I am using 'plugins.spring-security-core' wondering is there any easy way to limit # of session from a given user to just 1. I tried 'HttpSessionBindingListener' but in the current plugin implementation looks like it just binds the user 'id' and not the full user session as such the appropriate events are not getting called.
I am wondering if any one has come across solution to the above problem.
Thanks in advance
-Amitabh
here is a good example
http://blog.block-consult.com/2012/01/restricting-concurrent-user-sessions-in-grails-2-using-spring-security-core-plugin/
/jörg
Related
I've implemented the code from http://satalketo.com/2013/09/mvc-two-factor-authentication/
Two Factor Authentication in ASP.NET MVC
when user register he gets a Secret Key and shown a QRcode he can scan to Google Authenticator,
all works fine and well, accept when the user tries to Log In the system the key always different from the one he enters. function GeneratePin at server side generate different key from that he gets in the Google Authenticator mobile app. I have no idea whats wrong, tried to think maybe time zone isn't correct ,my time zone is Jerusalem UTC + 2
I've looked through my code a fair bit and I can't see any reason why this should be an issue. The only reason that I can come up with is that one of the two devices is more than 30 seconds out of sync with UTC.
I have updated the source code to include checking against the 30 second periods either side of the current one to try and deal with any situations like that.
You can find the updated code on GitHub, which would be the best place to download the entire solution. My article Two Factor Authentication in ASP.NET MVC has been updated to include the code for checking the period either side.
If this doesn't help please let me know with any additional information you can think of.
I need a UI to manage all app sessions. How could I retrive data from foreign sessions? Im interested in getting data set bysetState` function during other users login.
I'm using CDbHttpSession for storing sessions in DB
So, i found answer, but it isnt good in my opinion. But maybe it will be helpfull for others. Yii stores data in session table using php built in session serialization method (it isnt regular serialize function). And only way that i found to work with it is suggested on the php session_decode manual page in the comments.
I'm looking for the way to restrict users access by time in my grails application. I mean that users will be able to use (not only login) application only in allowed timeframes defined by days of week and start & end hours.
Could anyone advise the best way of doing this?
I'm thinking about adding some set of tables to my domain model which will contain time access rules. This rules will be applied to roles and users. Users rules will override roles rules.
As I understand, I need to implement some Authorization (not Authentication) Filter, which will do the check of time restrictions.
Am I one the right way? If so, then could anyone provide some usefull links for this task?
Aha, I already answered this on the mailinglist.
What I wrote:
Possible solution (two-fold):
For login:
Custom UserDetails class that throws appropiate exception if outside
timeslot (not sure if it is the most semantically correct place to do
it, but it's easy there).
For people already logged in:
Quartz job that run at the boundaries (like 2pm if thats when a slot
ends) that run through active sessions and invalidate them.
You can keep a list of active sessions in various ways, one (one and a
half really, not sure if you can use Burt's plugin in a programmatic
way) are covered here:
In grails, how do I get a reference to all current sessions?
I see now that the AccessDecisionVoter is a better solution than the custom userdetails, but the answer still remains for the same for the already logged in people.
I am actually feeling a bit dumb for asking this but I tried for half a day now and can't find a way to get information on the currently logged in user in my controllers as well as my views.
I tried several suggestions I found on the web like "authenticateService" etc.
Now, it is possible that I have a misconception about the basics of Grails there. I come from other frameworks where a task like this is a matter of {{ request.user }} and I am done with it.
My exact need is to be able to access the ID of the currently logged in user in order to serve a custom navigation.
Thx in advance for your help.
def user = springSecurityService.currentUser
always good to try the docs:
http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/index.html
In gsps, there is a specific tag, which we use like
<sec:loggedInUserInfo field='firstName'/>
again, its in the docs posted above.
Nowadays, I think the way to do it is:
def user = getAuthenticatedUser()
There is one IP (from China) which is trying to download my entire website. It downloads all my pages and loads the server significantly (I have more than 500 000 pages). Looking at the access logs I can tell it's definitely not a Google bot or any other search engine bot.
Temporarily I've banned it (using iptables rules), but it's not a solution for me, because some of my real users also have the same IP, so they are also banned and cannot acces the website.
Is there any way to prevent such kind of "user activity"? Maybe a mechanism which implements captcha if you try to request more than 5 requests a second or something?
P.S. I'm using Yii framework (PHP).
Any suggestions are greatly appreciated.
thank you!
You have answered your own question!
Make captcha appear if the request exceeds certain number per second or per minute!
You should use CCaptchaAction to implement, like this.
I guess the best way to monitor for suspicious user activity is really user session, CWebUser's getState()/setState(). Store current request time in user session, compare it to several previous values, show captcha if user makes requests too often.
Create new component, preload it via CWebApplication::$preload and check user activity in components init() function. This way you'll be able to turn bot check on and off easily.