
  • Security Context problem with multiple threads

    Hi, I am using Spring Security 2.0.6. When many requests are sent continuously, the security context value for a particular user gets changed: when I retrieve the user from the security context, I get a different user from the one that was authenticated.

    Here is the scenario: we continuously fire requests with a constant username, and if a simultaneous request with a different user is fired, we face this problem.

    Note: This scenario is not reproduced for all requests; it is intermittent.

    Could you please help me with this issue? That would be very helpful.

    Thanks,



    My XML configuration
    Code:
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                  http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
    
    
    
    	<!-- ****** START Spring Security Configuration ******* -->
    	<!-- ======================== FILTER CHAIN ======================= -->
    
    	<!-- <security:global-method-security secured-annotations="enabled" /> -->
    	
    		<!-- Application-supplied AuthenticationProvider; the nested
    		     custom-authentication-provider element registers it with the
    		     namespace-created authentication manager.
    		     NOTE(review): this bean and the details source below use Spring's
    		     default singleton scope, so one instance serves every request thread.
    		     Their source is not shown; confirm that neither keeps the current
    		     user, request or Authentication in an instance field, because shared
    		     mutable state there would give exactly the intermittent wrong-user
    		     symptom under concurrent load. -->
    		<bean id="customAuthProvider" class="controllers.UserDetailsAuthenticationProvider">
        <security:custom-authentication-provider/>
    	</bean>
    	<!-- Application-supplied source of the "details" object attached to each
    	     authentication request; injected into basicProcessingFilter. -->
    	<bean id="myWebAuthenticationDetailsSource" class="controllers.MyWebAuthenticationDetailsSource"/>
    	
    
    	<!-- Namespace configuration: builds a filter chain of its own, requires
    	     ROLE_USER or ROLE_ADMIN for every URL and sends unauthenticated
    	     requests to the HTTP Basic entry point.
    	     NOTE(review): a second, hand-wired chain is declared below as the
    	     filterChainProxy bean. Which of the two web.xml maps is not visible
    	     here; confirm that only one is active.
    	     NOTE(review): HTTP Basic sends the credentials with every request and
    	     nothing in this file restricts the URLs to HTTPS (no requires-channel
    	     on intercept-url); confirm TLS is enforced elsewhere. -->
    	<security:http
    		entry-point-ref="basicProcessingFilterEntryPoint">
    		<!-- Restrict URLs based on role -->
    
    		<security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
    
    
    
    	</security:http>
    
    	<!-- Exposes the namespace-created authentication manager under the bean
    	     name "authenticationManager" so the hand-declared filters below can
    	     reference it. -->
    	<security:authentication-manager alias="authenticationManager" />
    
    <!-- 	<security:authentication-provider>
    		<security:user-service id="userDetailsService">
    		<security:user name="anto" password="anto" authorities="ROLE_USER, ROLE_ADMIN" />
    		<security:user name="bob" password="bob" authorities="ROLE_USER" />
    		</security:user-service>
    	</security:authentication-provider> -->
    
    	<!-- Hand-declared HTTP Basic authentication filter. The custom-filter
    	     element also inserts this bean into the namespace-built chain at the
    	     BASIC_PROCESSING_FILTER position, and the filterChainProxy bean lists it
    	     by name, so both chains in this file reference the same instance.
    	     It authenticates through authenticationManager, attaches details from
    	     myWebAuthenticationDetailsSource and uses the Basic entry point when
    	     authentication fails. -->
    	<bean id="basicProcessingFilter"
    		class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
    		<security:custom-filter  position="BASIC_PROCESSING_FILTER" /> 
    		<property name="authenticationDetailsSource" ref="myWebAuthenticationDetailsSource" />
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint" />
    	</bean>
    
    	<!-- Entry point that challenges unauthenticated clients for HTTP Basic
    	     credentials, advertising the realm name "MyRealm". Referenced by
    	     security:http, basicProcessingFilter and exceptionTranslationFilter. -->
    	<bean id="basicProcessingFilterEntryPoint"
    		class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
    		<property name="realmName" value="MyRealm" />
    	</bean>
    
