.getFlexClient().getId());
    FlexContext.getFlexClient().invalidate();
    //SecurityContextHolder.getContext().setAuthentication(null);
}
I'm looking forward to your experiments. Anyway, I'm using DaoAuthenticationProvider.
Thanks a lot.
Cheers.
-
Feb 15th, 2009, 01:18 AM
#5
I did run some tests; I think it has to do with the session. When does your browser create a new session? I do not really know a way on the Mac to run a new instance of Firefox. I know what I used to do on Windows with Internet Explorer. But I do not have that anymore :-)
I tried with a new tab in Firefox as well as Safari; they both use the same session on the server. Therefore you can log in as another user and steal the session. I made some bigger changes in the sample. I created a service to check if a user already has a session and if that session contains a logged-in user. If so, I do not present the login form. Now you need to explicitly log out before you can log in as another user.
You can find the sources of the sample here:
http://code.google.com/p/gridshore/s...books-overview
As for logging out, I use a bit more code; I think this helps clean up the mess you leave when logging out:
public void logoutPrincipal() {
    String username = "unknown";
    try {
        username = SecurityContextHolder.getContext().getAuthentication().getName();
        // drop the principal from the Flex context, then kill both the HTTP and Flex sessions
        FlexContext.setUserPrincipal(null);
        FlexContext.getHttpRequest().getSession().invalidate();
        FlexContext.getFlexSession().invalidate();
        SecurityContextHolder.clearContext();
        log.debug("logout request is executed for user : " + username);
    } catch (RuntimeException e) {
        log.warn("Problem while logging out the current user : " + username);
    }
}
Hope that helps
Jettro
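As an added example (not from the thread and not Jettro's sample code), a remoting service in the spirit of what is described above: it refuses a login on an HTTP session that already holds an authenticated user, and it answers the question of which user is accessing a resource. It assumes Spring Security 3 package names, a Spring-injected AuthenticationManager, and that the Spring Security filter chain wraps the BlazeDS endpoint so the SecurityContext is saved to the HttpSession at the end of the request.

```java
import flex.messaging.FlexContext;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
/** Remoting destination exposed to the Flex client (added example, not thread code). */
public class SessionAwareLoginService {
    private final AuthenticationManager authenticationManager; // assumed injected by Spring

    public SessionAwareLoginService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }
    /** Name of the user bound to the current HTTP session, or null if nobody is logged in. */
    public String currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return null;
        }
        return auth.getName();
    }

    /**
     * Returns the name of the user now bound to the session. If that is not the name
     * the client sent, a second tab/window of the same browser tried to log in over an
     * existing session: the client shows the welcome screen and the first user's roles stay.
     */
    public String login(String username, String password) {
        String existing = currentUser();
        if (existing != null) {
            return existing; // refuse: the caller must call logout() first
        }
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        // Throws AuthenticationException on bad credentials; the filter chain persists the
        // context into the HttpSession when this request completes.
        Authentication result = authenticationManager.authenticate(request);
        SecurityContextHolder.getContext().setAuthentication(result);
        FlexContext.setUserPrincipal(result);
        return result.getName();
    }

    /** Drop both the HTTP session and the Flex session so no principal leaks to the next login. */
    public void logout() {
        FlexContext.setUserPrincipal(null);
        FlexContext.getHttpRequest().getSession().invalidate();
        FlexContext.getFlexSession().invalidate();
        SecurityContextHolder.clearContext();
    }
}
```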
-
Feb 15th, 2009, 05:37 AM
#6
I'm looking at your code and applying some modifications. And surely I will give feedback after. Thanks.
Thanks a lot.
Cheers.
-
Feb 15th, 2009, 03:46 PM
#7
Hello,
Before I did some modification to my code, I did manage to test my app on Windows (because I use Linux most of the time). I opened Internet Explorer and logged in as ADMIN, and I opened Firefox and logged in as a USER. Two sessions were created and all went fine, no session stealing. But when I opened two Firefox browsers on the same PC, again only one session was created and session stealing occurred. Btw, with different PCs it goes fine, because again a different session is created. I really have to manage the Flex session. Thanks for the insight.
Thank you for your help.
Cheers.
-
Feb 15th, 2009, 11:42 PM
#8
Hello jettro,
I already made some modifications to my code, and the result was awesome. When the user is already logged in, I redirect them to the welcome screen. I just need to prevent the user from overriding the current user's session when logging in as a different user in the same browser/tab in Firefox.
Thanks a lot.
Cheers.
-
Mar 31st, 2009, 11:17 AM
#9
Hi freak182,
How did you solve the issue of the session being shared in two Firefox windows?
-
Apr 1st, 2009, 06:46 PM
#10
Hi,
Just follow the advice of jettro.
Cheers.