need to login twice for ConcurrencySessionFilter to work Page Title Module

  • need to login twice for ConcurrencySessionFilter to work

    Hello,

    I recently configured my application with ConcurrentSessionFilter and started seeing a strange problem: after the first successful login the session is gone, and I have to log in a second time for it to work. I can't figure out what is wrong. Below are my security configuration and the part of the log that says the session is gone.

    09-Mar-2013 10:38:27,834 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] No HttpSession currently exists
    09-Mar-2013 10:38:27,834 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] No HttpSession currently exists
    09-Mar-2013 10:38:27,834 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.
    09-Mar-2013 10:38:27,834 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.



    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:p="http://www.springframework.org/schema/p"
           xmlns:context="http://www.springframework.org/schema/context"
    	   xmlns:aop="http://www.springframework.org/schema/aop"
           xmlns:tx="http://www.springframework.org/schema/tx"
           xmlns:s="http://www.springframework.org/schema/security"
           xsi:schemaLocation="
    			http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    			http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
    			http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
                http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
                http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    
    <!-- Turn on annotation-driven configuration and AspectJ auto-proxying. -->
    <context:annotation-config/>
    <aop:aspectj-autoproxy/>

        <!--<import resource="applicationContext-dataSource.xml"/>-->

        <!-- Resolves the ${...} placeholders used in this file from two property files under WEB-INF.
             jdbc.properties therefore holds the database password and needs the same protection as
             any other secret (file permissions, not committed with real values). -->
        <bean id="propertyConfigurer"
              class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
            <property name="locations">
                <list>
                    <value>WEB-INF/jdbc.properties</value>
                    <value>WEB-INF/mail.properties</value>
                </list>
            </property>
        </bean>

        <!-- JDBC settings come from the placeholders, so no credentials appear in this file. -->
        <bean id="dataSource"
              class="org.springframework.jdbc.datasource.DriverManagerDataSource">
            <property name="driverClassName" value="${jdbc.driverClassName}"/>
            <property name="url" value="${jdbc.url}"/>
            <property name="username" value="${jdbc.username}"/>
            <property name="password" value="${jdbc.password}"/>
        </bean>
    
        <!-- Start Security -->
    
    	<!-- Hand-assembled filter chain (auto-config="false"): the custom login, logout and
    	     concurrent-session filters are placed at their standard positions, and unauthenticated
    	     requests are sent to the entry point bean.
    	     NOTE(review): the three intercept-url rules below only grant anonymous access, and this
    	     element has no catch-all rule such as pattern="/**". A URL that matches no rule is not
    	     access-checked by this chain, so confirm every protected path is covered elsewhere or
    	     add a final rule that requires authentication. -->
    	<s:http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint" >
            <s:intercept-url pattern="/Info/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <s:intercept-url pattern="/Home/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <s:intercept-url pattern="/doc/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <!-- Denied requests are forwarded to this page; the accessDeniedHandler bean defined
                 further down is not referenced here. -->
            <s:access-denied-handler error-page="/Info/denied.action"/>
            <s:custom-filter ref="authenticationProcessingFilter" position="FORM_LOGIN_FILTER"/>
            <s:custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
            <s:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>                
            <!-- Same strategy bean that is injected into the custom login filter, so both paths
                 register sessions in one registry. -->
            <s:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>            
    	</s:http>
    
        <!-- Looks up the session of each request in the registry; a session the registry has marked
             as expired is redirected to expiredUrl. -->
        <bean id="concurrencyFilter"
              class="org.springframework.security.web.session.ConcurrentSessionFilter"
              p:sessionRegistry-ref="sessionRegistry"
              p:expiredUrl="/Info/denied.action"/>

        <!-- In-memory registry shared by the filter above and the strategy below.
             NOTE(review): SessionRegistryImpl only learns that a session ended from session-destroyed
             events, which requires HttpSessionEventPublisher to be registered as a listener in
             web.xml. web.xml is not shown here; confirm the listener is present. -->
        <bean id="sessionRegistry"
              class="org.springframework.security.core.session.SessionRegistryImpl"/>

        <!-- maximumSessions of -1 means no limit: sessions are registered but a user may hold any
             number of them at once. Use a positive value if concurrent logins should be capped.
             In Spring Security 3.1 this strategy builds on the session-fixation protection strategy,
             so the session id normally changes at login; keep that in mind when a session seems to
             vanish right after authentication. -->
        <bean id="sessionAuthenticationStrategy"
              class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
              p:maximumSessions="-1">
            <constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
        </bean>
    
        <!-- Handles /Home/logout.action. The handlers run in the order listed (application handler
             first, then the framework handler that clears the security context), after which the
             browser is redirected to "/". -->
        <bean id="logoutFilter"
              class="org.springframework.security.web.authentication.logout.LogoutFilter"
              p:filterProcessesUrl="/Home/logout.action">
            <!-- logout success URL -->
            <constructor-arg index="0" value="/"/>
            <!-- logout handlers, invoked in order -->
            <constructor-arg index="1">
                <list>
                    <bean id="myLogoutHandler"
                          class="com.myproj.business.security.MyLogoutHandler"/>
                    <bean id="securityContextLogoutHandler"
                          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
                </list>
            </constructor-arg>
        </bean>
    
        <!-- Application-specific access-denied handler.
             NOTE(review): the s:http element configures its access-denied handling with an error-page
             attribute and does not reference this bean; confirm something else uses it. -->
        <bean id="accessDeniedHandler"
              class="com.myproj.business.security.MyAccessDeniedHandlerImpl"
              p:accessDeniedUrl="/Info/denied.action"/>

        <!-- Application class that loads user records for the DAO authentication provider. -->
        <bean id="userDetailsService"
              class="com.myproj.business.service.impl.UserServiceImpl"/>
    
        <!-- SECURITY(review): MD4 is a broken, very fast digest and is not suitable for storing
             passwords; a leaked table of these hashes can be brute-forced cheaply. Prefer an adaptive
             password hash such as bcrypt. Changing the encoder invalidates the stored hashes, so it
             needs a migration plan (for example re-hashing at the next successful login). Left
             unchanged here because the stored data depends on it. -->
        <bean id="passwordEncoder"
              class="org.springframework.security.authentication.encoding.Md4PasswordEncoder">
            <property name="encodeHashAsBase64" value="true"/>
        </bean>

        <!-- The salt is read from the user object through getId: unique per user, but predictable. -->
        <bean id="saltSource"
              class="org.springframework.security.authentication.dao.ReflectionSaltSource">
            <property name="userPropertyToUse" value="getId"/>
        </bean>
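        <!-- Authenticates against userDetailsService, comparing passwords with the configured
             encoder and salt source. -->
        <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
            <property name="userDetailsService" ref="userDetailsService"/>
            <!-- Was "false", which lets "unknown user" surface as a different failure from
                 "wrong password" and so allows account names to be enumerated from the login form.
                 "true" is the framework default: both cases are reported as bad credentials. -->
            <property name="hideUserNotFoundExceptions" value="true"/>
            <property name="saltSource" ref="saltSource"/>
            <property name="passwordEncoder" ref="passwordEncoder"/>
        </bean>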
    
        <!-- Anonymous provider and filter share the key "the_user"; the provider accepts only
             anonymous tokens created with the same key.
             NOTE(review): the key is a hard-coded, guessable literal. Neither bean is referenced by
             the s:http element, and the provider is commented out in the authentication-manager
             below, so confirm whether these definitions are still in use. -->
        <bean id="anonymousAuthenticationProvider"
              class="org.springframework.security.authentication.AnonymousAuthenticationProvider"
              p:key="the_user"/>

        <!-- Anonymous requests get principal "anonymousUser" with ROLE_ANONYMOUS and ROLE_PUBLIC. -->
        <bean id="anonymousAuthFilter"
              class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter"
              p:key="the_user"
              p:userAttribute="anonymousUser,ROLE_ANONYMOUS,ROLE_PUBLIC"/>
    
    	<!-- Sends unauthenticated users to the login page.
    	     SECURITY(review): forceHttps is false, so the login form is served on whatever scheme
    	     the request arrived on. Unless TLS is enforced in front of the application, credentials
    	     can travel over plain HTTP. -->
    	<bean id="authenticationProcessingFilterEntryPoint"
    	      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
    	      p:loginFormUrl="/Home/login.action"
    	      p:forceHttps="false"/>

    	<!-- After a successful login the user always lands on /User/postLogin.action; any saved
    	     request is ignored because alwaysUseDefaultTargetUrl is true. -->
    	<bean id="authenticationSuccessHandler"
    	      class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    		<property name="alwaysUseDefaultTargetUrl" value="true"/>
    		<property name="defaultTargetUrl" value="/User/postLogin.action"/>
    	</bean>

    	<!-- Failed logins return to the login page with login_error=1. -->
    	<bean id="authenticationFailureHandler"
    	      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    		<constructor-arg type="java.lang.String"
    		                 name="defaultFailureUrl"
    		                 value="/Home/login.action?login_error=1"/>
    	</bean>
        
        <!-- Message bundle "security", used for authentication messages. -->
        <bean id="messageSource"
              class="org.springframework.context.support.ResourceBundleMessageSource">
            <property name="basenames">
                <list>
                    <value>security</value>
                </list>
            </property>
        </bean>

        <!-- Custom username/password login filter, installed at FORM_LOGIN_FILTER by s:http.
             It processes POSTs to /Home/j_acegi_security_check.action and is given the same
             sessionAuthenticationStrategy as s:session-management, so a successful login is
             registered with the session registry. -->
        <bean id="authenticationProcessingFilter"
              class="com.myproj.business.security.MyUsernamePasswordAuthenticationFilter"
              p:authenticationManager-ref="authenticationManager"
              p:authenticationSuccessHandler-ref="authenticationSuccessHandler"
              p:authenticationFailureHandler-ref="authenticationFailureHandler"
              p:filterProcessesUrl="/Home/j_acegi_security_check.action"
              p:sessionAuthenticationStrategy-ref="sessionAuthenticationStrategy"
              p:messageSource-ref="messageSource"/>
    
    	<!-- Grants access when any voter votes to grant; if every voter abstains, access is denied. -->
    	<bean id="accessDecisionManager"
    	      class="org.springframework.security.access.vote.AffirmativeBased"
    	      p:allowIfAllAbstainDecisions="false">
    		<property name="decisionVoters">
    			<list>
    				<bean class="org.springframework.security.access.vote.RoleVoter"/>
    				<bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
    			</list>
    		</property>
    	</bean>

    	<!-- Stand-alone security interceptor whose only rule requires ROLE_WE_DONT_HAVE for /Role/*.
    	     NOTE(review): no custom-filter entry in the s:http element references this bean, so
    	     confirm it is actually part of the filter chain; otherwise its rule is never applied.
    	     Also note that "/Role/*" matches a single path segment only; deeper paths would need
    	     "/Role/**". -->
    	<bean id="filterInvocationInterceptor"
    	      class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"
    	      p:authenticationManager-ref="authenticationManager"
    	      p:accessDecisionManager-ref="accessDecisionManager"
    	      p:observeOncePerRequest="false">
    		<property name="securityMetadataSource">
    			<s:filter-security-metadata-source>
    				<s:intercept-url pattern="/Role/*" access="ROLE_WE_DONT_HAVE"/>
    			</s:filter-security-metadata-source>
    		</property>
    	</bean>
    
    	<!-- The authentication manager delegates to the DAO provider only; the anonymous provider
    	     remains commented out. -->
    	<s:authentication-manager alias="authenticationManager">
    		<s:authentication-provider ref="daoAuthenticationProvider"/>
    		<!--<s:authentication-provider ref="anonymousAuthenticationProvider"/>-->
    	</s:authentication-manager>

    	<!-- Application-defined security metadata source; nothing else in this file refers to it. -->
    	<bean id="myDummyObjectDefinitionSource"
    	      class="com.myproj.business.security.MyDummyFilterSecuritySource"/>
    
        <!-- End Security -->
    
    </beans>

  • #2
    I think the problem is with Tomcat server 7.0.14, because after I switched to Glassfish 3.1 the problem went away.
    Has anyone encountered this before? How can I get it to work on Tomcat?
