Additional authentication with j_security_check

Jeremy Wilkinson
Greenhorn

Joined: Mar 31, 2010
Posts: 13
When a user logs in successfully I write an entry to a database table with their session id and login id. I want to limit the number of times a user can login with the same user id. Is there a way to add additional authentication checks to the j_security_check process?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 11740

This is kind of hard to do with the container-managed security system. What you're really trying to do is restrict the number of active Sessions to one per user ID, and the Realm A&A modules don't have access to session information. One reason for that is that security may be covering more than just a single webapp (for example, single signon), which means most likely more than one session.

The cleanest way to do this is probably to craft up a custom Realm where you push a token to a central repository (such as a database) when you successfully authenticate. Or rather, check for the existence of one, and reject authentication if it already exists.

The sticky part is tracking when the user logs out. If you don't manage that well, users will end up locked out. For example, if the user's browser crashes, their token may remain, but their authentication may be gone. Plus, since there is no container-managed logout management, removing the token is probably going to require an asymmetry where a SessionListener in the app does the token removal.

You can make this more symmetrical by tracking user sessions on a per-request basis by using a servlet filter. There is no "login event" as such, but if a user has a session and the session has transitioned from a null userID to a non-null userID, that's an indicator that the user logged in, so at that point you can set the token if you prefer, and even force-logout the user if needed.


A lot of the modern-day software development platforms are designed to permit parcelling out work to those with the best aptitude for it. A lot of modern-day business is predicated on making one person do all the work, regardless of aptitude.
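The filter-plus-listener arrangement Tim outlines above, written out as an added example (it is not code from the thread or from Tomcat). It assumes the Servlet 2.5 API (`javax.servlet.*`) that Tomcat 6 ships, and the class and attribute names are made up for the example. The filter treats the first request where a session exists and `getRemoteUser()` has become non-null as the login event, claims the user's token atomically, and force-logs-out a second session for the same user; the listener releases the token on timeout or explicit logout, which is the only logout signal the container gives.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class for this example. Register it in web.xml both as a
// <filter> (mapped to /*) and as a <listener>; Tomcat creates two instances,
// but the static registry below is shared by both.
public class SingleSessionFilter implements Filter, HttpSessionListener {

    // user ID -> ID of the session currently holding that user's token
    private static final ConcurrentMap<String, String> ACTIVE =
            new ConcurrentHashMap<String, String>();

    // Session attribute used to remember which user a session was claimed for
    private static final String USER_ATTR = "singleSession.userId";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession session = request.getSession(false);
        // Filled in by the Realm once j_security_check has succeeded
        String user = request.getRemoteUser();

        if (session != null && user != null && session.getAttribute(USER_ATTR) == null) {
            // Anonymous -> authenticated transition: the "login event".
            // putIfAbsent is atomic, so two racing logins cannot both win.
            String holder = ACTIVE.putIfAbsent(user, session.getId());
            if (holder != null && !holder.equals(session.getId())) {
                // A different live session already holds this user's token:
                // force-logout this one and refuse the request.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_CONFLICT,
                        "This user ID is already logged in elsewhere");
                return;
            }
            session.setAttribute(USER_ATTR, user);
        }
        chain.doFilter(req, resp);
    }

    public void sessionCreated(HttpSessionEvent e) { }

    // Fires on timeout, on invalidate() from a logout page, and on shutdown,
    // so the token is released without any container "logout event".
    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession session = e.getSession();
        String user = (String) session.getAttribute(USER_ATTR);
        if (user != null) {
            // Two-argument remove: only drop the token if this session owns it,
            // so a rejected duplicate session cannot release the real holder's token.
            ACTIVE.remove(user, session.getId());
        }
    }
}
```

Because removal is tied to session destruction, the longest a crashed browser can keep a user locked out is the session timeout, which is the trade-off Tim describes. The registry is in-memory and per-JVM; a clustered deployment would need it in the shared database the original post already writes to.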
Jeremy Wilkinson
Greenhorn

Joined: Mar 31, 2010
Posts: 13
Yes, I do have a session listener set up to remove the token when the session times out or the user clicks on logout. I like the idea of authenticating with a custom Realm. Can you point me in the right direction to get this coded, maybe an example I can use as a model?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 11740

Probably the easiest thing to do is to download the Tomcat source code and look at the predefined examples. The MemoryRealm is pretty simple.

Mostly what a realm does is supply a backend to the "authenticate" and "hasRole" functionalities and sets up a concrete instance of a UserPrincipal object to attach to inbound requests.
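The Realm-side variant Tim described earlier ("check for the existence of a token and reject authentication if it already exists"), built on MemoryRealm since that is the example he points to. This is an added example, not Tomcat's code or anything posted in the thread; it assumes the Tomcat 6/7-era `org.apache.catalina.realm.MemoryRealm` with an overridable `authenticate(String, String)` that returns a `Principal` (null meaning failure), and the class name is invented. Realms load in the server classloader, so the compiled class belongs in `$CATALINA_HOME/lib`, and the webapp's `HttpSessionListener` has to call `release()` with the user name it stored in the session, because the realm itself never sees session events.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.catalina.realm.MemoryRealm;

// Hypothetical Realm for this example. Wire it up in server.xml (or the
// webapp's context.xml) with:
//   <Realm className="SingleLoginRealm"/>
// Users and passwords still come from tomcat-users.xml as with MemoryRealm.
public class SingleLoginRealm extends MemoryRealm {

    // Tokens for users who currently hold a login. Static and in the server
    // classloader so a webapp listener can reach the same set via release().
    private static final Set<String> LOGGED_IN =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    @Override
    public Principal authenticate(String username, String credentials) {
        // Let MemoryRealm check the password first, so a bad password
        // never touches the token set and cannot be used to probe it.
        Principal principal = super.authenticate(username, credentials);
        if (principal == null) {
            return null;
        }
        // Set.add is atomic on this set: false means a token already exists,
        // i.e. the user is logged in somewhere, so reject this login.
        if (!LOGGED_IN.add(username)) {
            return null;   // FormAuthenticator treats null as a failed login
        }
        return principal;
    }

    // Called from the webapp's HttpSessionListener.sessionDestroyed(), which
    // is the only logout signal available (the asymmetry Tim mentioned).
    public static void release(String username) {
        if (username != null) {
            LOGGED_IN.remove(username);
        }
    }
}
```

The listener needs the user name at destruction time, and `sessionDestroyed` has no request to ask, so store `request.getRemoteUser()` in a session attribute on the first authenticated request and read it back in the listener. The same lock-out caveat applies: if the listener never runs for a session (for example after an unclean shutdown), the token survives until the server is restarted, so a production version would want the token in the database with a timestamp it can expire.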
Jeremy Wilkinson
Greenhorn

Joined: Mar 31, 2010
Posts: 13
After searching the Apache documentation I did find custom authentication information using JAASRealm. Looks like I'm going to have to do a little studying to get this working.