MAF Non-Concurrent User Sessions (terminate existing sessions)
Hi,

This is a question regarding a requirement to restrict user/password authenticated MAF users to a single session to prevent credential sharing. There was a previous post ([http://techoverflow.int.westgroup.com/questions/1679/limit-maf-concurrent-sessions][1]) that answered a question regarding the ability to set the login limit in SAP/PRISM, ref: [http://nsawiki.int.westgroup.com/wiki/index.php5/Prism_Security_Admin_Login_Limits/Meter_Terminator_Service][2] and [http://nsawiki.int.westgroup.com/wiki/index.php5/PrismSec_Online_Service#Login_Limits][3]. However, this provides the opposite functionality to what Westlaw India have clarified that they want to achieve. Westlaw India want to allow a user to be able to log in and have any existing sessions **terminated**. Those existing sessions could be sessions that are idle (due to browser close without logout) or those that are in use in another browser instance or on another device.

From a Spring perspective, the two variants are captured in section 11.3 of [http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html][4]:

> 11.3 Concurrency Control
>
> Spring Security is able to prevent a principal from concurrently authenticating to the same application more than a specified number of times. Many ISVs take advantage of this to enforce licensing, whilst network administrators like this feature because it helps prevent people from sharing login names. You can, for example, stop user "Batman" from logging onto the web application from two different sessions. You can either expire their previous login or you can report an error when they try to log in again, preventing the second login. Note that if you are using the second approach, a user who has not explicitly logged out (but who has just closed their browser, for example) will not be able to log in again until their original session expires.

The desired option for Westlaw India is "expire their previous login".

There are limitations, of course, with the Spring implementation. It's in memory so only supports a single node - not a cluster - I believe that we would need to write an implementation of org.springframework.security.concurrent.SessionRegistry to try to overcome that, example ref: [http://chaabuwa.blogspot.co.uk/2009/03/concurrent-login-handling-in-clustered.html][5]. A filter would be added to the filter chain to check session validity (data in PRISM?) on each request.

My question is, could we integrate this pattern into MAF? I guess we need to consider things like:

- the fact that in Prod there are many instances - is there anything that could be done at the "front door" (i.e. BigIP)?
- it would probably be nice to use the SAP/PRISM login limit setting as the value for the number of permitted concurrent sessions - although the logic to handle this setting in PRISM probably contradicts what we are trying to achieve here.
- others?

Many thanks for taking the time to read this - does anyone have any guidance / suggestions?

Dave

[1]: http://techoverflow.int.westgroup.com/questions/1679/limit-maf-concurrent-sessions
[2]: http://nsawiki.int.westgroup.com/wiki/index.php5/Prism_Security_Admin_Login_Limits/Meter_Terminator_Service
[3]: http://nsawiki.int.westgroup.com/wiki/index.php5/PrismSec_Online_Service#Login_Limits
[4]: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html
[5]: http://chaabuwa.blogspot.co.uk/2009/03/concurrent-login-handling-in-clustered.html
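The two Spring concurrency-control variants quoted above (expire the previous login, or reject the new one) and the per-request filter check, modelled against a single registry that every node would share. This is an added illustration, not MAF, Spring or PRISM code; the in-process dict stands in for whatever shared store a clustered SessionRegistry would use, and all names are assumptions.

```python
"""Constructed model of Spring Security's two concurrency-control variants over
one shared (cluster-wide) registry plus a per-request filter check; not MAF code."""
from dataclasses import dataclass, field

EXPIRE_PREVIOUS = "expire_previous"   # the behaviour Westlaw India wants
REJECT_NEW = "reject_new"             # Spring's error-if-maximum-exceeded

class LoginRejected(Exception):
    """REJECT_NEW policy: the principal is already at its session limit."""

@dataclass
class Session:
    principal: str
    session_id: str
    last_seen: int          # logical clock tick of the last request

@dataclass
class SharedSessionRegistry:
    """Consulted by every node, so a login on node A can end a session on node B."""
    max_sessions: int = 1
    policy: str = EXPIRE_PREVIOUS
    sessions: dict = field(default_factory=dict)   # session_id -> Session
    clock: int = 0                                 # logical clock, not wall time

    def active_for(self, principal):
        return [s for s in self.sessions.values() if s.principal == principal]

    def login(self, principal, session_id):
        active = self.active_for(principal)
        if len(active) >= self.max_sessions:
            if self.policy == REJECT_NEW:
                raise LoginRejected(principal)
            surplus = len(active) - self.max_sessions + 1   # LRU sessions to terminate
            for old in sorted(active, key=lambda s: s.last_seen)[:surplus]:
                del self.sessions[old.session_id]
        self.clock += 1
        self.sessions[session_id] = Session(principal, session_id, self.clock)

    def logout(self, session_id):
        """Explicit logout; a browser that is simply closed never calls this."""
        self.sessions.pop(session_id, None)

    def check_request(self, session_id):
        """Filter check on every request: a terminated session is refused."""
        s = self.sessions.get(session_id)
        if s is None:
            return False
        self.clock += 1
        s.last_seen = self.clock
        return True
```

Under REJECT_NEW a session that was never logged out keeps blocking the principal until something removes it, which is the closed-browser problem the quoted Spring note describes; under EXPIRE_PREVIOUS the new login simply displaces it.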
2 Answers

-
Terminating any existing session will not be something easy to do due to our deployment strategy. Session management is not done centrally. Each Tomcat instance manages its own sessions, and BigIP redirects each request with an active sessionId to the specific Tomcat instance. We would need to find where other sessions might have been started and terminate them. I'm not sure if this is really possible. Including Spring Security into MAF is not easy either. Spring needs to start having control of the session management, which requires several changes; we tried to do this in the past, but it was discarded due to the complexity. We still have Struts in MAF, and that plays a big role in this, which makes the use of Spring Security harder. We might investigate further, but it seems to be a big thing.
-
What you are asking would require a centralized session management approach. This would be a significant and complex development effort.