|
I am trying to implement Concurrent Session Handling according to the following documentation:
http://www.acegisecurity.org/guide/springsecurity.html#concurrent-sessions

It mentions FilterChainProxy, which I cannot find to add a listener.

Any ideas on how to implement this on Grails?

Thanks |
|
Those docs are old, they're for 1.0.7. The Acegi plugin uses Spring Security 2 now,
http://static.springframework.org/spring-security/site/reference/html/springsecurity.html - specifically
http://static.springframework.org/spring-security/site/reference/html/authentication-common-auth-services.html#concurrent-sessions

I haven't tried this, but it looks like you'll need to add the listener to web.xml as described, and override the 'authenticationManager' bean in resources.groovy:

    import org.springframework.security.concurrent.ConcurrentSessionControllerImpl
    import org.springframework.security.concurrent.SessionRegistryImpl
    import org.springframework.security.providers.ProviderManager

    beans = {

        // allow one session per principal
        concurrentSessionController(ConcurrentSessionControllerImpl) {
            maximumSessions = 1
            sessionRegistry = new SessionRegistryImpl()
        }

        // replaces the plugin's authenticationManager definition
        authenticationManager(ProviderManager) {
            providers = [ref('daoAuthenticationProvider'),
                         ref('anonymousAuthenticationProvider'),
                         ref('rememberMeAuthenticationProvider')]
            sessionController = concurrentSessionController
        }
    }

A cleaner way to do this (since the sessionController setter doesn't do any more work than just set the field value) would be to set the sessionController in Bootstrap. The advantage of this is that you don't need to override the authenticationManager, which might result in problems later if the plugin's definition changes:

    import org.springframework.security.concurrent.ConcurrentSessionControllerImpl
    import org.springframework.security.concurrent.SessionRegistryImpl

    beans = {

        concurrentSessionController(ConcurrentSessionControllerImpl) {
            maximumSessions = 1
            sessionRegistry = new SessionRegistryImpl()
        }
    }

    class BootStrap {

        // both beans are injected by name
        def authenticationManager
        def concurrentSessionController

        def init = { servletContext ->
            authenticationManager.sessionController = concurrentSessionController
        }

        def destroy = {}
    }

Burt

On Thursday 14 August 2008 2:22:20 pm carlos orrego wrote:
> I am trying to implement Concurrent Session Handling according to the
> following documentation:
> http://www.acegisecurity.org/guide/springsecurity.html#concurrent-sessions
>
> It mentions FilterChainProxy, which I cannot find to add a listener.
>
> Any ideas on how to implement this on Grails?
>
> Thanks |
|
I did as you said. And it is not preventing me from logging in with two sessions concurrently.

I am using acegi plugin 0.2.1

Do you think I should upgrade for this?

Thanks for your reply
c
|
|
I'm surprised that you were able to even start the app - the class names are for Spring Security 2 and you're using old 1.0.x jars. The steps would be fairly different for the 0.2.1 plugin - you should upgrade.

Burt

On Thursday 14 August 2008 5:55:04 pm carlos orrego wrote:
> I did as you said. And it is not preventing me from logging in with two
> sessions concurrently.
>
> I am using acegi plugin 0.2.1
>
> Do you think I should upgrade for this?
>
> Thanks for your reply
> c |
|
I did change the class names and it ran. Actually the app runs very well with acegi security 0.2.1 except for this new functionality. The problem with upgrading is that I have done plenty of changes to the register controller and other custom controllers. And it is working fine.

I guess I need to upgrade to 0.3 anyway.

Thanks man
c
|
|
In reply to this post by burtbeckwith
I did the upgrade, but still I am allowed to have concurrent sessions following your advice.

I wonder if we are missing this aspect that is in the documentation:

In addition, you will need to add the org.acegisecurity.concurrent.ConcurrentSessionFilter to your FilterChainProxy. The ConcurrentSessionFilter requires two properties, sessionRegistry, which generally points to an instance of SessionRegistryImpl, and expiredUrl, which points to the page to display when a session has expired.

It seems we are not configuring this anywhere. Where do I find the FilterChainProxy?

Greetings
c
|
|
You're still using the old 1.0.7 docs.

On Thursday 14 August 2008 7:21:29 pm carlos orrego wrote:
> I did the upgrade, but still I am allowed to have concurrent sessions
> following your advice.
>
> I wonder if we are missing this aspect that is in the documentation:
>
> In addition, you will need to add the
> org.acegisecurity.concurrent.ConcurrentSessionFilter to your
> FilterChainProxy. The ConcurrentSessionFilter requires two properties,
> sessionRegistry, which generally points to an instance of
> SessionRegistryImpl, and expiredUrl, which points to the page to display
> when a session has expired.
>
> It seems we are not configuring this anywhere. Where do I find the
> FilterChainProxy?
>
> Greetings
> c |
|
Sorry, you're right - hang on, I'll try implementing this in an app.

Burt

On Thursday 14 August 2008 7:28:42 pm Burt Beckwith wrote:
> You're still using the old 1.0.7 docs. |
|
In reply to this post by burtbeckwith
No, I got that from the link to the docs you sent me:
http://static.springframework.org/spring-security/site/reference/html/authentication-common-auth-services.html#concurrent-sessions

Clearly we are not setting this parameter: expiredUrl

So I wonder if this is a problem.

Thanks again, I will keep investigating
c
|
|
In reply to this post by burtbeckwith
Ok, I figured it out. I took the 2nd approach, setting the concurrentSessionController in Bootstrap:

    class BootStrap {

        // both beans are injected by name
        def authenticationManager
        def concurrentSessionController

        def init = { servletContext ->
            authenticationManager.sessionController = concurrentSessionController
        }

        def destroy = {}
    }

then in resources.groovy I configured the missing concurrentSessionFilter:

    import org.springframework.security.concurrent.ConcurrentSessionControllerImpl
    import org.springframework.security.concurrent.ConcurrentSessionFilter
    import org.springframework.security.concurrent.SessionRegistryImpl
    import org.springframework.security.providers.ProviderManager

    beans = {

        // one registry shared by the controller and the filter
        sessionRegistry(SessionRegistryImpl)

        concurrentSessionController(ConcurrentSessionControllerImpl) {
            maximumSessions = 1
            sessionRegistry = sessionRegistry
        }

        concurrentSessionFilter(ConcurrentSessionFilter) {
            sessionRegistry = sessionRegistry
            expiredUrl = '/login/concurrentSession'
        }
    }

and took advantage of a new feature in the 0.3 version of the plugin, being able to specify the FilterChainProxy filter list as a list of strings in SecurityConfig.groovy:

    filterNames = ['concurrentSessionFilter',
                   'httpSessionContextIntegrationFilter',
                   'logoutFilter',
                   'authenticationProcessingFilter',
                   'securityContextHolderAwareRequestFilter',
                   'rememberMeProcessingFilter',
                   'anonymousProcessingFilter',
                   'exceptionTranslationFilter',
                   'filterInvocationInterceptor']

Once I configured this, I logged in twice, and one was invalidated.

Burt

On Thursday 14 August 2008 7:37:00 pm Burt Beckwith wrote:
> Sorry, you're right - hang on, I'll try implementing this in an app.
>
> Burt |
|
Hey Burt
I followed these instructions step by step and still I can get two sessions of the same user running from different computers. I can't figure out the error I am making.

I wonder if I need to modify anything on the login controller.

Are you using the acegi 0.3 plugin?

Greetings
c
|
|
Never mind... IT WORKS !!!
It lets me log in on another PC, then the original account gets disabled and will not work. Is this the right behavior?

Thanks man
c
|
|
Cool, glad you got it going.

ConcurrentSessionControllerImpl sorts all logins with the same username and expires the least recently used. This allows the newer login to invalidate the first login, which seems backwards. But it covers the case where a browser has crashed and the user logs back in. In any case, the behavior is configurable since the method that decides which session to invalidate (allowableSessionsExceeded()) is protected, so you could subclass and override.

Burt

On Wednesday 20 August 2008 7:50:45 pm carlos orrego wrote:
> Never mind... IT WORKS !!!
>
> It lets me log in on another PC, then the original account gets disabled
> and will not work. Is this the right behavior?
>
> Thanks man
> c |
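An illustration of the subclass-and-override option Burt describes above, added here as an example; it is not code from the thread, the plugin or Spring Security. It rejects the newer login while the existing session has been used recently and otherwise expires the least recently used session as the stock class does. The class name ActivityAwareSessionController, the activeWindowMillis property and its five-minute default are assumptions.

```groovy
import org.apache.commons.logging.Log
import org.apache.commons.logging.LogFactory
import org.springframework.security.concurrent.ConcurrentLoginException
import org.springframework.security.concurrent.ConcurrentSessionControllerImpl
import org.springframework.security.concurrent.SessionInformation
import org.springframework.security.concurrent.SessionRegistry
import org.springframework.security.userdetails.UserDetails

/**
 * Hypothetical subclass, written against the Spring Security 2.0 classes
 * used in this thread. Setting exceptionIfMaximumExceeded = true on the
 * stock ConcurrentSessionControllerImpl rejects every newer login; this
 * class only rejects it while the existing session is still in use.
 */
class ActivityAwareSessionController extends ConcurrentSessionControllerImpl {

    private static final Log LOG = LogFactory.getLog(ActivityAwareSessionController)

    /** Assumed default: a session used within the last 5 minutes counts as active. */
    long activeWindowMillis = 5 * 60 * 1000L

    protected void allowableSessionsExceeded(String sessionId, SessionInformation[] sessions,
            int allowableSessions, SessionRegistry registry) {

        String message = "Maximum sessions of ${allowableSessions} for this principal exceeded".toString()
        if (sessions == null || sessions.length == 0) {
            throw new ConcurrentLoginException(message)
        }

        // Same selection as the stock class: the session with the oldest lastRequest.
        // lastRequest is refreshed by ConcurrentSessionFilter on every request, so this
        // is only meaningful when that filter is in the chain.
        SessionInformation leastRecentlyUsed = sessions[0]
        for (SessionInformation candidate in sessions) {
            if (candidate.lastRequest.before(leastRecentlyUsed.lastRequest)) {
                leastRecentlyUsed = candidate
            }
        }

        String username = usernameOf(leastRecentlyUsed.principal)
        long idleMillis = System.currentTimeMillis() - leastRecentlyUsed.lastRequest.time

        if (idleMillis < activeWindowMillis) {
            // Existing session is in use: keep it and fail the new login.
            // ConcurrentLoginException is an AuthenticationException, so the
            // login form sees an ordinary authentication failure.
            LOG.warn("Concurrent login rejected for '${username}': existing session was used ${idleMillis} ms ago")
            throw new ConcurrentLoginException(message)
        }

        // Existing session looks abandoned (for example a crashed browser):
        // mark it expired; ConcurrentSessionFilter enforces this on its next request.
        LOG.info("Expiring idle session for '${username}' (idle ${idleMillis} ms) in favour of a new login")
        leastRecentlyUsed.expireNow()
    }

    /** Log only the username, never the whole principal or a session id. */
    private static String usernameOf(Object principal) {
        principal instanceof UserDetails ? principal.username : String.valueOf(principal)
    }
}
```

To use it, name this class instead of ConcurrentSessionControllerImpl in the concurrentSessionController bean in resources.groovy; the BootStrap wiring and the concurrentSessionFilter entry in filterNames stay as in the thread. The trade-off is that a user whose browser crashed has to wait out the window before logging in again.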
|
Another issue. Now I keep getting this exception:

java.lang.IllegalArgumentException: SessionIdentifierAware did not return a Session ID

If I delete path cookies it starts working fine till the session ends, then exception again. I found this bug: http://jira.springframework.org/browse/SEC-183

Any ideas?
c
|
