
  • Problem with SecurityContextHolder

    Hi,

    Ours is an enterprise application and we are using Acegi 1.0.3. We are facing a problem in fetching authenticated data from SecurityContextHolder.

    When multiple users try to access SecurityContextHolder concurrently to fetch authentication details it's not returning correct data, and this problem is not consistent. By multiple users I mean multiple logged-in (authenticated) users hitting the same piece of code on the server concurrently (at the same time) to fetch authentication details from SecurityContextHolder. Sometimes it works, but sometimes the authentication details are jumbled up and returned.

    The same code works perfectly fine for any number of non concurrent hits.

    My questions ...

    1. Is there any limitation in Acegi on the number of users who can access SecurityContextHolder concurrently?

    2. Did anyone face such a problem earlier, if so any solution?

    3. How does SecurityContextHolder work when accessed by multiple users concurrently?

    We are stuck with a major problem because of this and any help is greatly appreciated.

    Thanks in advance,

    Regards,
    Lakshmi

  • #2
    The SecurityContextHolder stores the user information in a ThreadLocal. So if the request of each user is handled in a separate thread then there is no problem. In your scenario it seems that multiple users share the same thread somehow. Can you check this?


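    The ThreadLocal behaviour described in #2, shown as an added example (not code from this thread or from Acegi itself): two request threads each see only their own principal, while a pooled thread whose context is not cleared hands the previous user's authentication to the next request, which is exactly the "jumbled" symptom a missing clearContext() produces. It assumes Acegi 1.0.x (org.acegisecurity) on the classpath and Java 8+ for the lambdas; the users and request sequence are constructed.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

public class ContextHolderDemo {

    // Simulated request handling (constructed for this example): bind the
    // authenticated user to the current thread, then read it back the way a
    // service layer would. A null user models an unauthenticated request.
    static String handle(String user, boolean clearAfterwards) {
        if (user != null) {
            Authentication auth = new UsernamePasswordAuthenticationToken(user, "n/a");
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        try {
            Authentication seen = SecurityContextHolder.getContext().getAuthentication();
            return seen == null ? "anonymous" : String.valueOf(seen.getPrincipal());
        } finally {
            // HttpSessionContextIntegrationFilter clears the holder in its own
            // finally block; skipping that step is how a pooled thread "remembers"
            // the last user and leaks it into the next request it serves.
            if (clearAfterwards) SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) throws Exception {
        // Two users on two threads: each thread sees only its own principal.
        ExecutorService two = Executors.newFixedThreadPool(2);
        Future<String> a = two.submit(() -> handle("alice", true));
        Future<String> b = two.submit(() -> handle("bob", true));
        System.out.println("alice thread saw: " + a.get() + ", bob thread saw: " + b.get());
        two.shutdown();

        // One reused thread without clearing: the following unauthenticated
        // request inherits carol's context instead of seeing "anonymous".
        ExecutorService one = Executors.newSingleThreadExecutor();
        one.submit(() -> handle("carol", false)).get();
        System.out.println("stale context on reused thread: "
                + one.submit(() -> handle(null, false)).get());

        // Same sequence with clearContext(): the unauthenticated request sees nothing.
        one.submit(() -> handle("carol", true)).get();
        System.out.println("after clearContext(): "
                + one.submit(() -> handle(null, true)).get());
        one.shutdown();
    }
}
```
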
  • #3
    Thanks a lot for the reply.

    We are using Flex as our front end, so the front end doesn't create any threads for requests. A client request starts in Flex, goes through a Struts 2.0 action and reaches the service layer from there. Please let me know if I am missing something in this flow.


  • #4
    I have not used Flex yet, so I cannot comment on this. But I cannot think of how concurrent requests could be handled in one thread.
    I would investigate this further, as in the normal case concurrent user interactions should occur in different threads.

    Regards,
    Andreas


  • #5
    Hi Lakshmi,

    This problem happens to us also. Sometimes authentication details are jumbled up, i.e., you can log in to our Spring/JBoss based application (with Apache in front) and after some navigation in the site your authentication gets switched and you appear as another user...
    As for your questions, I really don't think it relates to the number of concurrent users. Deep navigation in the Acegi code found no concern about the number of concurrent users. We still have no solution to this case.
    Yet, I found some bug in the Acegi JIRA that might be related to this problem - http://opensource.atlassian.com/proj...browse/SEC-398 . Still haven't tried the committed fix though...

    Have you found a solution already?


  • #6
    Hi Matid,

    Actually we were testing in the Mozilla browser and found something interesting about the browser. In Mozilla Firefox (5.0), when we open two windows or two tabs and access the same URL it doesn't create two independent unique session IDs but shares the same ID between the two. Since we get only one session ID there is only one object in the SecurityContext even though you have logged in as two different users. Nevertheless, the issue was not found when testing in IE 6.0.

    That's what we have found. We are still testing. Will keep you posted as and when we get a solution.

    Regards,
    Lakshmi


  • #7
    Originally posted by mslakshmi:
    Actually we were testing in the Mozilla browser and found something interesting about the browser. In Mozilla Firefox (5.0), when we open two windows or two tabs and access the same URL it doesn't create two independent unique session IDs but shares the same ID between the two. Since we get only one session ID there is only one object in the SecurityContext even though you have logged in as two different users. Nevertheless, the issue was not found when testing in IE 6.0.
    Hi Lakshmi. That is expected, as IE6 starts its own process for each window while Mozilla uses only one process. When using IE7 with tabbing you would encounter the same issue there.

    Regards,
    Andreas


  • #8
    Hi Senft,

    We too have anticipated the same even in IE 7. But since we are also using single sign-in in our application, the entries in the SessionRegistry (Acegi) are not populated properly because of this browser behaviour. That was causing the issue.

    Any solution...

    Regards,
    Lakshmi


  • #9
    Hi Lakshmi. That is expected, as IE6 starts its own process for each window while Mozilla uses only one process. When using IE7 with tabbing you would encounter the same issue there.
    Well, not entirely true. If you open a new window with [CTRL]+[N] (in IE or Firefox) it still runs in the same process (well, at least it shares the session information). Only opening a new window with the IE icon or Firefox icon will create a completely clean IE/Firefox.


  • #10
    Ok. I confess I wasn't too accurate in my statement.


  • #11
    Even with this browser behavior I do not understand how that could cause the problem of jumbling user data. If you have different sessions, nothing should interfere, and if you share a session with multiple browsers then it should be the same user.

    Do you have some DEBUG log output of such a problematic case?

    Regards,
    Andreas


  • #12
    Right now I do not have any debug log available with me, but I can try to explain the problem I am facing.

    User 1 logs into browser 1 (authenticated and logged in).
    User 2 logs into browser 2 (let it be a new tab or new window in Mozilla).
    User 2 is also authenticated and logged in.

    If you notice, in the Flex UI there will be two logged-in users but the session ID is only one for both users in the SecurityContextHolder. When one of the users logs out, since we are clearing the SecurityContext and HttpSession on logout, the other user is also forcibly logged out.

    This is one side of the problem. The other side is that later, at some point in the application when user details are retrieved from the SecurityContext, it returns wrong user details. Though it is inconsistent, the problem is there.


  • #13
    Originally posted by mslakshmi:
    If you notice, in the Flex UI there will be two logged-in users but the session ID is only one for both users in the SecurityContextHolder.
    Is this some "feature" of Flex then? As I said, I am not familiar with it. But with, for example, a JSP app two users should end up with two sessions. I would investigate what Flex actually does here.

    Regards,
    Andreas


  • #14
    This is not a feature of Flex. We have investigated that. If you still find something interesting please do keep me posted.


  • #15
    If it is

    1) A new tab in Firefox/IE7
    2) A new window opened with [CTRL]+[N]

    then the behavior you see is expected! This is because all of the session information etc. is copied onto the new window/tab. If you open a new window with the IE or Firefox icon (or start menu) this behavior shouldn't happen and you should see 2 sessions. You would see the same behavior for a Flex or JSP application.

    Is there a work-around? Not that I'm aware of; the sessionId is needed to look up the current user.

    The only solution I can think of is to remove the dependency on the HTTP session and make your application stateless (or keep the state on the client side instead of the server) and don't use the session.