Announcement Announcement Module
Collapse
No announcement yet.
Really weird thing going on with JSESSIONID and Spring Security, please advice Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Really weird thing going on with JSESSIONID and Spring Security, please advice

    Hello everybody,

    I'm having a serious issue here and I'm a bit lost.

    I've been working on www.zukbox.com with the next security configuration:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    	<global-method-security pre-post-annotations="enabled">
    		<!-- AspectJ pointcut expression that locates our "post" method and applies 
    			security that way <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" 
    			access="ROLE_TELLER"/> -->
    	</global-method-security>
    
    	<beans:bean id="authenticationHandler"
    		class="com.zukbox.zukbox.webapp.filter.ZukboxAuthenticationHandler" />
    
    	<http use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint"
    		 auto-config="false">
    		<intercept-url pattern="/secure/**" access="isAuthenticated()" />
    		<intercept-url pattern="/payments/book" access="isAuthenticated()" />
    		<intercept-url pattern="/paypal-checkout" access="isAuthenticated()" />
    		<intercept-url pattern="/*" access="permitAll" />
    		<logout />
    		<remember-me services-ref="rememberMeServices" />
    <!-- 		<session-management session-fixation-protection="none"> -->
    <!-- 		</session-management> -->
    		<session-management>
    		 <concurrency-control expired-url="/terms" max-sessions="1"/>
    		</session-management>
    		<custom-filter position="FORM_LOGIN_FILTER" ref="zukboxAuthenticationFilter" />
    	</http>
    
    	<beans:bean id="concurrencyFilter"
    		class="org.springframework.security.web.session.ConcurrentSessionFilter">
    		<beans:property name="sessionRegistry" ref="sessionRegistry" />
    	</beans:bean>
    
    	<beans:bean id="sessionRegistry"
    		class="org.springframework.security.core.session.SessionRegistryImpl" />
    
    	<beans:bean id="userAuthProvider"
    		class="com.zukbox.zukbox.service.user.impl.UserAuthenticationProviderImpl">
    		<beans:property name="userDetailsService" ref="userDetailsService" />
    	</beans:bean>
    
    	<beans:bean id="userDetailsService"
    		class="com.zukbox.zukbox.service.user.impl.UserDetailsServiceImpl">
    		<beans:property name="userDao" ref="userDao" />
    	</beans:bean>
    
    	<authentication-manager alias="authManager">
    		<authentication-provider ref="userAuthProvider"
    			user-service-ref="userDetailsService">
    		</authentication-provider>
    		<authentication-provider ref="facebookAuthenticationProvider"></authentication-provider>
    	</authentication-manager>
    
    	<beans:bean id="rememberMeFilter"
    		class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    		<beans:property name="rememberMeServices" ref="rememberMeServices" />
    		<beans:property name="authenticationManager" ref="authManager" />
    	</beans:bean>
    
    	<beans:bean id="rememberMeServices"
    		class="com.zukbox.zukbox.webapp.login.ZukboxRememberMeServices">
    		<beans:property name="userDetailsService" ref="userDetailsService" />
    		<beans:property name="key" value="SpringSecured" />
    		<beans:property name="alwaysRemember" value="true" />
    		<beans:property name="tokenValiditySeconds" value="1296000" />
    	</beans:bean>
    
    	<beans:bean id="rememberMeAuthenticationProvider"
    		class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    		<beans:property name="key" value="SpringSecured" />
    	</beans:bean>
    
    	<beans:bean id="facebookAuthenticationProvider"
    		class="com.zukbox.zukbox.webapp.login.FacebookAuthenticationProvider">
    		<beans:property name="userDetailsService" ref="userDetailsService" />
    	</beans:bean>
    
    	<beans:bean id="loginUrlAuthenticationEntryPoint"
    		class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    		<beans:property name="loginFormUrl" value="/signin" />
    	</beans:bean>
    
    	<beans:bean id="zukboxAuthenticationFilter"
    		class="com.zukbox.zukbox.webapp.login.ZukboxAuthenticationFilter">
    		<beans:property name="authenticationManager" ref="authManager" />
    		<beans:property name="authenticationFailureHandler"
    			ref="authenticationHandler" />
    		<beans:property name="authenticationSuccessHandler"
    			ref="authenticationHandler" />
    		<beans:property name="rememberMeServices" ref="rememberMeServices" />
    	</beans:bean>
    
    
    
    	<beans:bean id="sessionControlStrategy"
    		class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    		<beans:constructor-arg name="sessionRegistry"
    			ref="sessionRegistry" />
    		<beans:property name="maximumSessions" value="-1" />
    	</beans:bean>
    
