  • Getting double login request with HTTPS switch

    I've got a website that I'm trying to secure with Acegi 1.0.0-RC1 and I'm having a problem where the user is forced to log in twice. It appears to be related to Channel Security because if I disable that, the problem goes away. My goal is to have the login process secured via HTTPS, but return to HTTP after login.

    Here's the scenario to reproduce the problem:

    1) User requests the home page /index.jsp (HTTP)
    2) User clicks Login to go to /login.jsp, which is secure (HTTPS), but not restricted by role
    3) User enters their username and password and submits the login form:
    <form action="/myWebapp/j_acegi_security_check" method="POST" >
    4) A successful login sends them to /redirect.jsp (HTTP or HTTPS).
    5) /redirect.jsp redirects them using a Meta Refresh to /secure/index.jsp (HTTP mandatory).

    That is a successful path, which users get the first time. I added the redirect.jsp step because if I configure Acegi to go straight to /secure/index.jsp, I get an IE warning about redirection to an insecure URL.

    Here's the problem. If I restart the webapp context or the user's session expires and then repeat the steps above, step 5) fails to redirect me to /secure/index.jsp and instead I receive the login screen again. If I again present the right credentials, I go straight to the /secure/index.jsp, skipping the /redirect.jsp.

    Looking in the debug output, it appears that I log in successfully, but Acegi somehow forgets that I'm logged in. It may be related to HTTP vs HTTPS cookies, I'm not sure. Here's the relevant snippet of the log that appears after the first login attempt:

    Code:
    2005-12-28 10:14:05,469 WARN  org.acegisecurity.event.authentication.LoggerListener - Authentication event AuthenticationSuccessEvent: seller; details: org.acegisecurity.ui.WebAuthenticationDetails@a4f040: RemoteIpAddress: 127.0.0.1; SessionId: B890974208866CCAB5CE889B306503D2
    2005-12-28 10:14:05,469 WARN  org.acegisecurity.event.authentication.LoggerListener - Authentication event InteractiveAuthenticationSuccessEvent: seller; details: org.acegisecurity.ui.WebAuthenticationDetails@a4f040: RemoteIpAddress: 127.0.0.1; SessionId: B890974208866CCAB5CE889B306503D2
    2005-12-28 10:14:05,766 DEBUG org.acegisecurity.intercept.web.SecurityEnforcementFilter - Chain processed normally
    2005-12-28 10:14:05,844 DEBUG org.acegisecurity.intercept.web.SecurityEnforcementFilter - Access is denied (user is anonymous); redirecting to authentication entry point

    Below are what I think are the relevant portions of my Acegi configuration:

    Code:
        <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
          <property name="filterInvocationDefinitionSource">
             <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
    /**=channelProcessingFilter,httpSessionContextIntegrationFilter,authProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter,securityContextHolderAwareRequestFilter
             </value>
          </property>
        </bean>
    
       <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
          <property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
          <property name="filterInvocationDefinitionSource">
             <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    \A/login.jsp.*\Z=REQUIRES_SECURE_CHANNEL
                    \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
                    \A/secure/.*\Z=REQUIRES_INSECURE_CHANNEL
             </value>
          </property>
       </bean>
    
       <bean id="authProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
          <property name="authenticationManager"><ref bean="authenticationManager"/></property>
          <property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property>
          <property name="defaultTargetUrl"><value>/redirect.jsp</value></property>
          <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
       </bean>
    
       <bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
          <property name="loginFormUrl"><value>/login.jsp</value></property>
          <property name="forceHttps"><value>false</value></property>
       </bean>
    
       <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
          <property name="authenticationManager"><ref bean="authenticationManager"/></property>
          <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
          <property name="objectDefinitionSource">
              <value>
                  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                  PATTERN_TYPE_APACHE_ANT
                  /index.jsp=ROLE_ANONYMOUS,ROLE_USER
                  /seller/**=ROLE_SELLER
              </value>
          </property>
       </bean>

  • #2
    This sounds like it might be another HTTPS session issue, similar to that discussed in this thread (and the one which led to it):

    http://forum.springframework.org/showthread.php?t=16675

    Can you give some more information on what container you are using and write a test to check if the session is being lost when you switch from HTTPS to HTTP?

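As an added example (not code from the thread, from Acegi or from any servlet container), here is an offline check of the hypothesis in reply #2: feed the Set-Cookie headers captured from each response in the reproduction steps through a minimal browser-style cookie jar and see whether the JSESSIONID that was authenticated at /j_acegi_security_check is still presented on the later plain-HTTP requests. The traces, the cookie values and the assumption that the container marked a session cookie created over HTTPS as Secure are constructed for illustration.

```python
from http.cookies import SimpleCookie

def replay(trace, name="JSESSIONID"):
    """trace: list of (scheme, path, set_cookie_header_or_None), one per response,
    in request order. Returns the session id the browser would present on each
    request (None = nothing sent), applying the RFC 6265 rule that a cookie
    carrying the Secure attribute is only sent over https."""
    jar = {}          # cookie name -> (value, secure flag)
    presented = []
    for scheme, path, set_cookie in trace:
        entry = jar.get(name)
        if entry and (scheme == "https" or not entry[1]):
            presented.append(entry[0])
        else:
            presented.append(None)
        if set_cookie:                      # apply the response's Set-Cookie
            cookies = SimpleCookie()
            cookies.load(set_cookie)
            for key, morsel in cookies.items():
                jar[key] = (morsel.value, bool(morsel["secure"]))
    return presented

def session_kept_after_login(trace, login_path="/j_acegi_security_check"):
    """True if the session id presented at the login POST is the one presented on
    every later request; False means the container sees a different, never
    authenticated session after the switch to HTTP (the 'user is anonymous' case)."""
    ids = replay(trace)
    login_idx = next(i for i, (_, p, _) in enumerate(trace) if p == login_path)
    auth_sid = ids[login_idx]
    return auth_sid is not None and all(s == auth_sid for s in ids[login_idx + 1:])

# Constructed trace A: session cookie first issued during the HTTPS login and
# flagged Secure (assumed container behaviour), so the browser withholds it over HTTP.
TRACE_SECURE = [
    ("https", "/login.jsp", "JSESSIONID=AAA111; Path=/; Secure"),
    ("https", "/j_acegi_security_check", None),
    ("http", "/redirect.jsp", "JSESSIONID=BBB222; Path=/"),   # container starts a fresh session
    ("http", "/secure/index.jsp", None),
]
# Constructed trace B: session created over plain HTTP at step 1 (/index.jsp), no Secure flag.
TRACE_PLAIN = [
    ("http", "/index.jsp", "JSESSIONID=CCC333; Path=/"),
    ("https", "/login.jsp", None),
    ("https", "/j_acegi_security_check", None),
    ("http", "/redirect.jsp", None),
    ("http", "/secure/index.jsp", None),
]
# replay(TRACE_SECURE) -> [None, 'AAA111', None, 'BBB222']; session_kept_after_login -> False
```

Run it on headers captured with the browser's developer tools or an intercepting proxy: a None in the HTTP positions, or a second session id after the login POST, shows that the session holding the authenticated SecurityContext never reaches the HTTP side of the application.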