6 Replies. Latest reply: Apr 8, 2013 9:45 PM by marlis

    Limit user session in ADF security

    marlis
      I want a single user to work in the web application with only a single session at any time. How can I limit user sessions?
        • 1. Re: Limit user session in ADF security
          prateekazam
          Hi,

          You have to store user log-in and log-out related information in a database table, like user name/id, session id, and whether the user is active or not.
          So before logging any user into the application, check this user's active flag. If it is true, it means the user is currently accessing the application, so deny the user; if it is false, allow the user to access the application.

          This is one approach, which we used in our last application. However, there may be different approaches for the same use case.

          But one baseline is common: you need to maintain user log-in and log-out information.

          Thanks,
          Prateek
          • 2. Re: Limit user session in ADF security
            Timo Hahn
            Prateek's approach is the way to go. You must have some kind of fallback to reset the user login info, as otherwise you get calls from your users who can't log in because they are already logged in from the system's point of view, but really aren't because they simply closed the browser and did not explicitly use the logout.

            Timo
            • 3. Re: Limit user session in ADF security
              marlis
              Thanks for your responses.
              I have some questions.

              prateekazam
              1. How can I override the ADF security (based on JAAS) credentials checking mechanism j_security_check?
              2. How can I store users' log-in and log-out information in the database? Which classes and which methods must be overridden? Can you show a code sample of your realisation, please?

              Timo Hahn
              How can I check if the user closed the browser?
              • 4. Re: Limit user session in ADF security
                Timo Hahn
                You can't check, as the application doesn't get an event in this case. That is the reason I noted it in the thread!
                You have to implement some kind of fallback, like a special workflow which can delete the confusing information from the DB (e.g. make the user as if he has not logged in).

                Timo
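The login check from reply 1 together with the fallback from replies 2 and 4, as an added example that is not code from any poster in this thread: an in-memory map stands in for the database table, and a row whose session has been idle longer than a timeout is treated as abandoned. The class name, method names, user name and the 30-minute timeout are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;

// Added example: in-memory stand-in for the "user / session id / active" table.
public class SingleSessionRegistry {
    // One row per user: which session holds the login and when it was last seen.
    private record Entry(String sessionId, Instant lastSeen) {}

    private final ConcurrentHashMap<String, Entry> active = new ConcurrentHashMap<>();
    private final Duration idleTimeout; // assumption: same as the web session timeout

    public SingleSessionRegistry(Duration idleTimeout) { this.idleTimeout = idleTimeout; }

    // Atomic check-and-claim, so two simultaneous logins cannot both succeed.
    public boolean tryLogin(String user, String sessionId, Instant now) {
        Entry result = active.compute(user, (u, cur) -> {
            boolean stale = cur != null && cur.lastSeen().plus(idleTimeout).isBefore(now);
            if (cur == null || stale || cur.sessionId().equals(sessionId)) {
                return new Entry(sessionId, now); // free, abandoned, or same session
            }
            return cur; // another live session holds the login: keep it
        });
        return result.sessionId().equals(sessionId);
    }

    // Call on every authenticated request; keeps a live session from going stale.
    public boolean touch(String user, String sessionId, Instant now) {
        Entry e = active.computeIfPresent(user, (u, cur) ->
                cur.sessionId().equals(sessionId) ? new Entry(sessionId, now) : cur);
        return e != null && e.sessionId().equals(sessionId);
    }

    // Explicit logout: only the session that owns the row may clear it.
    public void logout(String user, String sessionId) {
        active.computeIfPresent(user, (u, cur) -> cur.sessionId().equals(sessionId) ? null : cur);
    }

    public static void main(String[] args) {
        SingleSessionRegistry reg = new SingleSessionRegistry(Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2013-04-08T09:00:00Z"); // constructed sample times
        System.out.println(reg.tryLogin("alice", "S1", t0));                   // first login
        System.out.println(reg.tryLogin("alice", "S2", t0.plusSeconds(600)));  // S1 still live
        // S1's browser was closed without logout; 31 minutes later its row is stale.
        System.out.println(reg.tryLogin("alice", "S2", t0.plusSeconds(1860)));
        System.out.println(reg.touch("alice", "S1", t0.plusSeconds(1900)));    // S1 lost the login
    }
}
```

In a database-backed version the check-and-claim has to stay atomic as well, for example a single conditional UPDATE or a unique constraint on the user name.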
                • 5. Re: Limit user session in ADF security
                  Frank Nimphius-Oracle
                  Hi,

                  "1. How can I override ADF security (based on JAAS) credentials checking mechanism j_security_check?"

                  Why do you want to override this?

                  "2. How can I store users log-in log-out information in database? Which classes and which methods must be overridden? Can you show code sample of your realisation, please?"

                  Authentication is not handled by ADF but by WebLogic Server. If you want to track database login information, you will need to write a custom JAAS Login Module and configure it as an authentication provider in WLS.

                  "How can I check if user closed browser?"

                  I would use a temporary cookie with no lifetime. This way, when the browser is closed, the cookie is unavailable, indicating that the user is good to log in again. However, this then allows users to start 2 sessions using different browsers (again, something you would need to check).

                  Frank
                  • 6. Re: Limit user session in ADF security
                    marlis
                    1. I need to check whether the user is already logged in or not before j_security_check.

                    2. I am using ADF security based on JAAS. Authentication is based on a database credentials table, and the WLS SQL auth provider is configured, too. I meant to store users' log-in and log-out information.

                    3. How can I check cookie info on the server side?