I have a potential issue which came to mind when using stateless auth. Assume you have a user who is logged in on a foreign device and the session expires in 12 hours. But the user uses the app on his device, so the session gets extended every time.
The user leaves the company; then you need to log him out! How?
My first thought is to check on each (page) request if the user is allowed/blocked/blacklisted or whatever and log him out programmatically if needed.
My MainLayout extends BeforeEnterObserver; in its beforeEnter I could check this.
My first thought would end up in a SQL query, but I could also initialize a map or anything like that which is globally usable to hold users which need to be forced to be logged out.
Currently it's not a problem, but in the future maybe it could be. So I would like to have a solution before the issue occurs ;D
I did not go into details, but I think a servlet filter could be a better option.
Just thinking out loud, in an application with Vaadin configured stateless authentication, you might create a filter that uses SecurityContextHolderStrategy to get the current Authentication through the SecurityContext.
If the authentication object is JwtAuthenticationToken, check if the related user is valid; if not, nullify the authentication and/or remove the JWT-related cookies.
The filter should be installed after SecurityContextHolderFilter and SecurityContextPersistenceFilter.
Another option could be to configure logout (HttpSecurity.logout(...)) improving the request matcher to also perform the above check.
Note that I did not test any of these options, so they are not guaranteed to work.
But once the user is logged in and uses the app over and over again, so he never gets logged out, the auth object remains “valid” because the JWT gets extended every time he navigates in the app etc.
So maybe not a good real-world example. Maybe this is a better (but senseless :D) example, but it should explain the main issue:
The user pays for 10 hours of app usage. The JWT token is valid for 10h, but every time he clicks around in the app, the token gets extended.
So there must be a way to log the user out at a specific time or force a re-login.
The JWT gets extended as one of the last steps in the security filter chain. The custom filter (or the Spring logout filter) is executed earlier and should basically “revoke” the token by nullifying the Authentication and expiring the cookie.
Or maybe I completely misunderstood your question, and you just want to prevent the JWT expiration from getting extended.
In this case, if using the Vaadin stateless authentication configuration, it is unfortunately not configurable. But you can again have a custom filter that mimics UpdateJwtCookiesFilter and put it before it; it should read the expiration from the JWT before executing the rest of the chain and restore the original value after the chain has been executed.
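The revocation filter sketched in the two replies above, written out as an added example that is not code from this thread or from Vaadin itself. It assumes Spring Boot 3 (jakarta.servlet) with Vaadin stateless authentication; the cookie names, the in-memory revocation set and the class name `RevokedUserFilter` are placeholders to adapt to your setup.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Revokes a still-valid JWT for users that must be forced out (e.g. they left
 * the company). Register it after the context filters, for example:
 *   http.addFilterAfter(revokedUserFilter, SecurityContextHolderFilter.class);
 */
public class RevokedUserFilter extends OncePerRequestFilter {

    // Assumed cookie names; check the ones your Vaadin version actually sets.
    private static final String[] JWT_COOKIES = { "jwt.headerAndPayload", "jwt.signature" };

    private final SecurityContextHolderStrategy strategy = SecurityContextHolder.getContextHolderStrategy();
    // Placeholder revocation list; back it with a database or cache in a real deployment.
    private final Set<String> revokedUsers = ConcurrentHashMap.newKeySet();

    public void revoke(String username) { revokedUsers.add(username); }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        SecurityContext context = strategy.getContext();
        Authentication auth = context.getAuthentication();
        if (auth instanceof JwtAuthenticationToken jwtAuth && revokedUsers.contains(jwtAuth.getName())) {
            // Nullify the Authentication so the rest of the chain treats the request as anonymous ...
            context.setAuthentication(null);
            strategy.clearContext();
            // ... and expire the JWT cookies so the browser stops presenting the token.
            for (String name : JWT_COOKIES) {
                Cookie expired = new Cookie(name, "");
                expired.setMaxAge(0);      // max-age 0 instructs the browser to delete the cookie
                expired.setPath("/");
                expired.setHttpOnly(true);
                response.addCookie(expired);
            }
        }
        chain.doFilter(request, response);
    }
}
```

Because the filter runs before the cookie-refreshing step, the cleared Authentication is what the later filters see, so the token is not extended again for a revoked user.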
[quote=“Marco Collovati, post:4, topic:178308, username:marcoc_753”]
The JWT gets extended as one of the last steps in the security filter chain.
[/quote]
Ahh okay, understood.
I think it looks the same as using the beforeEnterListener, right?
Actually, no. Working at the filter level is different from servlet execution.
For example, if you try to update the JWT cookie expiration in the beforeEnterListener, it will get overridden by the UpdateJwtCookiesFilter anyway.