    	<beans:bean id="securityContextPersistenceFilter"
    		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    		<beans:property name='securityContextRepository'>
    			<beans:bean
    				class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
    				<beans:property name='allowSessionCreation' value='false' />
    			</beans:bean>
    		</beans:property>
    	</beans:bean>
    
    </beans:beans>
    Code:
    FacebookAuthenticationProvider:
    
    public Authentication authenticate(Authentication authentication)
                throws AuthenticationException {
            FacebookAuthenticationToken auth = (FacebookAuthenticationToken) authentication;
            FacebookClient fbClient = new DefaultFacebookClient(auth.getToken());
            
             // yada yada yada
    
            AcegiUserDetails details = (AcegiUserDetails) userDetailsService
                    .loadUserByUsername(user.getEmail());
    
            return new UsernamePasswordAuthenticationToken(details, details.getPassword(),
                    details.getAuthorities());
        }

    Code:
        public FacebookAuthenticationToken(String socialId, String token, List<GrantedAuthority> authorities) {
            super(authorities);
            this.socialId = socialId;
            this.token = token;
            super.setAuthenticated(true);
        }
    Code:
    ZukboxAuthenticationFilter which extends UsernamePasswordAuthenticationFilter
    public Authentication attemptAuthentication(HttpServletRequest request,
                HttpServletResponse response) throws AuthenticationException {
            if (postOnly && !request.getMethod().equals("POST")) {
                throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
            }
    
            String loginType = obtainLoginType(request);
            AbstractAuthenticationToken authRequest = null;
            if ("Facebook".equals(loginType)) {
                String socialId = obtainSocialId(request);
                String token = obtainToken(request);
                authRequest = new FacebookAuthenticationToken(socialId, token);
            } else {
                String username = obtainUsername(request);
                String password = obtainPassword(request);
    
                if (username == null) {
                    username = "";
                }
    
                if (password == null) {
                    password = "";
                }
    
                username = username.trim();
    
                authRequest = new UsernamePasswordAuthenticationToken(username, password);
    
                // Place the last username attempted into HttpSession for views
                HttpSession session = request.getSession(false);
    
                if (session != null || getAllowSessionCreation()) {
                    request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextEscapeUtils.escapeEntities(username));
                }
    
                // Allow subclasses to set the "details" property
                setDetails(request, (UsernamePasswordAuthenticationToken) authRequest);
            }
    
            return this.getAuthenticationManager().authenticate(authRequest);
        }

    I'm getting a really short session, sometimes I appear as logged in, sometimes I don't even though the remember me cookie is there.
    Same happens with the locale you choose, it jumps to what ever it fits best.

    I really don't know where else to look.

    Any help/guidance would be much appreciated.
    Thanks in advance.

    Federico

  • #2
    I've managed to stop generating sessions by adding

    Code:
    <%@ page session="false" %>
    to all of our jsps.

    But I'm still facing the issue that Spring suddenly stops reading cookies (either for CookieLocaleResolver or RememberMeServices) which leaves my users unauth and with default locale, then on the next request cookies work and they get authenticated and locale cookie based.
    This happens quite oftenly so a user get this real bad browsing experience.

    Below's my security-config.xml:


    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    	<global-method-security pre-post-annotations="enabled">
    		<!-- AspectJ pointcut expression that locates our "post" method and applies 
    			security that way <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" 
    			access="ROLE_TELLER"/> -->
    	</global-method-security>
    
    	<beans:bean id="authenticationHandler"
    		class="com.zukbox.zukbox.webapp.filter.ZukboxAuthenticationHandler" />
    
    	<http use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint"
    		 auto-config="false" create-session="never">
    		<intercept-url pattern="/secure/**" access="isAuthenticated()" />
    		<intercept-url pattern="/payments/book" access="isAuthenticated()" />
    		<intercept-url pattern="/paypal-checkout" access="isAuthenticated()" />
    		<intercept-url pattern="/*" access="permitAll" />
    		<logout />
    		<remember-me services-ref="rememberMeServices" />
    		<session-management session-fixation-protection="none" >
    		 	<concurrency-control error-if-maximum-exceeded="true" expired-url="/terms" max-sessions="1"/>
    		</session-management>
    		<custom-filter position="FORM_LOGIN_FILTER" ref="zukboxAuthenticationFilter" />
    	</http>
    
    	<beans:bean id="concurrencyFilter"
    		class="org.springframework.security.web.session.ConcurrentSessionFilter">
    		<beans:property name="sessionRegistry" ref="sessionRegistry" />
    	</beans:bean>
    
