  • strange remember-me behaviour

    hi,

    I'm using spring security 2.0 in combination with JSF.

    There is a really strange behaviour when I'm trying to use the final step of the remember-me feature. Let me explain in more detail:

    1. I log in to my application successfully via a form; this brings me to the secured area
    2. I close the browser
    3. I successfully check that the cookie is set
    4a. I reopen the browser and try to get access to the secured area => this works

    LOG:
    Code:
    Authentication event AuthenticationSuccessEvent: [email protected]; details: org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null
    Authentication event InteractiveAuthenticationSuccessEvent: [email protected]; details: org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null
    Security authorized for authenticated principal: org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@4f2c9185: Principal: org.springframework.security.userdetails.User@b07ed00: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER, user; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_USER, user; secure object: FilterInvocation: URL: /profiles/index.jsf; configuration attributes: [ROLE_USER]

    5a. BUT: I have a managed bean that gets the username for me, so that I can write something like this in the facelet *.xhtml files of the secured area:

    Code:
    <p>Hello #{authenticationController.user.username}</p>

    The bean's method is like this:

    Code:
    public User getUser() {
        final HttpServletRequest request = getRequest();
        SecurityContextImpl securityContextHolder = (SecurityContextImpl) request.getSession().getAttribute( HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY );
        Authentication auth = securityContextHolder.getAuthentication();
        return (User) auth.getPrincipal();
    }

    AND THIS delivers a NullPointerException (on securityContextHolder.getAuthentication()).
    Note that it does work when I do a normal login and then go to this page (Steps 1+2).


    4b. And here is another strange thing:
    After reopening the browser I tried to go to the public area first and then go to the secured area => Now this works (NO NullPointer anymore)

    Really strange, and I can't really figure out why.

    I'd appreciate any hints!

    Thanks in advance


    My securityContext is like this:

    Code:
        <http auto-config="false" >
            <intercept-url pattern="/profiles/**" access="ROLE_USER"/>    
            <form-login login-page="/login.jsf"/>
            <logout />
            <remember-me key="rememberMeKey" user-service-ref="userService" />
        </http>
    
    ...
    Last edited by callisto; May 5th, 2008, 06:44 AM.

  • #2
    I think that the failure, the strange behaviour, happens because of the invalid/not-present session (in the logs it says: "SessionId: null").

    Therefore the SecurityContextHolder can't be taken out of the session...

    But why is this? Why is there NO session present?

    Is there a possible workaround (say, to initiate a session and link it to the RememberMeAuthenticationToken manually)?

    Again, thanks in advance



    • #3
      I still have the same problem and am massively lacking possible solutions now...

      Here is my full securityContext:

      Code:
      <?xml version="1.0" encoding="UTF-8"?>
      <beans:beans xmlns="http://www.springframework.org/schema/security"
                   xmlns:beans="http://www.springframework.org/schema/beans"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                      http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">  
          
          <http auto-config="false" session-fixation-protection="none">
              <intercept-url pattern="/profiles/**" access="ROLE_USER"/>    
              <form-login login-page="/login.jsf"/>
              <logout />
              <remember-me key="rememberMeKey" user-service-ref="userService" />
          </http>
          
          <authentication-provider user-service-ref="userService">
              <password-encoder hash="md5" />
          </authentication-provider>
          
          <beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
              <beans:property name="resourceRef" value="false"/>
              <beans:property name="jndiName" value="pgdb" />
          </beans:bean>
          
          <beans:bean id="userService" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
              <beans:property name="dataSource" ref="dataSource" />
              <beans:property name="usersByUsernameQuery">
                  <beans:value>
                      SELECT email AS username, password, enabled FROM user WHERE email = ?
                  </beans:value>
              </beans:property>
              <beans:property name="authoritiesByUsernameQuery">
                  <beans:value>
                      SELECT u.email AS username, r.userrole AS authority FROM user u JOIN user2userrole r ON (u.email = r.email) WHERE u.email = ?
                  </beans:value>
              </beans:property>
          </beans:bean>
          
          <authentication-manager alias="authenticationManager"/>
          
          <beans:bean id="authenticationController" class="com.test.user.security.AuthenticationController" scope="session">
              <beans:property name="authenticationManager" ref="authenticationManager" />
              <beans:property name="rememberMeServices" ref="_rememberMeServices" />
          </beans:bean>
          
          
          <!-- These beans are optional; they aren't used by any other bean as they only listen and log -->
          <beans:bean id="loggerListenerAuthentication" class="org.springframework.security.event.authentication.LoggerListener"/>
          <beans:bean id="loggerListenerAuthorization"  class="org.springframework.security.event.authorization.LoggerListener"/>
      </beans:beans>

      Any hints?

      best regards



      • #4
        It's working

        Finally, I got it working.

        Instead of getting the Authentication object out of the http session via

        Code:
        final HttpServletRequest request = getRequest();
        SecurityContextImpl  securityContextHolder = (SecurityContextImpl) request.getSession().getAttribute( HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY );
        Authentication auth = securityContextHolder.getAuthentication();

        I now use the static method of SecurityContextHolder:

        Code:
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        which works fine.

        But there is still a question that bothers me, since I'm using the first approach in another piece of code:

        What's the exact difference between those two?

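The question at the end of #4 is what the following added example (not code from the thread or from Spring Security) is meant to illustrate. It is a dependency-free model of the request flow: a session-integration filter that loads the security context from the HTTP session at the start of a request and stores it back at the end, and a remember-me filter that, when the cookie is present, authenticates into the thread-bound holder only. The class names (`SecurityContextHolder`, `Request`, `Session`), the attribute key, the user name and the filter ordering are all assumptions of this example, chosen to match the load-at-start/store-at-end behaviour the thread's log lines suggest rather than taken from the Spring Security source.

```java
// Added example, not from the thread: models why a session-attribute lookup can be
// null on the first request after a browser restart while the thread-bound holder is
// already populated by remember-me. All names below are hypothetical stand-ins.
import java.util.HashMap;
import java.util.Map;

public class RememberMeContextDemo {

    /** Minimal stand-in for an Authentication object. */
    static final class Authentication {
        final String name;
        Authentication(String name) { this.name = name; }
    }

    /** Thread-bound holder, a simplified stand-in for SecurityContextHolder. */
    static final class SecurityContextHolder {
        private static final ThreadLocal<Authentication> CONTEXT = new ThreadLocal<Authentication>();
        static Authentication getAuthentication() { return CONTEXT.get(); }
        static void setAuthentication(Authentication a) { CONTEXT.set(a); }
        static void clear() { CONTEXT.remove(); }
    }

    /** Assumed session attribute key under which the context is persisted. */
    static final String CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    /** A server-side session; null on the request until getSession() creates one. */
    static final class Session { final Map<String, Object> attributes = new HashMap<String, Object>(); }

    /** A request with an optional pre-existing session and an optional remember-me cookie. */
    static final class Request {
        Session session;
        final boolean hasRememberMeCookie;
        Request(Session session, boolean hasRememberMeCookie) {
            this.session = session;
            this.hasRememberMeCookie = hasRememberMeCookie;
        }
        /** Like HttpServletRequest.getSession(): creates an empty session on demand. */
        Session getSession() {
            if (session == null) session = new Session();
            return session;
        }
    }

    /** Lookup 1 from the thread: read the context straight out of the session attribute. */
    static String viaSessionAttribute(Request req) {
        Authentication a = (Authentication) req.getSession().attributes.get(CONTEXT_KEY);
        return a == null ? null : a.name; // null here is the NullPointerException the thread hit
    }

    /** Lookup 2 from the thread: read the context from the thread-bound holder. */
    static String viaHolder() {
        Authentication a = SecurityContextHolder.getAuthentication();
        return a == null ? null : a.name;
    }

    /** One pass through the filter chain; returns {sessionLookup, holderLookup} as seen by the page. */
    static String[] handleRequest(Request req) {
        // 1. Session-integration filter, start of request: load context from an existing session.
        SecurityContextHolder.clear();
        if (req.session != null) {
            SecurityContextHolder.setAuthentication((Authentication) req.session.attributes.get(CONTEXT_KEY));
        }
        // 2. Remember-me filter: cookie present and nobody authenticated yet -> populate the holder only.
        if (req.hasRememberMeCookie && SecurityContextHolder.getAuthentication() == null) {
            SecurityContextHolder.setAuthentication(new Authentication("alice@example.com")); // constructed user
        }
        // 3. The page (managed bean) runs here, between the filters' start and end phases.
        String[] seen = { viaSessionAttribute(req), viaHolder() };
        // 4. Session-integration filter, end of request: persist the holder's context to the session.
        Authentication a = SecurityContextHolder.getAuthentication();
        if (a != null) req.getSession().attributes.put(CONTEXT_KEY, a);
        SecurityContextHolder.clear();
        return seen;
    }

    public static void main(String[] args) {
        // Case 4a: browser reopened, no session yet, cookie present, straight to the secured page.
        Request first = new Request(null, true);
        String[] r1 = handleRequest(first);
        System.out.println("4a: session lookup=" + r1[0] + ", holder lookup=" + r1[1]);
        // Case 4b: a second request on the session the first request created and populated.
        Request second = new Request(first.session, true);
        String[] r2 = handleRequest(second);
        System.out.println("4b: session lookup=" + r2[0] + ", holder lookup=" + r2[1]);
    }
}
```

Under this model the first request sees the holder populated but the session attribute empty, and only once the end-of-request phase has written the context into the session does the session-attribute lookup succeed on the next request; reading from the holder works in both cases because the filter chain fills it before the page runs, regardless of whether a session exists yet.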