    
    	<!-- Hand-wired filter chain applied to every path (ant pattern /**).
    	     Order matters and is, as listed: session context integration, Basic
    	     authentication, exception translation, then the authorization
    	     interceptor.
    	     NOTE(review): this chain is used only if web.xml delegates to the bean
    	     named "filterChainProxy"; the security:http element above defines
    	     another chain. web.xml is not shown, so confirm which one handles
    	     requests and remove the unused definition to avoid two diverging
    	     sets of rules. -->
    	<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
    	<security:filter-chain-map path-type="ant">
    		<security:filter-chain pattern="/**" filters="
    			httpSessionContextIntegrationFilterWithASCTrue,
    			basicProcessingFilter, exceptionTranslationFilter,
    		    filterSecurityInterceptor " />
    	</security:filter-chain-map>
    	
    	</bean>
    	
    
    	<!-- Populates the SecurityContextHolder from the HTTP session at the start
    	     of a request and stores the context back at the end;
    	     allowSessionCreation=true lets the filter create a session for that.
    	     NOTE(review): every request that presents the same session cookie is
    	     given the context held in that session, and by default the filter
    	     hands out a reference to the stored object rather than a copy (see
    	     cloneFromHttpSession in the filter's Javadoc). If the load test sends
    	     requests for different users over one shared session, a Basic
    	     re-authentication on one thread can change the user that concurrent
    	     threads read. Whether the client shares a session cookie is not shown;
    	     confirm. For a Basic-auth-only service, consider not keeping the
    	     security context in the session at all. -->
    	<bean id="httpSessionContextIntegrationFilterWithASCTrue"
    		class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
    		<property name="allowSessionCreation" value="true" />
    	</bean>
    
    
    	<!-- Translates security exceptions raised further down the chain:
    	     an authentication failure triggers the HTTP Basic entry point, while
    	     an access-denied result is passed to AccessDeniedHandlerImpl, which is
    	     declared here with no errorPage configured. -->
    	<bean id="exceptionTranslationFilter"
    		class="org.springframework.security.ui.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint" />
    		<property name="accessDeniedHandler">
    			<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl" />
    		</property>
    	</bean>
    	
    
    
    
    	<!-- Authorization step of the hand-wired chain: every URL (/**) requires
    	     ROLE_USER or ROLE_ADMIN, with the decision delegated to
    	     accessDecisionManager. This repeats the intercept-url rule declared on
    	     security:http; the two must be kept in sync while both exist. -->
    	<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="accessDecisionManager" ref="accessDecisionManager" />
    		<property name="objectDefinitionSource">
    		
    		<security:filter-invocation-definition-source>
    			<security:intercept-url pattern="/**"
    				access="ROLE_USER,ROLE_ADMIN" />
    		</security:filter-invocation-definition-source>
    	
    		</property>
    	</bean>
    
    
    	<!-- AffirmativeBased grants access as soon as any one voter grants it.
    	     RoleVoter votes on the ROLE_ attributes used in this file;
    	     AuthenticatedVoter votes on IS_AUTHENTICATED_* attributes, none of
    	     which appear in the access rules shown here. -->
    	<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    		<property name="decisionVoters">
    			<list>
    				<ref local="roleVoter" />
    				<bean class="org.springframework.security.vote.AuthenticatedVoter" />
    			</list>
    		</property>
    	</bean>
    
    	<!-- Voter that compares the ROLE_ attributes on a URL with the
    	     authorities held by the authenticated user. -->
    	<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter" />
    
    	<!-- ****** END SPRING Security Configuration ******* -->
    
    	<!-- JDBC connection settings for the local MySQL schema "springacegi".
    	     NOTE(review): the application connects as the MySQL root account and
    	     the password is written in this file. Use a least-privilege account
    	     created for the application and load the credentials from outside the
    	     configuration (for example through a property placeholder), so they
    	     are not committed or pasted along with it.
    	     DriverManagerDataSource does not pool connections; it opens a new one
    	     on each request for a connection. -->
    	<bean id="dataSource"
    		class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    		<property name="driverClassName" value="com.mysql.jdbc.Driver" />
    		<property name="url" value="jdbc:mysql://localhost:3306/springacegi" />
    		<property name="username" value="root" />
    		<property name="password" value="root" />
    	</bean>
    
    
    
    </beans>