Posted to dev@fineract.apache.org by Usman Khaliq <us...@gmail.com> on 2017/05/10 13:23:38 UTC
Limiting Concurrent User Sessions to 1
Hi everyone,
I have written the following code in the infrastructure/core/boot directory
to set the number of concurrent user sessions at 1:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry());
    }

    // Work around https://jira.spring.io/browse/SEC-2855
    @Bean
    public SessionRegistry sessionRegistry() {
        SessionRegistry sessionRegistry = new SessionRegistryImpl();
        return sessionRegistry;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("mifos").password("password").roles("USER");
    }

    // Register HttpSessionEventPublisher
    @Bean
    public static ServletListenerRegistrationBean httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
    }
}

I have also registered the Spring Security filter created above in the
AbstractSecurityWebApplicationInitializer in the infrastructure/core/boot
directory as follows:

public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { WebSecurityConfig.class };
    }
}

However, I am still able to log into multiple browser sessions from my
machine. Any advice on what I am doing wrong with my code? Thanks in
advance.
--
Kind Regards
Usman Khaliq
Programmer and R&D Lead
iDT Labs
5 Foday Drive,Regent Road,Hill Station
Freetown,Sierra Leone
Tel: +92334 3777 059/ + 232 77 775 775
Skype: usman.khaliq
Website:www.idtlabs.sl
Re: Limiting Concurrent User Sessions to 1
Posted by Usman Khaliq <us...@gmail.com>.
Hello Ippez,
I have been trying to use Spring Security to implement this functionality,
but have not been successful at it yet. I shall look into your solution
today and work on it. Will post here if I can come up with a working
solution.
On Fri, May 12, 2017 at 2:00 AM, Ippez Robert <ip...@gmail.com> wrote:
> Hi Usman Khaliq,
>
> Have you got a solution for this based on what I shared with you? Please
> share.
>
> Thanks
> Regards
> Ippez Robert
--
Kind Regards
Usman Khaliq
Programmer and R&D Lead
iDT Labs
5 Foday Drive,Regent Road,Hill Station
Freetown,Sierra Leone
Tel: +92334 3777 059/ + 232 77 772 772
Skype: usman.khaliq
Website:www.idtlabs.sl
Re: Limiting Concurrent User Sessions to 1
Posted by Ippez Robert <ip...@gmail.com>.
Hi Usman Khaliq,
Have you got a solution for this based on what I shared with you? Please
share.
Thanks
Regards
Ippez Robert
On Wed, May 10, 2017 at 4:30 PM, Ippez Robert <ip...@gmail.com> wrote:
> Hi, I was hoping to implement this as here but somehow got lost. What I
> wanted to do is to prevent users from logging in on multiple devices/computers
> by adding a column is_logged_in to the m_appuser table, so when a user tries to
> log in and his credentials are correct, but he is logged in on another computer,
> he is rejected from logging in and notified in the community-app that he is
> logged in on another device. He should log out from there and try again.
>
> I tried to test what I have done and here is how it behaves... a user
> logs in and the value of is_logged_in is set to 1. Which is correct, but now
> what I want is to have a check for the is_logged_in value before a user is
> fully authenticated. That's my challenge.
>
> Here is my code snippet, please make some tweaks and if it works, then
> share back.
>
> The commit is here
> https://github.com/Ippezrobert/incubator-fineract/commit/c49280aa8ec6659e0133004787c6e11919854dd6
>
> Thanks
> Regards
--
Ippez Roberts
Director & Founder - Skyline Technologies Uganda
"IT Consultants & Engineers"
P.O.Box 155, Moyo
UGANDA.
Tel: +256788725408/789643284
Skype ID: ippez.robert1
Email: ippezrobert@gmail.com
Re: Limiting Concurrent User Sessions to 1
Posted by Ippez Robert <ip...@gmail.com>.
Hi, I was hoping to implement this as here but somehow got lost. What I
wanted to do is to prevent users from logging in on multiple devices/computers
by adding a column is_logged_in to the m_appuser table, so when a user tries to
log in and his credentials are correct, but he is logged in on another computer,
he is rejected from logging in and notified in the community-app that he is
logged in on another device. He should log out from there and try again.

I tried to test what I have done and here is how it behaves... a user logs in
and the value of is_logged_in is set to 1. Which is correct, but now what I
want is to have a check for the is_logged_in value before a user is fully
authenticated. That's my challenge.

Here is my code snippet, please make some tweaks and if it works, then share
back.

The commit is here
https://github.com/Ippezrobert/incubator-fineract/commit/c49280aa8ec6659e0133004787c6e11919854dd6

Thanks
Regards
--
Ippez Roberts
Director & Founder - Skyline Technologies Uganda
"IT Consultants & Engineers"
P.O.Box 155, Moyo
UGANDA.
Tel: +256788725408/789643284
Skype ID: ippez.robert1
Email: ippezrobert@gmail.com
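
A stand-alone model of the single-session rule discussed in this thread (the maximumSessions(1) / maxSessionsPreventsLogin(true) setting in the first post and the is_logged_in flag in the message above), added here as an example; it is not Fineract or Spring Security code, and SingleSessionGuard, Lease, tryLogin, touch and logout are hypothetical names. It goes beyond the flag by making check-and-claim one atomic step and by expiring idle sessions, so a user who never logs out is not locked out permanently.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper, not Fineract or Spring Security code: one live session per user.
public class SingleSessionGuard {
    private static final class Lease {
        final String sessionId; final Instant expiresAt;
        Lease(String s, Instant e) { sessionId = s; expiresAt = e; }
    }
    private final ConcurrentHashMap<String, Lease> leases = new ConcurrentHashMap<>();
    private final Duration idleTimeout;
    public SingleSessionGuard(Duration idleTimeout) { this.idleTimeout = idleTimeout; }

    // Call after the credentials are verified. Returns a session id, or null if the user already
    // holds a live session. compute() is atomic per key, so two simultaneous logins cannot both
    // pass. With the database flag the same guarantee needs one conditional statement, e.g.
    // UPDATE m_appuser SET is_logged_in = 1 WHERE id = ? AND is_logged_in = 0 (id column assumed).
    public String tryLogin(String username, Instant now) {
        String candidate = UUID.randomUUID().toString();
        Lease held = leases.compute(username, (user, current) ->
                current != null && current.expiresAt.isAfter(now)
                        ? current : new Lease(candidate, now.plus(idleTimeout)));
        return held.sessionId.equals(candidate) ? candidate : null;
    }

    // Extend the lease on each authenticated request; false means stale or not the owner.
    public boolean touch(String username, String sessionId, Instant now) {
        Lease held = leases.computeIfPresent(username, (user, current) ->
                current.sessionId.equals(sessionId) && current.expiresAt.isAfter(now)
                        ? new Lease(sessionId, now.plus(idleTimeout)) : current);
        return held != null && held.sessionId.equals(sessionId) && held.expiresAt.isAfter(now);
    }

    // Logout frees the slot, but only for the session that owns it.
    public void logout(String username, String sessionId) {
        leases.computeIfPresent(username, (user, current) -> current.sessionId.equals(sessionId) ? null : current);
    }
    public static void main(String[] args) {
        SingleSessionGuard guard = new SingleSessionGuard(Duration.ofMinutes(15));
        Instant t0 = Instant.parse("2017-05-10T13:00:00Z");   // constructed sample time
        String first = guard.tryLogin("mifos", t0);
        System.out.println("second login rejected:   " + (guard.tryLogin("mifos", t0.plusSeconds(60)) == null));
        System.out.println("first session still ok:  " + guard.touch("mifos", first, t0.plusSeconds(120)));
        System.out.println("login after idle expiry: " + (guard.tryLogin("mifos", t0.plusSeconds(3600)) != null));
        System.out.println("old session now invalid: " + !guard.touch("mifos", first, t0.plusSeconds(3601)));
    }
}
```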