churrusco
Thanks Dario.
The MBean strategy works perfectly for us.
The reason why we want to kill the user session is not really related with having multiple sessions (I guess to solve this overwrite the newSession callback method in the adapter is more than enough) but with security. Our system has a built-in hard session expiry mechanism to prevent malicious session handling attacks.
Having the JMX possibility is enough for us. Btw, is the JMX server secured? Because if it stores the session as it seems I guess that you can obtain plenty of useful information from it.
Regards,
Martin
Dario Crivelli
Hi Martin
may you please clarify your security concerns?
We aim to guarantee security against external hosts. The JMX interface is exposed through some configurable ports, which can be hidden by the firewall and this should be enough.
However, at the moment, we don't protect the Server (and, in particular, its JMX interface) against its own Adapters. We consider the Server and all configured Adapters as "friends". In fact, they all lie in the same ClassLoader.
Dario
churrusco
Hi Dario.
The problem is not the adapter but an attacker from outside that box, even within the green zone. You can enable some firewall rules to protect you from external attackers but within your intranet probably your sysadmins will want to be able to use the JMX console wherever they are.
As far as I know, there is no authentication for the JMX RMI interface so anyone that is in the intranet can open a JMX console and kill other user's sessions. Correct me if I'm wrong as I haven't tried it so it is only speculation.
Anyways, not a big issue for as and I suppose it could be an improvement.
Dario Crivelli
Hi Martin,
Indeed, such a protection in the JMX access is lacking.
The extension is in our roadmap, but no time references have been set yet.
Dario
churrusco
Thanks Dario,
that's good to know.
Is there any reason why Lighstreamer is using its own JMX server implementation instead of using the JDK Platform MBean Server?
Martin
Alessandro Alinone
Hi Martin,
Lightstreamer Server uses Sun's MBean Server (in particular, Sun's JMX Reference Implementation and Sun's JMX Remote API). You can find the related JAR files under "\Lightstreamer\lib".
phan_lam
@Alessandro, Wrote:
There exist cases where you could decide to disconnect a user from Lightstreamer Server (for example if they log into a second session on a different Server and you don't want to support multiple push session for the same account;
Option 3) Handle the termination on the client side. Your clients will subscribe to some "service item" through which your Data Adapter will deliver termination notifications to the clients. When a client receives such message, it will terminate its Lightstreamer session, disconnecting from Lightstreamer Server.
This is our case: we want the server to disconnect all previous sessions of an user when he/she connects again (the same way as Yahoo Messenger does). And Option 3 sounds like a solution. Could you please explain a bit more details on how could I achieve this effect. Thank you.
Dario Crivelli
Note that the "termination on the client side" technique was suggested for a java-based client.
If your client were a web page, it might be easier for a malicious user to disable the mechanism.
The idea is that the Data Adapter should manage special items that allow each single client session to subscribe to its own item, so as to receive its own notifications from the Data Adapter. For instance, the item names might be of the general form "<sessionID>_status".
The client should only subscribe to a generic name like "session_status"; then, the Metadata Adapter, in getItems could generate the final name by leveraging session information.
The Data Adapter might manage a single field for all those items (let's call it "allowed") and value it as "Y" or "N", according to your constraints.
A client which found that the "allowed" field has a value of "N" should disconnect.
Consider that the forthcoming 3.6 release of the Server will support a new "destroy session" request, as a milder replacement for the deprecated "kill all user sessions" feature.
So, it will be possible to issue the request from any backend process that knows the active session IDs (by communicating with the various Metadata Adapter instances).
However, the availability of the generic client SDK would be needed, which requires the Presto or Vivace version of the Server.
Dario Crivelli
Lightstreaemer Server 3.6 release is now available.
What follows is a sample code for forcing session termination from the Metadata Adapter, made possible by the new "destroy session" request.
The sample can substitute the JMX based one shown earlier in this thread and represents a new implementation of Option 1 introduced above.
So, we show a code snippet that, added to the Metadata Adapter code, listens to the notifications for session initiation and termination and causes each session to be closed after it has lived longer than five minutes.
Upon forced session closure, the Web Client Library will enter "DISCONNECTED" state and won't try to recover the session; it will just notify application code through the "onServerError" event handler, with proper error codes.
