SPRING_SECURITY_CONTEXT not stored in session until http response has been delivered

  • #1

    Almost always our Spring Security 3.0.6 configuration works great. However, under some load, our Tomcat 6 container instances act strangely (incorrectly?) with Spring Security with regard to SPRING_SECURITY_CONTEXT being stored in the session via HttpSessionSecurityContextRepository.

    We are using remote clients with a CommonsHttpInvokerRequestExecutor using Hessian serialization.

    A non-threaded client makes a "login" call. Typically the Tomcat thread pool executes the request and passes it down each of the security:http filters and constructs. In the SecurityContextPersistenceFilter.doFilter finally block, the SecurityContext is persisted to the HttpSession.

    After the login, the client proceeds to make Hessian calls to the server which require authorization (in this case, ROLE_USER will do).

    As pseudo-logging would describe this...

    Code:
    [http-8080-1] {     } HttpSessionSecurityContextRepository | HttpSession returned null object for SPRING_SECURITY_CONTEXT
    [http-8080-1] {     } HttpSessionSecurityContextRepository | No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@2bafea. A new one will be created.
    [http-8080-1] {   h:20C56DB6C899943849466E93A4E8AA26 c:5614 } LoginManagerImpl | Authenticating user foo
    [http-8080-1] {   h:20C56DB6C899943849466E93A4E8AA26 c:5614 } LoginManagerImpl | Authentication success
    [http-8080-2] {     } HttpSessionSecurityContextRepository | HttpSession returned null object for SPRING_SECURITY_CONTEXT
    [http-8080-2] {     } HttpSessionSecurityContextRepository | No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@2bafea. A new one will be created.
    [http-8080-2] {     } ExceptionReporter | security.accessDenied
    [http-8080-1] {     } HttpSessionSecurityContextRepository | SecurityContext stored to HttpSession: '[email protected]13416: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fb413416: Principal: com.whatever.model.User@7278e5fc: Username: foo; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN{regular},ROLE_USER{regular}; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN{regular}, ROLE_USER{regular}'
    [http-8080-2] {     } HttpSessionSecurityContextRepository | SecurityContext is empty or anonymous - context will not be stored in HttpSession.

    A summary of that pseudo-logging: the "login" comes in on Tomcat thread pool thread http-8080-1, but the SPRING_SECURITY_CONTEXT isn't persisted until *after* the call requiring ROLE_USER fails on Tomcat thread pool thread http-8080-2.

    Our client-side code is single-threaded for this operation and can only assume that the underlying commons-http isn't doing some eager connection request-response magic. But certainly that is a consideration.

    Overall, I am just not sure when an HTTP request is "complete" with regard to the stack of Spring Security filter chains, etc.

    Of course I have more bean definitions in my applicationContext, but I am hoping this snippet is sufficient to consider what things I should try next.
    Code:
      <security:http auto-config="false" access-decision-manager-ref="accessDecisionManager" create-session="always" disable-url-rewriting="true">
        <security:session-management>
          <security:concurrency-control max-sessions="1" />
        </security:session-management>
        <security:intercept-url pattern="/remoting/**" access="ROLE_ANONYMOUS,ROLE_USER" />
        <security:anonymous key="anonymous" username="anonymous" granted-authority="ROLE_ANONYMOUS" />
        <security:form-login />
        <security:http-basic />
        <security:logout />
      </security:http>
      <bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name="forceEagerSessionCreation" value="true" />
      </bean>
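    The ordering in the log above, as an added example that is neither the poster's code nor Spring's: a small Python model of the SecurityContextPersistenceFilter pattern (load the context from the session, run the rest of the chain, save it in the finally block) in which the client fires its ROLE_USER call as soon as it has read the login reply, before the thread serving the login has unwound the filter chain. The thread names, log messages, handlers and the Event-based interleaving are constructed for the illustration.

```python
# Constructed model of SecurityContextPersistenceFilter's save-in-finally ordering; not Spring's code.
import threading

SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT"  # session attribute name Spring uses

def persistence_filter(session, thread, handler, log):
    """Load the context from the session, run the rest of the chain, save it in finally."""
    ctx = session.get(SPRING_SECURITY_CONTEXT_KEY)
    if ctx is None:
        log.append(f"[{thread}] HttpSession returned null object for {SPRING_SECURITY_CONTEXT_KEY}")
        ctx = {"principal": None, "authorities": set()}
    try:
        return handler(ctx, log)
    finally:  # the context reaches the session only here, after the whole chain has returned
        if ctx["principal"] is not None:
            session[SPRING_SECURITY_CONTEXT_KEY] = ctx
            log.append(f"[{thread}] SecurityContext stored to HttpSession")
        else:
            log.append(f"[{thread}] SecurityContext is empty or anonymous - not stored")

def run_scenario(client_waits_for_response):
    """One login on http-8080-1, then one ROLE_USER call on http-8080-2 against the same session."""
    session, log = {}, []                 # the shared HttpSession (same JSESSIONID for both calls)
    reply_flushed = threading.Event()     # the login reply bytes have reached the client
    second_call_done = threading.Event()  # the protected call has been evaluated

    def login_handler(ctx, log):
        ctx["principal"], ctx["authorities"] = "foo", {"ROLE_USER", "ROLE_ADMIN"}
        log.append("[http-8080-1] Authentication success")
        reply_flushed.set()                # the client can already read its answer...
        if not client_waits_for_response:  # ...while this thread is still inside the filter chain
            second_call_done.wait(timeout=5)
        return "logged in"

    def protected_handler(ctx, log):
        if "ROLE_USER" not in ctx["authorities"]:
            log.append("[http-8080-2] security.accessDenied")
            return "denied"
        return "allowed"

    t1 = threading.Thread(target=persistence_filter, args=(session, "http-8080-1", login_handler, log))
    t1.start()
    reply_flushed.wait(timeout=5)
    if client_waits_for_response:
        t1.join()                          # chain unwound: the finally block has stored the context
    outcome = persistence_filter(session, "http-8080-2", protected_handler, log)
    second_call_done.set()
    t1.join()
    return outcome, log
```

    With client_waits_for_response=False the second call is denied and the "stored to HttpSession" line appears only after the accessDenied line, exactly as in the log above; with True the same session yields "allowed".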

  • #2
    Related JIRA https://jira.springsource.org/browse/SEC-2005

    • #3
      I think this might be related to my issue:
      http://forum.springsource.org/showth...ecurityContext
