In my webapp the login page is http://localhost:8080/vsingh/login

I am able to do the following:

  1. Open tab1 and open the login page
  2. Open tab2 and open the login page

In tab1, log in with USER1. The user is redirected to the homepage. Now open tab2 and log in with USER2. Now the user is redirected to the homepage of USER1.

How can I log out USER1 automatically in this case? Any pointers are appreciated.

PS: I do redirect automatically to the homepage if the user is already logged in and hits the login page; however, in this case the tab was already open before the user attempted login.

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;

@RequestMapping("/login")
public String login() {
    // Send an already-authenticated (non-anonymous) user to the home page
    // instead of showing the login form again.
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null && !(auth instanceof AnonymousAuthenticationToken)) {
        return "redirect:userHome";
    }
    return "login";
}

Spring Security XML

<http auto-config='true' use-expressions="true">
    <intercept-url pattern="/*" access="permitAll" />
    <access-denied-handler error-page="/login"/>
    <form-login login-page="/login"
        authentication-failure-handler-ref="customAuthFailureHandler"
        username-parameter="username" password-parameter="password"
        authentication-success-forward-url="/userHomeX" />
    <csrf />
    <logout logout-success-url="/logout" />
</http>

<authentication-manager>
    <authentication-provider>
        <password-encoder ref="encoder" />
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="SELECT USERNAME, RTRIM(PASSWORD) AS PASSWORD, CASE WHEN ENABLED=1 AND ADMIN_LOCK = 0 THEN 1 ELSE 0 END AS ENABLED FROM JWBDATABASE.JWBSCHEMA.USERS WHERE USERNAME=?"
            authorities-by-username-query="SELECT USERNAME,USER_ROLE AS ROLE FROM JWBDATABASE.JWBSCHEMA.USERS WHERE USERNAME=?" />
    </authentication-provider>
</authentication-manager>

<beans:bean id="encoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="11" />
</beans:bean>

<beans:bean id="customAuthFailureHandler"
    class="com.vj.authenticationManager.CustomAuthFailureHandler">
</beans:bean>

Why is it not a duplicate? The question is not about allowing multiple logins in different tabs but about somehow forcing a single login for all tabs. If someone logs in through an already open login page with a different user id, either the old one should be forcibly logged out or an error should be thrown on the new login with some message.

  • Open tab1 and open the login page. Do not login. Open tab2 and open the login page. Do not login. Now in TAB1 login with user1. Remember tab2 still shows login page because it's not refreshed yet. Now in tab2 login with another account. –  Aug 07 '18 at 18:42
  • *Now user is redirected to homepage of USER1.* Why is user2 redirected to homepage of user1? Where is it implemented? – dur Aug 07 '18 at 19:03
  • That's where I need help. When I debug the code, auth gives me principal name as USER1 instead of USER2 –  Aug 07 '18 at 19:05
  • I don't think that's the problem. It's just a name, homepage will be same for all users where details will be fetched based on their ID. I want either Spring to log out user1 or throw some error. Do I need to create a custom login handler for this? –  Aug 07 '18 at 19:44
  • Are you sure, that user2 is not logged in? Maybe it is only a caching problem? – dur Aug 07 '18 at 19:45
  • You're going to have a session cookie that will load the auth from a JSESSION ID. See this answer. https://stackoverflow.com/questions/6128134/can-i-manage-multiple-browser-tabs-with-spring-security – Darren Forsythe Aug 07 '18 at 19:46
  • Possible duplicate of [Can I manage multiple browser tabs with Spring Security?](https://stackoverflow.com/questions/6128134/can-i-manage-multiple-browser-tabs-with-spring-security) – Darren Forsythe Aug 07 '18 at 19:46
  • @DarrenForsythe That is not the problem, because both tabs should use the same session and the session should change after relogin with user2. Hence both tabs should show user2's content (after reload). – dur Aug 07 '18 at 19:48
  • Why would the session change? It's the same browser session. You need to force a logout before attempting to re-authorise, otherwise the JSESSIONID from the cookie will load the user1 auth. You may want to research invalidating a spring security session. – Darren Forsythe Aug 07 '18 at 19:50
  • @uSeruSher: *I want either Spring to log out user1 or throw some error.* You could only allow anonymous users to see the login page, but if you already have the login page open, there is no way, see https://stackoverflow.com/questions/33283213/deny-log-in-with-already-authenticated-session – dur Aug 07 '18 at 19:52
  • @DarrenForsythe It's called session fixation protection. However, if the session id isn't changed, the session on backend will contain user2 not user1, because Spring Security will change the authentication in the session. – dur Aug 07 '18 at 19:54
  • @dur this is not happening for sure, because I am pulling information based on auth.getName and it's pulling user1's info not USER2. I will try a custom login success handler and debug there. I will also try keeping a session variable with logged-in user name and check if there is mismatch between auth name and the value from the session then force logout with custom error. Not sure if this is the right path to follow but I will give it a try –  Aug 07 '18 at 20:09
  • @uSeruSher Are you trying to reload your homepage? You are not redirecting the user, you are forwarding, hence the request doesn't go through all filters again. You could also try to use redirect instead of forwarding. – dur Aug 07 '18 at 20:22
  • @dur Sure thing, I will try that as well and update here if that works –  Aug 07 '18 at 20:23
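As an added example that is not from the question or its comments, this is one way to implement the "force the old user out before the new login" policy that the question asks for and that the comment from Darren Forsythe suggests: a servlet filter placed immediately before Spring Security's form-login filter, so a second account can never be authenticated on top of the first user's session state. The class name, bean id and filter registration are assumptions; the /login path and the username parameter are taken from the question's XML.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Guard filter (hypothetical name) that runs just before the form-login filter.
// Registered in the Spring Security XML, assuming a bean with id "reloginGuard":
//   <custom-filter ref="reloginGuard" before="FORM_LOGIN_FILTER" />
public class ReloginGuardFilter extends OncePerRequestFilter {

    // Must match login-page and username-parameter in the <form-login> element.
    private static final AntPathRequestMatcher LOGIN_POST =
            new AntPathRequestMatcher("/login", "POST");
    private static final String USERNAME_PARAM = "username";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (LOGIN_POST.matches(request)) {
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            String submitted = request.getParameter(USERNAME_PARAM);
            boolean alreadyLoggedIn = current != null
                    && current.isAuthenticated()
                    && !(current instanceof AnonymousAuthenticationToken);
            if (alreadyLoggedIn && submitted != null && !submitted.equals(current.getName())) {
                // A different account is logging in on a session that still belongs to the
                // first user: end that session so none of its attributes or its
                // SecurityContext survive into the new login. The other policy the question
                // mentions, rejecting the attempt, would be a redirect to /login?error here.
                HttpSession session = request.getSession(false);
                if (session != null) {
                    session.invalidate();
                }
                SecurityContextHolder.clearContext();
            }
        }
        chain.doFilter(request, response);
    }
}
```

Because the CSRF filter runs earlier in the chain than FORM_LOGIN_FILTER, the token of the login POST has already been checked when this filter invalidates the session, and the form-login filter then creates a fresh session for the new user.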
