Only one User using entire web application at a time - Spring boot

Question

In spring boot application only one user should be using the certain page at a time (let's call it home.jsp). Another users should be redirected to different page(let's call it another_home.jsp) if they appear when accessing that same url. User doesn't login and just uses the application as it is. Any policy can be used for home.jsp could be first-come-first-serve or any other.

If more than one users are using application at a time only one user should be using home.html and all rest of the others should be using another_home.jsp.

As no login is needed in the application I believe I need anonymous sessions. Also, session needs to be expired after some time of inactivity. I've searched spring security but couldn't find anything.

How do you want to figure out, the first user is still on the page? When should the application be available for the next one? — Arne Burmeister, Oct 22 '20 at 16:33
Spring security maintains information about anonymous sessions. May be that type of mechanism either already available in some library or reproducible in my context with some tweaks in configurations. — It's K, Oct 23 '20 at 06:59

Gregor Riegler · Answer 1 · 2020-10-25T19:00:42.707

You need to create a serverside state that is either empty or stores the identifier of the visitor that is currently claiming /home.jsp. This could be a field on a singleton Bean, or an entity in the database. It has to expire automatically, or it will prevent new visitors forever to make a claim. As long as the state is empty, the first visitors identifier will be stored in this state. And from that moment on, you will redirect all other visitors to another_home.jsp

So the Controllers Code would be something like this

if(visitorHoldsTheClaim()) {
  return "home.jsp"
} else if (noClaimActive()) {
  createClaimForVisitor();
  return "home.jsp"
} else {
  return "redirect:/another_home.jsp"
}

Depending on your implementation, these methods will do different things.

I'd usually recommend against serverside session state (more about this in Roy Fieldings Dissertation), but for your use case, you need a way to identify a visitor over many requests. A session would certainly be a very simple way to achieve this. You can at least minimize session usage by only creating one session at a time - the one for the visitor that holds the claim. In this case you'd never have more than one open session, and the visitor that owns the session is the visitor that holds the claim.

So in this case, the implementation would be be something like this:

if(currentUserHasASession()) { // checks if the current user has a session, but !!!does not create a new session if it does not exist!!! careful, HttpServletRequest.getSession(true) would create it!
  return "home.jsp"
} else if (serverHasNoSessions()) { // https://stackoverflow.com/questions/49539076/how-can-i-get-a-list-of-all-sessions-in-spring
  createSessionForUser(); // HttpServletRequest.getSession(true)
  return "home.jsp"
} else {
  return "redirect:/another_home.jsp"
}

Keep in mind that this only works if you do not create Sessions in another place. So you have to configure Spring Boot/Spring Security to not create Sessions. How to make spring boot never issue session cookie?

Also keep concurrency in mind. For example, if you had only one server instance, you could put this code into a synchronized method to avoid two visitors creating a claim at the same time.

Sorry, but the link you've provided is not much of use. `synchronized` is a solution but it will make application really slow and also not what I'm trying to do. — It's K, Oct 27 '20 at 11:56

score 2 · Accepted Answer · answered Oct 27 '20 at 20:12

I think that you don't even need spring security. Simple http session will work too. As far as I can see you just want to allocate the stream to one user and for that you need first user's session id which you can compare against whenever the requests come again. So store session id and expire after some timeout with some Time object or Date object.

In properties

server.servlet.session.timeout = 600   // 10 minutes

Something like this

private String currSessionId = null;
private Date lastDate = new Date();
private Integer TIMEOUT = 600000;    // 10 minutes

public String loadHomePage(Model model) {
    if(currSessionId!=null && new Date().getTime()- lastDate.getTime()>TIMEOUT){
        currSessionId = null;
    }
    if(currSessionId==null){
        currSessionId = session.getId();
        lastDate = new Date();
        return "home";
    }else{
        if(session.getId().equals(currSessionId)){
            return "home";
        }else{
            return "another_home";
        }
    }
}

This is as simple as it gets when you don't have logged in users to manage and also don't need to remember previous state where user left off. Let me know if it helps.

Looks super simple. Let me give it a try. – It's K Oct 27 '20 at 20:14 — It's K, Oct 27 '20 at 20:14

score 0 · Answer 3 · answered Oct 26 '20 at 12:53

So... first of all, this sounds like a bad idea. I would be curious why you would need such an unusual behavior. There might be more sensible approaches for it.

Like Gregor said, the redirect code part is rather straightforward:

if(pageLock.getUser() == null) {
  pageLock.setUser(user);
} 
if(user.equals(pageLock.getUser())) {
  return "home.jsp"
} else {
  return "redirect:/another_home.jsp"
}

What is actually more tricky is the part when "expiring" the lock. It's likely the user will simply close the browser and not click on "logout" (or whatever), leaving the lock forever. On the other extreme, the user might be gone for a lunch break but its browser still has the page open for hours.

So that's the first thing you wanna add: some keep-alive mechanism on the page, regularly prolonging the lock, and some expiration checker, releasing the lock if nothing was received for a while.

...but like I said in the beginning, the whole thing sounds fishy.

The API I'm using allows only one streaming connection at a time. So I cannot avail stream to more than one user. So basically I'm trying to do is serve first user when streaming is available and release when user leaves or some timeout(maybe 15 minutes). I do think that keep-alive mechanism is a good idea. Let me try spring security session link provided by @Gregor Riegler — It's K, Oct 26 '20 at 19:45
I'm streaming data on `home.jsp` so when the stream is open it should not release the resource even if no other actions are fired. The keep-alive mechanism is way to go but I don't invest much of time in building the mechanism from scratch as it is not the priority. So do you know any library for the basic implementation of what you've suggested? — It's K, Oct 27 '20 at 12:06

Only one User using entire web application at a time - Spring boot

3 Answers3