  • Concurrent session control problem

    Hi all,

    I am having this issue: whenever my session times out and I try to access a secured page, it directs me to my login page to re-authenticate, which is fine and works as expected.

    The problem is that when I try to log in I get this exception:

    Maximum sessions of 1 for this principal exceeded.

    Here is the bit of XML from the security config.

    Code:
    <concurrent-session-control max-sessions="1" 
    	exception-if-maximum-exceeded="true"
    	expired-url="/session_expired.htm" />
    And I have got

    Code:
    <http auto-config="true" access-denied-page="/accessDenied.htm">

    The only way to quickly fix the problem is to restart Tomcat.

    I think that somehow the concurrent session attribute is not cleared when session expires while the user is still logged on.

    Here is a brief summary of the libraries and software I am using.

    Spring core: 2.5.4
    Spring security: 2.0.2
    Spring webflow: 2.0.2
    Tomcat: 6.0
    Java: 1.6.0_06
    Firefox: 3.0

    Any ideas what I can do to fix this problem?

    Regards,
    Oracle.

  • #2
    Now the problem is happening even after I log out properly and immediately try to log in.

    After increasing the log levels, this is what I am getting. I have highlighted the lines I feel might help in red.

    I don't remember experiencing this problem in the past. Only lately has it suddenly come up. It's very weird.

    Also, here is the snippet of form-login and logout:

    Code:
    <form-login login-page="/login.htm"
    	authentication-failure-url="/login.htm?login_error=1"
    	login-processing-url="/j_security_check"
    	default-target-url="/userHome.htm"
    	always-use-default-target="false"/>
    <logout invalidate-session="true" logout-url="/logout" logout-success-url="/login.htm?logout=success"/>
    Code:
    [DEBUG] 15:12:07 FilterChainProxy - Converted URL to lowercase, from: '/j_security_check'; to: /j_security_check'
    [DEBUG] 15:12:07 FilterChainProxy - Candidate is: '/j_security_check'; pattern is /**; matched=true
    [DEBUG] 15:12:07 FilterChainProxy - /j_security_check at position 1 of 11 in additional filter chain; firing Filter: 'org.springframework.security.concurrent.ConcurrentSessionFilter[ order=100; ]'
    [DEBUG] 15:12:07 FilterChainProxy - /j_security_check at position 2 of 11 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
    [DEBUG] 15:12:07 HttpSessionContextIntegrationFilter - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    [DEBUG] 15:12:07 HttpSessionContextIntegrationFilter - New SecurityContext instance will be associated with SecurityContextHolder
    [DEBUG] 15:12:07 FilterChainProxy - /j_security_check at position 3 of 11 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
    [DEBUG] 15:12:07 FilterChainProxy - /j_security_check at position 4 of 11 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
    [DEBUG] 15:12:07 AuthenticationProcessingFilter - Request is to process authentication
    [DEBUG] 15:12:07 ProviderManager - Authentication attempt using org.springframework.security.providers.dao.DaoAuthenticationProvider
    [DEBUG] 15:12:07 AuthenticationProcessingFilter - Updated SecurityContextHolder to contain null Authentication
    [DEBUG] 15:12:07 AuthenticationProcessingFilter - Authentication request failed: org.springframework.security.concurrent.ConcurrentLoginException: Maximum sessions of 1 for this principal exceeded
    [DEBUG] 15:12:07 TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.
    [DEBUG] 15:12:07 TokenBasedRememberMeServices - Cancelling cookie
    [DEBUG] 15:12:07 HttpSessionContextIntegrationFilter - SecurityContextHolder now cleared, as request processing completed
    [DEBUG] 15:12:07 FilterChainProxy - Converted URL to lowercase, from: '/login.htm?login_error=1'; to: '/login.htm?login_error=1'
    [DEBUG] 15:12:07 FilterChainProxy - Candidate is: '/login.htm?login_error=1'; pattern is /**; matched=true
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 1 of 11 in additional filter chain; firing Filter: 'org.springframework.security.concurrent.ConcurrentSessionFilter[ order=100; ]'
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 2 of 11 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
    [DEBUG] 15:12:07 HttpSessionContextIntegrationFilter - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    [DEBUG] 15:12:07 HttpSessionContextIntegrationFilter - New SecurityContext instance will be associated with SecurityContextHolder
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 3 of 11 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 4 of 11 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 5 of 11 in additional filter chain; firing Filter: 'org.springframework.security.ui.basicauth.BasicProcessingFilter[ order=1000; ]'
    [DEBUG] 15:12:07 BasicProcessingFilter - Authorization header: null
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 6 of 11 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
    [DEBUG] 15:12:07 SavedRequestAwareWrapper - Wrapper not replaced; SavedRequest was: null
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 7 of 11 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1200; ]'
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 8 of 11 in additional filter chain; firing Filter: 'org.springframework.security.providers.anonymous.AnonymousProcessingFilter[ order=1300; ]'
    [DEBUG] 15:12:07 AnonymousProcessingFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.providers.anonymous.AnonymousAuthenticationToken@d45793f4: Principal: guest; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F426CB5D06EF5C8242682C76D07DCF7F; Granted Authorities: ROLE_ANONYMOUS'
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 9 of 11 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 10 of 11 in additional filter chain; firing Filter: 'org.springframework.security.ui.SessionFixationProtectionFilter[ order=1600; ]'
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 at position 11 of 11 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@fffa61'
    [DEBUG] 15:12:07 DefaultFilterInvocationDefinitionSource - Converted URL to lowercase, from: '/login.htm'; to: '/login.htm'
    [DEBUG] 15:12:07 DefaultFilterInvocationDefinitionSource - Candidate is: '/login.htm'; pattern is /images/*; matched=false
    [DEBUG] 15:12:07 DefaultFilterInvocationDefinitionSource - Candidate is: '/login.htm'; pattern is /styles/loanapp.css; matched=false
    [DEBUG] 15:12:07 DefaultFilterInvocationDefinitionSource - Candidate is: '/login.htm'; pattern is /resources/**; matched=false
    [DEBUG] 15:12:07 DefaultFilterInvocationDefinitionSource - Candidate is: '/login.htm'; pattern is /login.htm*; matched=true
    [DEBUG] 15:12:07 AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /login.htm?login_error=1; ConfigAttributes: [ROLE_ANONYMOUS, ROLE_USER]
    [DEBUG] 15:12:07 AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.providers.anonymous.AnonymousAuthenticationToken@d45793f4: Principal: guest; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F426CB5D06EF5C8242682C76D07DCF7F; Granted Authorities: ROLE_ANONYMOUS
    [DEBUG] 15:12:07 AbstractSecurityInterceptor - Authorization successful
    [DEBUG] 15:12:07 AbstractSecurityInterceptor - RunAsManager did not change Authentication object
    [DEBUG] 15:12:07 FilterChainProxy - /login.htm?login_error=1 reached end of additional filter chain; proceeding with original chain
    [DEBUG] 15:12:07 LoginController - ############## Inside loginHandler #####################
    [DEBUG] 15:12:07 ExceptionTranslationFilter - Chain processed normally
    [DEBUG] 15:12:07 HttpSessionContextIntegrationFilter - SecurityContextHolder now cleared, as request processing completed

    • #3
      Problem solved!!! Woohoo!!

      It was my mistake. What happened is that I was trying to debug another problem in the application and therefore removed the following from my web.xml file:

      Code:
      <listener>
          <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
      </listener>

      And I believe that for concurrent session control to work it needs this listener configured in the web.xml file.

      Once I put the above listener back it's working like a charm.

      So, anyone having problems with concurrent session control: make sure you have the above listener configured in the web.xml file.

      Cheers,
      Oracle.

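The root cause in this thread is bookkeeping, not authentication: Spring Security's session registry only learns that a session has died when the HttpSessionEventPublisher listener in web.xml turns the container's session-destroyed callback into an event the registry consumes. Without it, every logout or timeout leaves a stale entry behind, so with max-sessions="1" and exception-if-maximum-exceeded="true" the next login is rejected until a restart empties the registry. The following is an added example, not code from the thread or from Spring itself: a small Python model with stand-in names (SessionRegistry, ConcurrentSessionController, ServletContainer, scenario) that reproduces the symptom from post #1 and the fix from post #3, and also shows the alternative behaviour when exception-if-maximum-exceeded is false (the older session is expired instead of the new login being refused).

```python
"""Model of Spring Security 2.0 concurrent-session bookkeeping (added example,
not Spring's code). Class names are stand-ins for SessionRegistryImpl,
ConcurrentSessionControllerImpl and the HttpSessionEventPublisher listener."""
from dataclasses import dataclass
from typing import Callable, Dict, List


class ConcurrentLoginError(Exception):
    """Stand-in for ConcurrentLoginException."""


@dataclass
class SessionInfo:
    session_id: str
    principal: str
    expired: bool = False


class SessionRegistry:
    """Tracks sessions per principal; only forgets one when told to."""

    def __init__(self) -> None:
        self._sessions: Dict[str, SessionInfo] = {}

    def register(self, session_id: str, principal: str) -> None:
        self._sessions[session_id] = SessionInfo(session_id, principal)

    def remove(self, session_id: str) -> None:
        # Reached only via a session-destroyed event (the listener's job).
        self._sessions.pop(session_id, None)

    def live_sessions(self, principal: str) -> List[SessionInfo]:
        return [s for s in self._sessions.values()
                if s.principal == principal and not s.expired]


class ConcurrentSessionController:
    """Enforces max-sessions before a login is accepted."""

    def __init__(self, registry: SessionRegistry, max_sessions: int,
                 exception_if_maximum_exceeded: bool) -> None:
        self.registry = registry
        self.max_sessions = max_sessions
        self.reject_new = exception_if_maximum_exceeded

    def check_allowed(self, principal: str, new_session_id: str) -> None:
        live = [s for s in self.registry.live_sessions(principal)
                if s.session_id != new_session_id]
        if len(live) < self.max_sessions:
            return
        if self.reject_new:
            # exception-if-maximum-exceeded="true": refuse the new login.
            raise ConcurrentLoginError(
                f"Maximum sessions of {self.max_sessions} for this principal exceeded")
        # exception-if-maximum-exceeded="false": expire the oldest session instead.
        live[0].expired = True


class ServletContainer:
    """Tiny Tomcat stand-in: hands out session ids and fires session-destroyed
    callbacks to whatever listeners web.xml registered (constructed model)."""

    def __init__(self) -> None:
        self.listeners: List[Callable[[str], None]] = []
        self._counter = 0

    def new_session(self) -> str:
        self._counter += 1
        return f"S{self._counter}"

    def invalidate(self, session_id: str) -> None:
        # Both logout (invalidate-session="true") and a timeout end up here.
        for listener in self.listeners:
            listener(session_id)


def login(container: ServletContainer, controller: ConcurrentSessionController,
          registry: SessionRegistry, principal: str) -> str:
    sid = container.new_session()
    controller.check_allowed(principal, sid)   # may raise
    registry.register(sid, principal)
    return sid


def scenario(with_listener: bool, reject_new: bool = True) -> str:
    """Log in, end the session, log in again; report what the second login did."""
    container = ServletContainer()
    registry = SessionRegistry()
    if with_listener:
        # HttpSessionEventPublisher -> HttpSessionDestroyedEvent -> registry cleanup
        container.listeners.append(registry.remove)
    controller = ConcurrentSessionController(registry, 1, reject_new)

    first = login(container, controller, registry, "alice")
    container.invalidate(first)                # logout or session timeout
    try:
        login(container, controller, registry, "alice")
        return "second login ok"
    except ConcurrentLoginError as exc:
        return str(exc)


if __name__ == "__main__":
    print("listener present :", scenario(with_listener=True))
    print("listener missing :", scenario(with_listener=False))
    print("missing, expire  :", scenario(with_listener=False, reject_new=False))
```

The second run reproduces the thread's error text exactly, and the third shows why the default expire-oldest mode masks a missing listener rather than fixing it: the stale entry is silently expired on the next login, so the registry still drifts. When auditing a deployment that uses concurrent session control, checking that the listener is registered is the first thing to verify, because the symptom (lockout) only appears in reject mode.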