Closed luckyhughes closed 9 years ago
Please suggest to me, Sir, how to log out.
Please suggest how to log out using a REST call.
Hi Phil, I checked your code and there's no way to validate the token (except the expiry time). So I have a scenario as follows:
I have 2 users, both are admins and they both logged in to the system, all works well. Let's suppose Admin1 deletes the DB entry for Admin2 (but Admin2 still has the valid token). But the problem is that Admin2 can still use the system APIs without any issue, irrespective of the fact that there is now no such user in the DB. So please help with the issue.
One potential solution can be: on validating the token we check the DB entry too, corresponding to that user. But this leads to a DB query hit. To mitigate the DB hit issue, we have to use caching so that the existence of the user can be verified directly from the cache. Of course, we have to evict the user (Admin2) from the cache when there is a delete operation.
Please share your views/thoughts, so that we can build it a bit better.
Thanks, Nick
Hi all,
right, currently there is no way to invalidate the token. Still it will become invalid if you change the password or delete the user to which the token belongs. (The doFilter() method in the AuthenticationTokenProcessingFilter calls the User Service and loads the user from the DB, then in TokenUtils.validateToken() it will check if the signature matches, which also includes the password.)
If you really want to have the ability to invalidate the token, you will need to implement some Token Storage. This could be a simple database table which stores some random string (the token), the User it belongs to and an expiry. On first successful authentication the random string is generated and inserted into the table. When you validate the token on subsequent REST requests you can simply look up the token in the table, check the expiry and insert the corresponding User into the Security Context. To invalidate a token you can simply delete the corresponding row. However, you will need to invalidate all table rows belonging to the User "by hand" whenever the user changes the password in order to invalidate all of its tokens, and you should implement some cleanup method that runs from time to time and removes all expired tokens from the table so as not to let it grow too large.
Hope that helps, regards,
Philip
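An added example, not code from the angular-rest-springsecurity project, of the token storage Philip describes above; it also covers Nick's user-deletion scenario through invalidateAllFor(). The class and method names (TokenStore, Row, issue, validate, invalidate, invalidateAllFor, purgeExpired) are hypothetical, and a ConcurrentHashMap stands in for the database table.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical in-memory stand-in for the token table: token -> (user, expiry). */
public class TokenStore {
    private record Row(String username, Instant expiry) {}
    private final Map<String, Row> rows = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Clock clock;
    public TokenStore(Clock clock) { this.clock = clock; }

    /** After a successful login: generate an unguessable random token and insert the row. */
    public String issue(String username, Duration ttl) {
        byte[] raw = new byte[32];                     // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        rows.put(token, new Row(username, Instant.now(clock).plus(ttl)));
        return token;
    }
    /** On each REST request: look the token up; unknown or expired tokens are rejected. */
    public Optional<String> validate(String token) {
        Row r = rows.get(token);
        if (r == null || !Instant.now(clock).isBefore(r.expiry())) {
            rows.remove(token);                        // drop an expired row eagerly
            return Optional.empty();
        }
        return Optional.of(r.username());
    }
    /** Logout endpoint: delete the single row; true if it existed. */
    public boolean invalidate(String token) { return rows.remove(token) != null; }
    /** Password change or user deletion: invalidate all of that user's tokens "by hand". */
    public int invalidateAllFor(String username) {
        int before = rows.size();
        rows.values().removeIf(r -> r.username().equals(username));
        return before - rows.size();
    }
    /** Scheduled cleanup: remove expired rows so the table does not grow without bound. */
    public int purgeExpired() {
        Instant now = Instant.now(clock);
        int before = rows.size();
        rows.values().removeIf(r -> !now.isBefore(r.expiry()));
        return before - rows.size();
    }
}
```

The filter would call validate() per request and put the returned user into the SecurityContext; the logout endpoint calls invalidate(), the user-delete and password-change handlers call invalidateAllFor(), and purgeExpired() runs on a schedule.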
Yes, you're right, thanks for giving the reply. I already built this by capturing the User in the cache (if the cache is null it is fetched from the DB).
Thanks, Nikhil
Hi Phil,
I went through this project and found it very useful for securing a REST API. Thanks for sharing and putting it together. Could you please guide me on how to write an invalidate REST endpoint for logging out the session?
--Sandeep