-1

I am working on a Spring-MVC project running on Tomcat in which I have Spring-security for authentication and authorization. As our project is currently in development, we have more deployments than usual. Generally what happens after a deployment is that all the clients are logged out as the server is restarted.

Is there any way where I can put the session-data in database or somewhere, so even after Tomcat/JVM crashes/restarts, already logged-in users wont have a problem.

Is there any strategy to solving this problem? Any idea how?

security-applicationContext.xml :

 <!-- Global Security settings -->
    <security:http pattern="/resources/template/demo/clients" security="none"/>

    <security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true">
        <security:form-login login-page="/login" username-parameter="j_username" password-parameter="j_password"
                             login-processing-url="/j_spring_security_check" default-target-url="/dashboard"
                             always-use-default-target="true" authentication-failure-url="/denied"/>
        <security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService"
                              token-validity-seconds="1209600" data-source-ref="dataSource"/>
        <security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/>
     <!--<security:intercept-url pattern="/**" requires-channel="https"/>-->
        <security:port-mappings>
            <security:port-mapping http="80" https="443"/>
        </security:port-mappings>
        <security:logout logout-url="/logout" logout-success-url="/" success-handler-ref="myLogoutHandler"/>

        <security:session-management session-fixation-protection="migrateSession">
            <security:concurrency-control session-registry-ref="sessionReg" max-sessions="5" expired-url="/login"/>
        </security:session-management>
    </security:http>

    <beans:bean id="sessionReg" class="org.springframework.security.core.session.SessionRegistryImpl"/>

    <beans:bean id="rememberMeAuthenticationProvider"
                class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
        <beans:constructor-arg index="0" value="_spring_security_remember_me"/>
        <beans:constructor-arg index="1" ref="userDetailsService"/>
        <beans:constructor-arg index="2" ref="jdbcTokenRepository"/>
        <property name="alwaysRemember" value="true"/>
    </beans:bean>

    <beans:bean id="jdbcTokenRepository"
                class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
        <beans:property name="createTableOnStartup" value="false"/>
        <beans:property name="dataSource" ref="dataSource"/>
    </beans:bean>

    <!-- Remember me ends here -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="LoginServiceImpl">
            <security:password-encoder ref="encoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <beans:bean id="encoder"
                class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="11"/>
    </beans:bean>

    <beans:bean id="daoAuthenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="LoginServiceImpl"/>
        <beans:property name="passwordEncoder" ref="encoder"/>
    </beans:bean>
</beans>

LoginServiceImpl :

@Transactional
@Service("userDetailsService")
public class LoginServiceImpl implements UserDetailsService {

    @Autowired
    private PersonDAO personDAO;

    @Autowired
    private Assembler assembler;

    public LoginServiceImpl() {
    }

@Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        Person person = personDAO.findPersonByUsername(username.toLowerCase());
        if (person == null) {
            throw new UsernameNotFoundException("Wrong username or password");
        }
        return assembler.buildUserFromUserEntity(person);
    }
}

Assembler :

@Service("assembler")
public class Assembler {
    @Transactional(readOnly = true)
    User buildUserFromUserEntity(Person userEntity) {
        String username = userEntity.getUsername().toLowerCase();
        String password = userEntity.getPassword();

        boolean enabled = userEntity.isEnabled();
        boolean accountNonExpired = userEntity.isAccountNonExpired();
        boolean credentialsNonExpired = userEntity.isCredentialsNonExpired();
        boolean accountNonLocked = userEntity.isAccountNonLocked();

        Collection<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

        return new User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
    }
}

If there is any more information required, kindly let me know. Thank you.. :-)

We are Borg
  • 5,117
  • 17
  • 102
  • 225
  • Why was the question downvoted? Any explanations? – We are Borg Mar 07 '16 at 12:56
  • Take a look at this question and answers for ideas: http://stackoverflow.com/questions/13211615/how-to-store-spring-security-session-information-in-redis – Fortunato Mar 07 '16 at 13:18
  • @Fortunato : The Redis option does sound good. I already have the remember-me functionality, and as the links say, Spring-session with Redis is already out of the box. Any idea what I have to change in this project for proper integration? – We are Borg Mar 07 '16 at 13:26

1 Answers1

0

Not sure of the configuration available in Spring, but this is possible with Tomcat(you mentioned using tomcat).

In your context.xml file, locate this line/statement

<Manager pathname="" />

Comment/delete this entry. This shall enable session persistence across graceful tomcat restarts.

Anirudh
  • 150
  • 3