    	<beans:bean id="sessionRegistry"
    		class="org.springframework.security.core.session.SessionRegistryImpl" />
    
    	<beans:bean id="userAuthProvider"
    		class="com.zukbox.zukbox.service.user.impl.UserAuthenticationProviderImpl">
    		<beans:property name="userDetailsService" ref="userDetailsService" />
    	</beans:bean>
    
    	<beans:bean id="userDetailsService"
    		class="com.zukbox.zukbox.service.user.impl.UserDetailsServiceImpl">
    		<beans:property name="userDao" ref="userDao" />
    	</beans:bean>
    
    	<authentication-manager alias="authManager">
    		<authentication-provider ref="userAuthProvider"
    			user-service-ref="userDetailsService">
    		</authentication-provider>
    		<authentication-provider ref="facebookAuthenticationProvider"></authentication-provider>
    	</authentication-manager>
    
    	<beans:bean id="rememberMeFilter"
    		class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    		<beans:property name="rememberMeServices" ref="rememberMeServices" />
    		<beans:property name="authenticationManager" ref="authManager" />
    	</beans:bean>
    
    	<beans:bean id="rememberMeServices"
    		class="com.zukbox.zukbox.webapp.login.ZukboxRememberMeServices">
    		<beans:property name="userDetailsService" ref="userDetailsService" />
    		<beans:property name="key" value="SpringSecured" />
    		<beans:property name="alwaysRemember" value="true" />
    		<beans:property name="tokenValiditySeconds" value="1296000" />
    	</beans:bean>
    
    	<beans:bean id="rememberMeAuthenticationProvider"
    		class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    		<beans:property name="key" value="SpringSecured" />
    	</beans:bean>
    
    	<beans:bean id="facebookAuthenticationProvider"
    		class="com.zukbox.zukbox.webapp.login.FacebookAuthenticationProvider">
    		<beans:property name="userDetailsService" ref="userDetailsService" />
    	</beans:bean>
    
    	<beans:bean id="loginUrlAuthenticationEntryPoint"
    		class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    		<beans:property name="loginFormUrl" value="/signin" />
    	</beans:bean>
    
    	<beans:bean id="zukboxAuthenticationFilter"
    		class="com.zukbox.zukbox.webapp.login.ZukboxAuthenticationFilter">
    		<beans:property name="authenticationManager" ref="authManager" />
    		<beans:property name="authenticationFailureHandler"
    			ref="authenticationHandler" />
    		<beans:property name="authenticationSuccessHandler"
    			ref="authenticationHandler" />
    		<beans:property name="rememberMeServices" ref="rememberMeServices" />
    	</beans:bean>
    
    	<beans:bean id="sessionControlStrategy"
    		class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    		<beans:constructor-arg name="sessionRegistry"
    			ref="sessionRegistry" />
    		<beans:property name="maximumSessions" value="-1" />
    	</beans:bean>
    
    	<beans:bean id="securityContextPersistenceFilter"
    		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    		<beans:property name='securityContextRepository'>
    			<beans:bean
    				class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
    				<beans:property name='allowSessionCreation' value='false' />
    			</beans:bean>
    		</beans:property>
    	</beans:bean>
    
    </beans:beans>

    I'm under a lot of load and I need some help please!

    Thanks in advance
    Federico
    Last edited by fwachs; Sep 26th, 2011, 11:43 AM.

    Comment


    • #3
      This is rather vague ("Spring suddenly stops reading cookies"). You'll need to provide some debugging information. What have you done to monitor the cookies being exchanged? Have you related this to the debug logs?

      Also, why are you using:

      Code:
      create-session="never"
      This will prevent Spring Security from storing the security context after authenticating the user (unless a session already exists). You should see a message to that effect in the debug log.

      Comment


      • #4
        For starters clean up your configuration.. You have about duplicated the http elements with plain xml configuration, so not sure what is going on there...

        Comment


        • #5
          Thank you so much for your reply.

          I've been doing a lot of testing, but haven't been checking the log files just yet.
          I see that the 2 important cookies are there and the values they contain are correct. But for some reason CookieLocaleResolver and RememberMeServices stop working, I'm trying to find out why but I can't find any reason just yet.

          Any guidance is greatly appreciated

          Comment


          • #6
            Originally posted by Marten Deinum View Post
            For starters clean up your configuration.. You have about duplicated the http elements with plain xml configuration, so not sure what is going on there...
            You're right. I've been doing so many tests that there are many un used things in there.

