  • Losing SecurityContext

    Hi All,

    We have a web application, and from time to time, when a user clicks on a link, we seem to lose the SecurityContext. Spring Security then automatically redirects to the login page.

    This is the securityContext when everything is correct:
    Code:
    timestamp=[01/Jun/2012:14:55:11 +0200] sessionId=3351B849FA8F455938587DB103B12DE6 uri="/obfuscated/history.action" [email protected]50dc8: Authentication:  ...
    This is the securityContext when we lose the context:
    Code:
    timestamp=[01/Jun/2012:14:55:25 +0200] sessionId=3351B849FA8F455938587DB103B12DE6 uri="/obfuscated/summary.action" [email protected]fffff: Null authentication
    As you can see, there are only 14 seconds between the two clicks, so no timeout has occurred.

    This problem is really annoying because we can't reproduce this at will so finding a solution is really hard.

    Here is some more information.
    The application runs in JBoss 5.1 GA.

    The xml file is as follows:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <http use-expressions="true">

            <anonymous enabled="false" />

            <!-- Static content mapping -->
            <intercept-url pattern="/images/**" access="permitAll" filters="none"/>
            <intercept-url pattern="/struts/**" access="permitAll" filters="none"/>

            <!-- other mappings -->
            <session-management invalid-session-url="/timeout.action"/>

            <logout logout-url="/logout" logout-success-url="${logout.url}"/>

            <form-login login-page="/login/login.action" />

            <access-denied-handler ref="accessDeniedHandler"/>

        </http>

        <beans:bean id="acceptAllAuthenticationProvider" class="com.obfuscated.AcceptAllAuthenticationProvider" />

        <beans:bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
            <beans:property name="errorPage" value="/accessDenied.action"/>
        </beans:bean>

        <authentication-manager alias="authenticationManager">
            <authentication-provider ref="acceptAllAuthenticationProvider" />
        </authentication-manager>
    </beans:beans>
    This is the filter chain (DelegatingFilterProxy line 167):
    Code:
    [ApplicationFilterConfig[name=CommonHeadersFilter, filterClass=org.jboss.web.tomcat.filters.ReplyHeaderFilter], 
    ApplicationFilterConfig[name=springSecurityFilterChain, filterClass=org.springframework.web.filter.DelegatingFilterProxy], 
    ApplicationFilterConfig[name=securedHttpFilter, filterClass=com.obfuscated.SecuredHttpFilter],
    ApplicationFilterConfig[name=CacheOffFilter, filterClass=com.obfuscated.CacheOffFilter], 
    ApplicationFilterConfig[name=encodingFilter, filterClass=org.springframework.web.filter.CharacterEncodingFilter], 
    ApplicationFilterConfig[name=struts2, filterClass=org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter], null, null, null, null]
    This is the delegateToUse (DelegatingFilterProxy line 167):
    Code:
    FilterChainProxy[ UrlMatcher = org.springframework.security.web.util.AntUrlPathMatcher[requiresLowerCase='true']; 
    Filter Chains: {/images/**=[], /struts/**=[], /css/**=[], /js/**=[], /favicon.ico=[], /index.html=[], /login.jsp=[], /timeout.action=[], /illegalcharacter.action=[], /login/**=[], /poll/**=[], /**=
    [org.springframework.security.web.context.SecurityContextPersistenceFilter@147e1, 
    org.springframework.security.web.authentication.logout.LogoutFilter@163b25, 
    org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@18538c1, 
    org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1512c9c, 
    org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@47db5e, 
    [email protected]19331e8, 
    org.springframework.security.web.access.ExceptionTranslationFilter@b1b6c0, 
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor@1551d8f]}]
    We don't use the Spring Security mechanism to log in, but when the user has successfully connected we execute the following piece of code:
    Code:
    SecurityContextHolder.getContext().setAuthentication(token);
    putSessionObject(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
    Am I missing something somewhere in order for this to work correctly?

    If you need more information, please ask.

    Regards,

    Tom.
    Last edited by tbriers; Jun 4th, 2012, 04:14 AM.
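The snippet in the post sets the authentication on whatever context the holder currently returns and stores that same object in the session, so the session attribute and the holder share one SecurityContextImpl instance. As an added illustration (my own code, not the poster's and not part of Spring Security), the following servlet filter for Spring Security 3.0 logs, for every request, what the HttpSession holds under SPRING_SECURITY_CONTEXT_KEY next to what SecurityContextHolder holds, before and after the rest of the chain runs, so the request on which the two diverge can be pinned down in the same sessionId/uri style as the log lines above. It also carries a programmatic-login helper that builds a fresh context rather than mutating the shared one. The package, class and method names, the use of System.out for the audit line, and the role names passed to the helper are assumptions; the filter must be registered in web.xml after springSecurityFilterChain so the holder is populated when it runs.

```java
// Added example, not code from the thread: an audit filter plus a programmatic-login
// helper for Spring Security 3.0 on a javax.servlet container. Names are hypothetical.
package com.example.diag;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

public class SecurityContextAuditFilter implements Filter {

    // Same session key the post's login code writes to.
    private static final String KEY = HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;

    /** Establish an authenticated session for a user verified outside Spring Security. */
    public static void establishSession(HttpServletRequest request, String username, String... roles) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                username, null, AuthorityUtils.createAuthorityList(roles));
        // Build a new context instead of mutating the object the holder currently
        // references: that object may already be the one stored in the session and
        // visible to other requests of the same session.
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
        // getSession(true): without a session the context cannot outlive this request.
        request.getSession(true).setAttribute(KEY, ctx);
    }

    /** One audit line, mirroring the sessionId/uri/context fields of the post's log lines. */
    static String describe(HttpServletRequest request, String phase) {
        HttpSession session = request.getSession(false);
        Object stored = (session == null) ? null : session.getAttribute(KEY);
        SecurityContext held = SecurityContextHolder.getContext();
        boolean sameObject = (stored == held);
        String storedSummary = (stored instanceof SecurityContext)
                ? summarize((SecurityContext) stored) : String.valueOf(stored);
        return String.format("phase=%s sessionId=%s uri=%s holder=%s session=%s sameObject=%s",
                phase,
                (session == null) ? "none" : session.getId(),
                request.getRequestURI(),
                summarize(held),
                storedSummary,
                sameObject);
    }

    /** "NullAuthentication" is exactly the state the second log line in the post shows. */
    static String summarize(SecurityContext ctx) {
        if (ctx == null) {
            return "null";
        }
        Authentication a = ctx.getAuthentication();
        return (a == null) ? "NullAuthentication" : a.getName() + "/authenticated=" + a.isAuthenticated();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        System.out.println(describe(request, "before"));
        try {
            chain.doFilter(req, res);
        } finally {
            // We are still inside SecurityContextPersistenceFilter here, so the holder has
            // not been cleared yet; a mismatch now tells which side changed during the request.
            System.out.println(describe(request, "after"));
        }
    }

    public void init(FilterConfig cfg) {}

    public void destroy() {}
}
```

Reading the output: a request whose "before" line already shows session=NullAuthentication was handed an empty context by an earlier request, while a request whose "after" line shows it and whose "before" line did not is the one that emptied it; sameObject=true on both lines confirms that the session and the holder share a single instance, which is why mutating it from any one request is visible to the whole session.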

  • #2
    I believe this might be related to the following thread:
    http://forum.springsource.org/showth...been-delivered
    And the following jira:
    https://jira.springsource.org/browse/SEC-2005

    I'll try to check during new stress-tests.
