Apache Shiro session management on Spring - java

I am a newbie to both Spring and Shiro. I have some questions on session management.
I saw a question which gives quite a good introduction to session management.
But what I did not understand is how Shiro communicates with the client to pass the session information, and how the client authenticates itself again over subsequent requests. Does Shiro pass a session ID automatically, without me having to code for it?
Does the browser automatically store the session IDs and send them (maybe over HTTPS) with subsequent requests?
How is the session logout communicated to the client? And how does the client understand that it has to log in again?
Thanks!

The session ID is stored as a browser cookie. The session ID cookie is removed from the browser when the user logs out (and the session is invalidated on the server). Requests made after the cookie is dropped will appear to Shiro to be coming from an anonymous user, so Shiro will redirect the browser to a login page if they try to request a URL that requires being logged in.

Related

Is there a way to implement custom SessionTrackingMode for servlet-app

I have a legacy servlet application running in Apache Tomcat. The app uses the session to store some data between requests. Session data is stored in Redis by the session manager, but the JSESSIONID cookie is still used for session tracking.
I would like to integrate this app into a microservice environment where Bearer token authentication is used.
Is there a way to use the subj from the token as the session id instead of the value generated/passed via a cookie?
I found the session id extraction in org.apache.catalina.connector.CoyoteAdapter#postParseRequest:
// Look for session ID in cookies and SSL session
parseSessionCookiesId(request);
parseSessionSslId(request);
sessionID = request.getRequestedSessionId();

Alternatives to Basic Authentication when logout is required?

If BASIC authentication was not built to handle logging out, what alternative authentication methods exist for authenticating backend services that need to be able to log out?
I found these references stating that BASIC auth is not able to log out without some hackiness:
How to log out user from web site using BASIC authentication?
How do I log out?
We are using BASIC authentication to log into backend applications, and FORM authentication for frontend applications. After our team tested the stack on Firefox/IE, it was found that a user would not be able to log out if they logged into the backend services via BASIC authentication on those browsers. The hacks and workarounds are unacceptable to my team (asking the user to enter incorrect credentials, making the user close the browser, using JavaScript to send incorrect credentials, asking the user to clear the browser cache, etc.), so we are seeking advice on alternative authentication methods that DO allow logging out.
EDIT - My temporary workaround for logout:
I am currently getting around this problem by using FORM authentication. One problem is that my backend services rely on the shared frontend login.html form, and another problem is that Postman does not support logging in via a redirected FORM input, and our client Arquillian calls blow up on the login form.
FORM authentication gets rid of the "I can't log out with BASIC" problem, but now I can't authenticate as straightforwardly.
Form-based authentication
If it's okay to keep the session state on the server, you can go for form-based authentication.
Send the credentials in the form; if the credentials are valid, the server will issue a cookie that will be sent back and forth to identify the session on the server. To log out, the session can be invalidated:
session.invalidate();
You can also configure your application to expire sessions after a timeout:
<session-config>
<session-timeout>60</session-timeout> <!-- minutes -->
</session-config>
Token-based authentication
If you want a stateless mechanism, go for token-based authentication.
The client exchanges hard credentials (such as username and password) for a piece of data called a token. For each request, instead of sending the hard credentials, the client sends the token to the server to perform authentication and then authorization.
For the token, you could use JSON Web Token (JWT). It's an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
JWT is a generic name for the following types of token:
JSON Web Signature (JWS): The payload is encoded and signed so the integrity of the claims can be verified.
JSON Web Encryption (JWE): The payload is encrypted so the claims are hidden from other parties.
The token can define an expiration date in the exp claim. For logout, you can remove the token from the client.
You could also keep track of the tokens in a whitelist on the server side and invalidate them as you need. There's no need to store the whole token on the server side though: store only a token identifier in the whitelist and use the jti claim to carry that identifier in the token.
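Added example (not code from the answer above or from any of the projects it mentions): a minimal HS256 JWS issuer and verifier that enforces the exp claim and keeps only the jti in a server-side whitelist, so a logout is just a whitelist removal and the token never has to be stored whole. The key, the in-memory set and all function names are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-hmac-key"  # assumption: the server's HS256 key
ACTIVE_JTI = set()                      # server-side whitelist of live token ids

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str, ttl_seconds: int, now: float = None) -> str:
    """Mint an HS256 JWS carrying sub, exp and a fresh jti; record only the jti."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "exp": int(now) + ttl_seconds, "jti": str(uuid.uuid4())}
    parts = [json.dumps(p, separators=(",", ":")).encode() for p in (header, claims)]
    signing_input = ".".join(_b64url(p) for p in parts)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    ACTIVE_JTI.add(claims["jti"])
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now: float = None):
    """Return the claims if signature, alg, exp and jti whitelist all pass, else None."""
    now = time.time() if now is None else now
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # tampered payload or wrong key
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # refuse alg=none or any other algorithm
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # malformed base64url or JSON
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired
    if claims.get("jti") not in ACTIVE_JTI:
        return None  # revoked (logged out) or never issued here
    return claims

def logout(token: str, now: float = None) -> bool:
    """Server-side logout: drop the jti so the token stops validating immediately."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    ACTIVE_JTI.discard(claims["jti"])
    return True
```

Because only the jti is whitelisted, the set stays small and entries can be purged once their exp has passed.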
I suggest you have a look at Apache Shiro, especially the way sessions are managed (https://shiro.apache.org/session-management.html).
They have abstracted the concept of a session so that it can work in various situations: in a webapp (in which case it's simply a wrapper around the HTTP session), in a standalone app, etc.
In your particular case, the front-end could open and close (log out from) a Shiro session that is shared with the backend layer.
See the sentence:
Heterogeneous Client Access
(...)
For example, a (desktop) application could ‘see’ and ‘share’ the same physical session. We are unaware of any framework other than Shiro that can support this

Spring/Kerberos - Clearing session cookies from PoolingHttpClientConnectionManager

I am having to integrate with a badly designed RPC API with Kerberos authentication.
To make matters worse, it sets a session cookie and doesn't allow multiple asynchronous requests from the same client using the same cookie, so I need to make sure each request has a cleared session cookie.
I'm using a custom HttpClient with a PoolingHttpClientConnectionManager and RestTemplate, which doesn't let me clear the session cookie before it reuses a connection.
I need this cookie to be cleared before another request uses the same connection. How do I do this?
Turns out the server attaches a session ID but couldn't care less if it isn't there in subsequent requests. HttpClient allows you to disable cookie management, and that seems to work.

How to invalidate an authenticated session in WebLogic when the server times out?

How do I log out the authenticated session in WebLogic once the server times out as per the value configured in the deployment descriptor (web.xml)?
It seems that by default the server calls the httpSession.invalidate() method once the server times out. httpSession.invalidate() does not log out the authenticated user.
But I need to programmatically call WebLogic's ServletAuthentication.invalidateAll(HttpServletRequest req).
I thought of using an HttpSessionListener, but how do I get hold of the HttpServletRequest object?
Any solution will be appreciated.
Thanks in advance.
When the session times out, the user is automatically logged out. If you refresh the page you will be redirected to the login page.

Session Management in ExtJS 4

What is the best way of implementing sessions? I am thinking of managing sessions on the server side (creation, validity of the session) and responding to the ExtJS 4 client based on that. Is that the best way?
In app.js I have used the launch config as:
launch: function(){
Ext.create('Myapp.view.LoginForm')
}
LoginForm will show the login dialog and invoke the login controller to communicate with the server for authenticating the credentials provided by the user.
So whenever the user refreshes the page, ExtJS asks for a login; that is because I am not checking the session here. How should the session details be stored in the ExtJS client and checked, to avoid prompting for login unless the user has logged out? And how do I manage the user session?
Please help me.
You can do that with the help of cookies and JavaScript....