            Here's the latests:

            Code:
            <?xml version="1.0" encoding="UTF-8"?>
            <beans:beans xmlns="http://www.springframework.org/schema/security"
            	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
            
            	<global-method-security pre-post-annotations="enabled">
            	</global-method-security>
            
            	<beans:bean id="authenticationHandler"
            		class="com.zukbox.zukbox.webapp.filter.ZukboxAuthenticationHandler" />
            
            	<http use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint"
            		 auto-config="false" >
            		<intercept-url pattern="/secure/**" access="isAuthenticated()" />
            		<intercept-url pattern="/payments/book" access="isAuthenticated()" />
            		<intercept-url pattern="/paypal-checkout" access="isAuthenticated()" />
            		<intercept-url pattern="/*" access="permitAll" />
            		<logout />
            		<remember-me services-ref="rememberMeServices" />
            		<session-management session-fixation-protection="none" >
            		 	<concurrency-control error-if-maximum-exceeded="true" expired-url="/terms" max-sessions="1"/>
            		</session-management>
            		<custom-filter position="FORM_LOGIN_FILTER" ref="zukboxAuthenticationFilter" />
            	</http>
            
            	<beans:bean id="userAuthProvider"
            		class="com.zukbox.zukbox.service.user.impl.UserAuthenticationProviderImpl">
            		<beans:property name="userDetailsService" ref="userDetailsService" />
            	</beans:bean>
            
            	<beans:bean id="userDetailsService"
            		class="com.zukbox.zukbox.service.user.impl.UserDetailsServiceImpl">
            		<beans:property name="userDao" ref="userDao" />
            	</beans:bean>
            
            	<authentication-manager alias="authManager">
            		<authentication-provider ref="userAuthProvider"
            			user-service-ref="userDetailsService">
            		</authentication-provider>
            		<authentication-provider ref="facebookAuthenticationProvider"></authentication-provider>
            	</authentication-manager>
            
            	<beans:bean id="rememberMeFilter"
            		class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
            		<beans:property name="rememberMeServices" ref="rememberMeServices" />
            		<beans:property name="authenticationManager" ref="authManager" />
            	</beans:bean>
            
            	<beans:bean id="rememberMeServices"
            		class="com.zukbox.zukbox.webapp.login.ZukboxRememberMeServices">
            		<beans:property name="userDetailsService" ref="userDetailsService" />
            		<beans:property name="key" value="SpringSecured" />
            		<beans:property name="alwaysRemember" value="true" />
            		<beans:property name="tokenValiditySeconds" value="1296000" />
            	</beans:bean>
            
            	<beans:bean id="rememberMeAuthenticationProvider"
            		class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
            		<beans:property name="key" value="SpringSecured" />
            	</beans:bean>
            
            	<beans:bean id="facebookAuthenticationProvider"
            		class="com.zukbox.zukbox.webapp.login.FacebookAuthenticationProvider">
            		<beans:property name="userDetailsService" ref="userDetailsService" />
            	</beans:bean>
            
            	<beans:bean id="loginUrlAuthenticationEntryPoint"
            		class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
            		<beans:property name="loginFormUrl" value="/signin" />
            	</beans:bean>
            
            	<beans:bean id="zukboxAuthenticationFilter"
            		class="com.zukbox.zukbox.webapp.login.ZukboxAuthenticationFilter">
            		<beans:property name="authenticationManager" ref="authManager" />
            		<beans:property name="authenticationFailureHandler"
            			ref="authenticationHandler" />
            		<beans:property name="authenticationSuccessHandler"
            			ref="authenticationHandler" />
            		<beans:property name="rememberMeServices" ref="rememberMeServices" />
            	</beans:bean>
            
            </beans:beans>
            Thanks for your reply.

            Comment


            • #7
              I managed to debug this error and found this:

              I receive a request of type :org.springframework.security.web.servletapi.Secur ityContextHolderAwareRequestWrapper
              With 2 classes on its org.springframework.security.authentication.Authen ticationTrustResolverImpl:
              org.springframework.security.authentication.Anonym ousAuthenticationToken
              org.springframework.security.authentication.Rememb erMeAuthenticationToken

              And a RequestWrapper with strippedServletPath: /index.jsp and a http request with no parameters on it and no cookies as well.

              I'm TOTALLY LOST.

              org.springframework.security.authentication.Anonym ousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.We bAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS

              Comment


              • #8
                I just don't know what to do anymore. This is the stragest thing that ever happened to me.

                Comment

                Working...
                X