  • Security Session Issue in IE 8

    Hi,
    We are using JBoss 7 and Spring Security 3.0.5. The security code works fine in the Firefox browser, but when I try to access the application through IE8 the code doesn't work. I debugged the issue and found that the session information is not available to IE8, i.e., after entering the correct credential details it redirects back to the login page. I added a debug statement in my custom SavedRequestAwareAuthenticationSuccessHandler to log whether the user logged in successfully or not, and it does log that the user is logged in successfully. But IE8 doesn't have that information and doesn't allow the user to access any other pages either (I manually entered the URL address).

    I deployed the same war file on the MyEclipse 8.1 internal Tomcat server, and it works fine in both IE8 and Firefox.

    Any idea what might be the problem, and any suggestion on how to fix it?

  • #2
    I don't think this is going to be a browser issue or anything specific to JBoss vs. Tomcat. We're talking about a session here... Similarly, there's nothing browser-specific in Spring Security.

    I would look at how your IE8 browser is configured with regards to security first, and then look to see what customized code you might have on the JBoss server as it relates to specific browsers. For example, I suspect localhost is probably configured to be trusted whereas your JBoss server is not. Something like that.



    • #3
      Please provide the logs from Spring Security. Also, what do the requests/responses look like? FYI, you can use something like live headers or Fiddler to obtain the requests and responses.



      • #4
        Hi,
        Thanks for your reply. I did try running the application through Fiddler in both IE8 and Firefox 3.6.22, and I observed that the JSESSIONID cookie is the same for all the requests in Firefox, whereas the JSESSIONID cookie value is different once the user is logged in successfully. I suspect some problem with the IE8 and JBoss 7 configuration regarding sessions.

        Request header to post the user credentials
        Code:
        POST http://panther:8080/mapp/j_spring_security_check HTTP/1.1
        x-requested-with: XMLHttpRequest
        Accept-Language: en-us
        Referer: http://panther:8080/mapp/Login;jsessionid=wty69fmarC-IP10LxzGGvgDC
        Accept: */*
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
        Host: panther:8080
        Content-Length: 41
        Connection: Keep-Alive
        Pragma: no-cache
        Response Header
        Code:
        HTTP/1.1 200 OK
        Server: Apache-Coyote/1.1
        Set-Cookie: JSESSIONID=5ml4Xn9XhcM2GLrnVaeko9WH; Version=1; Path="/mapp"
        Accept-Charset: big5, big5-hkscs, compound_text..... (some long charsets)
        Content-Type: application/json
        Content-Length: 100
        Please let me know if it is something to be configured on JBoss/IE8.



        • #5
          Can you provide all the request/responses from the request that triggers the login page to the response after login failed? Also what do the Spring Security logs look like for these requests/responses?



          • #6
            I use Ajax-based login. After successful login I redirect to the next page (Dashboard page). The login doesn't fail. The JBoss server does log the user as logged in:
            Code:
            10:49:09,375 INFO  [stdout] (http--127.0.0.1-9090-3) [ INFO] [http--127.0.0.1-9090-3 10:49:09] (AjaxAuthenticationSuccessHandler.java:onAuthenticationSuccess:75) *** User:superuser Logged in Successfully
            Here are the request/response for the redirect.


            Request for the redirect page
            Code:
            GET http://panther:8080/mapp/Dashboard HTTP/1.1
            Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
            Accept-Language: en-US
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
            Accept-Encoding: gzip, deflate
            Connection: Keep-Alive
            Host: panther:8080
            Response
            Code:
            HTTP/1.1 200 OK
            Server: Apache-Coyote/1.1
            X-Powered-By: JSP/2.2
            Cache-Control: no-store
            Content-Type: text/html;charset=ISO-8859-1
            Content-Language: en
            Transfer-Encoding: chunked
            Date: Fri, 04 Nov 2011 16:34:28 GMT



            • #7
              One more thing: take the request/responses in IE8 against Tomcat and compare them against those of JBoss. What differs? Do either mark the cookie as HttpOnly? If that doesn't help, please post the request for the login through the response for the dashboard for both Tomcat and JBoss, clearly labeling both.



              • #8
                Request/Response for Tomcat:
                ------------------------------------
                1) Request Login Page Header
                Code:
                GET http://localhost:8080/mapp/Login HTTP/1.1
                Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
                Accept-Language: en-US
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
                Accept-Encoding: gzip, deflate
                Connection: Keep-Alive
                Host: localhost:8080
                Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
                Response
                Code:
                HTTP/1.1 200 OK
                Server: Apache-Coyote/1.1
                Cache-Control: no-store
                Access-Control-Allow-Headers: x-requested-with
                Content-Type: text/html;charset=ISO-8859-1
                Content-Language: en
                Transfer-Encoding: chunked
                Date: Mon, 07 Nov 2011 16:07:53 GMT
                2) Validate User Credentials Request
                Code:
                POST http://localhost:8080/mapp/j_spring_security_check HTTP/1.1
                x-requested-with: XMLHttpRequest
                Accept-Language: en-us
                Referer: http://localhost:8080/mapp/Login
                Accept: */*
                Content-Type: application/x-www-form-urlencoded
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
                Host: localhost:8080
                Content-Length: 41
                Connection: Keep-Alive
                Pragma: no-cache
                Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
                
                j_username=abcde&j_password=abcde12
                RESPONSE
                Code:
                HTTP/1.1 200 OK
                Server: Apache-Coyote/1.1
                Accept-Charset: big5, big5-hkscs, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-solaris, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1381, x-ibm1383, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp
                Content-Type: application/json
                Content-Length: 100
                Date: Mon, 07 Nov 2011 16:08:05 GMT
                3) Redirect to Dashboard page after successful login
                Code:
                GET http://localhost:8080/mapp/Dashboard HTTP/1.1
                Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
                Referer: http://localhost:8080/mapp/Login
                Accept-Language: en-US
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
                Accept-Encoding: gzip, deflate
                Host: localhost:8080
                Connection: Keep-Alive
                Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
                Response
                Code:
                HTTP/1.1 200 OK
                Server: Apache-Coyote/1.1
                Cache-Control: no-store
                Access-Control-Allow-Headers: x-requested-with
                Content-Type: text/html;charset=ISO-8859-1
                Content-Language: en
                Transfer-Encoding: chunked
                Date: Mon, 07 Nov 2011 16:08:05 GMT



                • #9
                  ------------------------------------------------------------------------------------------------------------------------
                  Request/Response for JBOSS 7:
                  ------------------------------------
                  1) Request Login Page Header
                  Code:
                  GET http://localhost:9090/mapp/Login HTTP/1.1
                  Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: localhost:9090
                  Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
                  Response
                  Code:
                  HTTP/1.1 200 OK
                  Server: Apache-Coyote/1.1
                  X-Powered-By: JSP/2.2
                  Set-Cookie: JSESSIONID=-sYWpiq9yiwoqUn5hYPYLJQz; Version=1; Path="/mapp"
                  Cache-Control: no-store
                  Access-Control-Allow-Headers: x-requested-with
                  Content-Type: text/html;charset=ISO-8859-1
                  Content-Language: en
                  Transfer-Encoding: chunked
                  Date: Mon, 07 Nov 2011 16:21:07 GMT
                  2) Validate User Credentials Request
                  Code:
                  POST http://localhost:9090/mapp/j_spring_security_check HTTP/1.1
                  x-requested-with: XMLHttpRequest
                  Accept-Language: en-us
                  Referer: http://localhost:9090/mapp/Login
                  Accept: */*
                  Content-Type: application/x-www-form-urlencoded
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
                  Host: localhost:9090
                  Content-Length: 41
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
                  RESPONSE
                  Code:
                  HTTP/1.1 200 OK
                  Server: Apache-Coyote/1.1
                  Set-Cookie: JSESSIONID=P99fzDIXopRLomeg+ap8+Gyo; Version=1; Path="/mapp"
                  Accept-Charset: big5, big5-hkscs, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-solaris, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1381, x-ibm1383, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp
                  Content-Type: application/json
                  Content-Length: 100
                  Date: Mon, 07 Nov 2011 16:21:17 GMT
                  3) Redirect to Dashboard page after successful login
                  Code:
                  GET http://localhost:9090/mapp/Dashboard HTTP/1.1
                  Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
                  Referer: http://localhost:9090/mapp/Login
                  Accept-Language: en-US
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
                  Accept-Encoding: gzip, deflate
                  Host: localhost:9090
                  Connection: Keep-Alive
                  Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
                  RESPONSE
                  Code:
                  HTTP/1.1 302 Moved Temporarily
                  Server: Apache-Coyote/1.1
                  Set-Cookie: JSESSIONID=LBaJ9vi7v1n1D7+R8Kv-bw1i; Version=1; Path="/mapp"
                  Location: http://localhost:9090/mapp/Login
                  Content-Length: 0
                  Date: Mon, 07 Nov 2011 16:21:19 GMT



                  • #10
                    I got this issue resolved. The root cause was a problem with session creation in JBoss 7.0.0.
                    JBoss was considering each request as new and creating a new session when the request was made through IE8/9. Upgrading to the latest version, JBoss 7.0.2, resolved this issue.

                    Thank you for your quick response.

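One way to automate the comparison #7 asks for, as an added example that is not code from the thread: the hops below are constructed from the Cookie and Set-Cookie lines posted in #8 (Tomcat) and #9 (JBoss 7.0.0), and the checker reports whether the session id the server issues is ever sent back by the browser, plus the cookie attributes that differ between the two captures (Version=1 and the quoted Path). A flow where every response issues a fresh id that the client never echoes is exactly the "each request is a new session" symptom described in #10.

```python
# Added example (not code from the thread): compare captured login flows to
# spot a session cookie that never sticks. Hops are (client Cookie header,
# server Set-Cookie header), constructed from the lines posted in #8 and #9.

TOMCAT = [  # Tomcat: the browser's cookie is accepted, no new cookie issued
    ("JSESSIONID=F2DE899300146DB940E5AA4C81948FD5", None),
    ("JSESSIONID=F2DE899300146DB940E5AA4C81948FD5", None),
    ("JSESSIONID=F2DE899300146DB940E5AA4C81948FD5", None),
]
JBOSS = [  # JBoss 7.0.0: a fresh id is issued on every response
    ("JSESSIONID=F2DE899300146DB940E5AA4C81948FD5",
     'JSESSIONID=-sYWpiq9yiwoqUn5hYPYLJQz; Version=1; Path="/mapp"'),
    ("JSESSIONID=F2DE899300146DB940E5AA4C81948FD5",
     'JSESSIONID=P99fzDIXopRLomeg+ap8+Gyo; Version=1; Path="/mapp"'),
    ("JSESSIONID=F2DE899300146DB940E5AA4C81948FD5",
     'JSESSIONID=LBaJ9vi7v1n1D7+R8Kv-bw1i; Version=1; Path="/mapp"'),
]

def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; values kept verbatim, quotes included."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            pairs[k.strip()] = v.strip()
    return pairs

def parse_set_cookie(value):
    """One Set-Cookie header -> (name, value, {attribute: value_or_True})."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, val = first.split("=", 1)
    attrs = {}
    for p in rest:
        k, _, v = p.partition("=")
        attrs[k.strip()] = v.strip() if v else True  # HttpOnly/Secure -> True
    return name.strip(), val.strip(), attrs

def analyse(flow, name="JSESSIONID"):
    """Walk hops in order: count ids issued, ids the client failed to echo back,
    and note attributes that differ between servers (Version=1, quoted Path)."""
    issued, stale_sends, quoted_path, version1 = [], 0, False, False
    for cookie_hdr, set_cookie_hdr in flow:
        sent = parse_cookie_header(cookie_hdr).get(name) if cookie_hdr else None
        if issued and sent != issued[-1]:
            stale_sends += 1  # the id issued on the previous hop was not sent back
        if set_cookie_hdr:
            n, v, attrs = parse_set_cookie(set_cookie_hdr)
            if n == name:
                issued.append(v)
                quoted_path |= str(attrs.get("Path", "")).startswith('"')
                version1 |= attrs.get("Version") == "1"
    return {"issued": len(issued), "stale_sends": stale_sends,
            "session_sticks": stale_sends == 0,
            "quoted_path": quoted_path, "version1": version1}
```

Running `analyse(TOMCAT)` and `analyse(JBOSS)` side by side shows the Tomcat flow issuing no new id at all, while the JBoss flow issues three ids that the browser never returns.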