SS 3.1.3 Error after relogin
  • SS 3.1.3 Error after relogin

    Hello. I have the following configuration for Spring Security:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security 
            http://www.springframework.org/schema/security/spring-security-3.1.xsd">
        <http access-denied-page="/index.html">
            <intercept-url pattern="/errors/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
            <intercept-url pattern="/extjs/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
            <intercept-url pattern="/locale/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
            <intercept-url pattern="/pkgs/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
            <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
            <intercept-url pattern="/tinymce/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
            <intercept-url pattern="/ulmart-constants.js" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
            <intercept-url pattern="/app-ulmart-login.js" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
            <intercept-url pattern="/UlmartExtJSListener" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
            <intercept-url pattern="/UlmartFileUploader" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
            <intercept-url pattern="/index.html*" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
    
            <intercept-url pattern="/**" access="ROLE_ulmart_user" />
        
            <form-login login-page="/index.html" authentication-failure-handler-ref="loginFailureHandler"
                authentication-success-handler-ref="loginSuccessHandler" always-use-default-target="true"/>
                
            <logout invalidate-session="true" delete-cookies="JSESSIONID" success-handler-ref="logoutSuccessHandler"/>
    
            <remember-me key="rememberMeUlmartKey" services-ref="ulmartIPTokenBasedRememberMeServicesBean" />
    
            <session-management invalid-session-url="/index.html">
                <concurrency-control max-sessions="1" />
            </session-management>
        </http>
        
        <authentication-manager alias="authenticationManager">
            <authentication-provider user-service-ref="userService">
                <password-encoder ref="ulmartPasswordEncoder">
                    <salt-source ref="ulmartSaltSource" />
                </password-encoder>
            </authentication-provider>
        </authentication-manager>
    
        <beans:bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="ulmartSaltSource">
            <beans:property name="userPropertyToUse" value="username" />
        </beans:bean>
    
        <beans:bean class="ru.ulmart.web.admin.security.IPTokenBasedRememberMeServices" name="ulmartIPTokenBasedRememberMeServicesBean">
            <beans:property name="key">
                <beans:value>rememberMeUlmartKey</beans:value>
            </beans:property>
            <beans:property name="userDetailsService" ref="userService" />
        </beans:bean>
    
        <beans:bean class="ru.ulmart.web.admin.security.PasswordEncoder" id="ulmartPasswordEncoder" />
    
        <beans:bean id="loginFailureHandler" class="ru.ulmart.web.admin.security.LoginFailureHandler" />
        <beans:bean id="loginSuccessHandler" class="ru.ulmart.web.admin.security.LoginSuccessHandler" />
        <beans:bean id="logoutSuccessHandler" class="ru.ulmart.web.admin.security.LogoutSuccessHandler" />
        
        <beans:bean id="userService" class="ru.ulmart.web.admin.security.UserManagerDaoImpl">
            <beans:property name="sessionFactory" ref="sessionFactory"/>
        </beans:bean>
    </beans:beans>
    The situation is:
    0. Login as User2 without role ROLE_ulmart_user - doesn't have access to main.html - OK;
    1. Login as User1 with role ROLE_ulmart_user - has access to main.html - OK;
    2. Logout;
    3. Login as User1 with role ROLE_ulmart_user - has access to main.html - OK;
    4. Logout;
    5. Login as User2 without role ROLE_ulmart_user - has access to main.html - BAD!!!!; Why does it have access?
    6. Try to login as User1 - get access denied - Why doesn't it have access? It must have it;

  • #2
    Try enabling debug logging.

    • #3
      Already enabled. But I don't understand why. I suppose that the session is cookie enabled for this.

      • #4
        It is difficult to say without seeing your logs. Can you post them? Are you switching between HTTP and HTTPS? If so, you may want to consult the FAQ. You can also use a plug-in like Firefox's Tamper Data to view the requests and determine whether the JSESSIONID cookie is being submitted and, if so, with what values.
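An added example, not from this thread, of the check #4 describes: a small Python audit over a constructed proxy-style capture of the login/logout/login sequence that reports which JSESSIONID and remember-me cookie the browser sent and the server set at each step, so you can see whether the session id is renewed at login and whether a remember-me token survives logout. It assumes the Spring Security 3.1 default login and logout URLs and remember-me cookie name; the trace and all cookie values are constructed placeholders.

```python
from http.cookies import SimpleCookie

RM = "SPRING_SECURITY_REMEMBER_ME_COOKIE"          # Spring Security default cookie name
LOGIN, LOGOUT = "/j_spring_security_check", "/j_spring_security_logout"  # 3.1 defaults

# Constructed capture (direction, line) in the style of a Tamper Data / proxy log.
# Cookie values are made-up placeholders, not real tokens.
TRACE = [
    ("req", "POST " + LOGIN + " (User1)"),
    ("req", "Cookie: JSESSIONID=AAA111"),
    ("res", "Set-Cookie: JSESSIONID=BBB222; Path=/"),
    ("res", "Set-Cookie: " + RM + "=tokenUser1; Path=/"),
    ("req", "GET " + LOGOUT),
    ("req", "Cookie: JSESSIONID=BBB222; " + RM + "=tokenUser1"),
    ("res", "Set-Cookie: JSESSIONID=; Max-Age=0; Path=/"),
    ("req", "POST " + LOGIN + " (User2)"),
    ("req", "Cookie: JSESSIONID=CCC333; " + RM + "=tokenUser1"),
    ("res", "Set-Cookie: JSESSIONID=DDD444; Path=/"),
]

def parse_steps(trace):
    """Group the capture into steps: request line, cookies sent, cookies set ("" = cleared)."""
    steps = []
    for direction, line in trace:
        header, _, rest = line.partition(":")
        if direction == "req" and header != "Cookie":
            steps.append({"req": line, "sent": {}, "set": {}})
            continue
        jar = SimpleCookie()
        jar.load(rest.strip())
        for name, m in jar.items():
            cleared = m["max-age"] == "0" or m.value == ""
            steps[-1]["sent" if direction == "req" else "set"][name] = "" if cleared else m.value
    return steps

def audit(steps):
    """Report a session id not renewed at login and a remember-me token that outlives logout."""
    findings, live_rm = [], None
    for i, s in enumerate(steps):
        sent, issued = s["sent"], s["set"]
        if s["req"].startswith("POST " + LOGIN):
            if "JSESSIONID" in sent and issued.get("JSESSIONID", sent["JSESSIONID"]) == sent["JSESSIONID"]:
                findings.append(f"step {i}: JSESSIONID not renewed on login (fixation risk)")
            if live_rm and sent.get(RM) == live_rm:
                findings.append(f"step {i}: previous user's {RM} still sent at login")
            live_rm = issued.get(RM, live_rm)
        elif s["req"].startswith("GET " + LOGOUT):
            if issued.get(RM) != "":
                findings.append(f"step {i}: logout did not clear {RM}")
            else:
                live_rm = None
    return findings
```

Run `audit(parse_steps(TRACE))` on a real capture pasted in the same shape; an empty list means both cookies behaved as expected across the sequence.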