[SYNTAX="JAVA"]
import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import com.lightstreamer.interfaces.metadata.CreditsException;
import com.lightstreamer.interfaces.metadata.NotificationException;
.................
private static final String host = "localhost";
private static final int port = 80;
// we cast the local port number; the ports used by the current instance
// of Lightstreamer Server cannot be inspected in a simple way;
// the name of the configured <http_server> or <https_server> block
// related with the port on which the requests for the current session
// have been received is available as the "LOCAL_SERVER" element in the
// clientContext Map in notifyNewSession
private final Set currSessions = new HashSet();
private final Timer timer = new Timer();
private final long expiryTime = 5 * 60 * 1000;
public void notifyNewSession(String user, final String session, Map clientContext)
throws CreditsException, NotificationException {
synchronized (currSessions) {
currSessions.add(session);
}
timer.schedule(new TimerTask() {
public void run() {
synchronized (currSessions) {
if (! currSessions.contains(session)) {
return;
}
}
try {
killSession(session);
// this also causes notifySessionClose to be called
} catch (IOException e) {
// TODO
}
}
}, expiryTime);
}
public void notifySessionClose(String session) throws NotificationException {
synchronized (currSessions) {
currSessions.remove(session);
}
}
private void killSession(String session) throws IOException {
URL url = new URL("http", host, port, "/lightstreamer/control.txt");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("POST");
connection.setUseCaches(false);
connection.setDoOutput(true);
connection.setDoInput(true);
connection.setAllowUserInteraction(false);
DataOutputStream requestStream = new DataOutputStream(connection.getOutputStream());
requestStream.writeBytes("LS_op=destroy&LS_session=" + session);
requestStream.flush();
requestStream.close();
InputStream answerStream = connection.getInputStream();
BufferedReader answer = new BufferedReader(new InputStreamReader(answerStream));
String outcome = answer.readLine();
if (outcome != null && outcome.equals("OK")) {
// done
} else if (outcome != null && outcome.equals("SYNC ERROR")) {
// the session was not found
// TODO
} else {
// an unexpected condition occurred
// TODO
}
connection.disconnect();
}
.........
[/SYNTAX]
Note that the above code can only be used in Lightstreamer "Presto" or "Vivace" edition, in which the text interface is available.
In "Allegro" or "Moderato" edition, we need to resort to the html or javascript interface; the following code snippet exploits the javascript case; the request syntax is the same, but for control.jsin place of control.txt .
[SYNTAX="JAVA"]
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import com.lightstreamer.interfaces.metadata.CreditsException;
import com.lightstreamer.interfaces.metadata.NotificationException;
.................
private static final String host = "localhost";
private static final int port = 80;
// we cast the local port number; the ports used by the current instance
// of Lightstreamer Server cannot be inspected in a simple way;
// the name of the configured <http_server> or <https_server> block
// related with the port on which the requests for the current session
// have been received is available as the "LOCAL_SERVER" element in the
// clientContext Map in notifyNewSession
private final Set currSessions = new HashSet();
private final Timer timer = new Timer();
private final long expiryTime = 5 * 60 * 1000;
public void notifyNewSession(String user, final String session, Map clientContext)
throws CreditsException, NotificationException {
synchronized (currSessions) {
currSessions.add(session);
}
timer.schedule(new TimerTask() {
public void run() {
synchronized (currSessions) {
if (! currSessions.contains(session)) {
return;
}
}
try {
killSession(session);
// this also causes notifySessionClose to be called
} catch (IOException e) {
// TODO
}
}
}, expiryTime);
}
public void notifySessionClose(String session) throws NotificationException {
synchronized (currSessions) {
currSessions.remove(session);
}
}
private void killSession(String session) throws IOException {
URL url = new URL("http", host, port, "/lightstreamer/control.js");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("POST");
connection.setUseCaches(false);
connection.setDoOutput(true);
connection.setDoInput(true);
connection.setAllowUserInteraction(false);
DataOutputStream requestStream = new DataOutputStream(connection.getOutputStream());
requestStream.writeBytes("LS_op=destroy&LS_session=" + session);
requestStream.flush();
requestStream.close();
InputStream answerStream = connection.getInputStream();
/*
* TODO interpretation of the response
*/
connection.disconnect();
}
.........
[/SYNTAX]
Note that the response is in javascript and it is more complicated to analyze it.
In case the operation is successful we should expect:
[SYNTAX="JS"]
/*
window.LS_lastError = {};
window.LS_lastError[1] = null;
*/
[/SYNTAX]
On the other hand, if the session was not found we should expect:
[SYNTAX="JS"]
/*
window.LS_lastError = {};
window.LS_lastError[1] = "sync error";
*/
[/SYNTAX]
Any other response means that an unexpected condition has occurred.
mohamida
Hi Dario,
How to do such thing, for example with the StockList Demo, knowing that this demo is using the default MetaAdapter ?
Do i have to impelement one ?
Dario Crivelli
Yes, the above code is not part of any available sample, so you should add it and recompile in order to test it.
You can create a subclass of the default LiteralBasedProvider class, for instance.
mohamida
Thank you Dario.
What i did is creating a new class, extending the default LiteralBasedProvider class and adding the lines (for destroying the session) in it.
