
In my web app, I have two user systems: one is administrators, the other is users. I use multiple HttpSecurity to configure separate security filter chains for administrators and users. Firstly, when I log in to my web app as an administrator and as a user in a single browser at the same time, the latter login's UserInfo overwrites the former.

This is a big bug. When I tried to fix it, I learned about the Spring Security architecture and implementation: Spring Security uses the session to store the SecurityContext between requests. Thus, when I log in to my web app as an administrator and as a user in a single browser at the same time, the latter login's userInfo overwrites the former login's userInfo.

By overriding HttpSessionSecurityContextRepository, I created my own SecurityContextRepository: OneSessionMultiContextRepository. I can use it to decide which SecurityContext to take from the session, or which key to use when storing it in the session, based on the current servletPath.

This fixed the problem above; the two user systems can now log in to my web app without affecting each other. But there is a new problem: when I log out of one, the other is logged out too! I found that Spring Security invalidates the session on logout, which results in this problem.

If I want to fix this, I must disable SessionFixationProtectionStrategy and never invalidate the session on logout. I don't want to do this, because disabling SessionFixationProtectionStrategy and never invalidating the session on logout will reduce security.

How can I fix this problem? My purpose is to make it possible for administrators and users to log in to my web app in a single browser at the same time without affecting each other in any way.

I don't understand why Spring Security doesn't offer support for this situation; I think this situation is common.

I don't know which code I should put here, because it is all too long. If you need my code, tell me.

My English is not very good. Please forgive me.

wangyongjun
  • Why are you stressing yourself unnecessarily? There's so much security risk in what you are trying to achieve. Even browsers do not support that. You may read this: https://stackoverflow.com/questions/5413892/is-it-possible-to-maintain-different-sessions-users-in-different-window-tabs-u. By the way, does that even seem practical to you? That an admin and an ordinary user would be sharing the same browser on the same system concurrently in production. Hmmmm! – Perry Aug 20 '17 at 10:19
  • Thanks much for your timely reply. Appreciate it. – wangyongjun Aug 20 '17 at 14:46
  • I don't understand "There's so much security risk in what you are trying to achieve"; what does this mean? I have seen your link, and I didn't find a solution. I certainly need an admin and an ordinary user to be able to log in and use my web app without affecting each other in the same browser. – wangyongjun Aug 20 '17 at 14:54
  • Am I making myself clear? My purpose is to make my web app allow someone to log in to the admin system and the user system in one browser, and the admin system and the user system will not affect each other. Thanks very much again! – wangyongjun Aug 20 '17 at 15:00
  • If I give up SessionFixationProtectionStrategy and don't invalidate the session on logout, by using OneSessionMultiContextRepository I can solve this problem. But I don't want to sacrifice safety. Can someone help me? – wangyongjun Aug 21 '17 at 01:52
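
The question describes a SecurityContextRepository that picks a session key by servlet path but does not show it. The class below is an added illustration of that idea, written for this page and not the asker's own code. It delegates to two stock HttpSessionSecurityContextRepository instances, each configured with its own session attribute name, so the admin and user filter chains read and write different attributes of the same HttpSession. The `/admin` path prefix and the two attribute names are assumptions chosen for the example.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

/**
 * Added example: one HTTP session holding two independently keyed
 * SecurityContexts, selected by the request's servlet path.
 * The path prefix and attribute names below are assumptions for the example.
 */
public class OneSessionMultiContextRepository implements SecurityContextRepository {

    // Assumed: everything under /admin belongs to the administrator filter chain.
    private static final String ADMIN_PREFIX = "/admin";

    // Two stock repositories; each stores its context under a distinct session attribute,
    // so a login on one chain cannot overwrite the context of the other.
    private final HttpSessionSecurityContextRepository adminRepo =
            new HttpSessionSecurityContextRepository();
    private final HttpSessionSecurityContextRepository userRepo =
            new HttpSessionSecurityContextRepository();

    public OneSessionMultiContextRepository() {
        // Assumed attribute names; the default for both would be "SPRING_SECURITY_CONTEXT".
        adminRepo.setSpringSecurityContextKey("SPRING_SECURITY_CONTEXT_ADMIN");
        userRepo.setSpringSecurityContextKey("SPRING_SECURITY_CONTEXT_USER");
    }

    // Route the request to the repository that owns its part of the application.
    private SecurityContextRepository select(HttpServletRequest request) {
        String path = request.getServletPath();
        return path != null && path.startsWith(ADMIN_PREFIX) ? adminRepo : userRepo;
    }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        // The delegate wraps the response so the context is saved when the response commits.
        return select(holder.getRequest()).loadContext(holder);
    }

    @Override
    public void saveContext(SecurityContext context,
                            HttpServletRequest request,
                            HttpServletResponse response) {
        select(request).saveContext(context, request, response);
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        return select(request).containsContext(request);
    }
}
```

Each HttpSecurity would register the same instance with `http.securityContext().securityContextRepository(new OneSessionMultiContextRepository())`. This separates the two contexts within one session, which is the first problem the question describes; it does not change the second: the standard logout handler still invalidates the whole HttpSession, so both attributes disappear together, exactly the behaviour the asker observed.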
