
  • Help Me - Using PreAuthenticatedProcessingFilter Randomly picks user?

    OK here is the problem.

    I am using the Spring Security framework and have it plugged in. Here is my web.xml:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    
        <display-name>YAPrApp</display-name>
    
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                classpath:com/sherwin/sd/product/yapr/applicationContext.xml
                classpath:com/sherwin/product/applicationContext.xml
                classpath:com/sherwin/sd/product/yapr/securityContext.xml
            </param-value>
        </context-param>
        <!-- START FILTERS -->
    
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>
                org.springframework.web.filter.DelegatingFilterProxy
            </filter-class>
        </filter>
    
    
        
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
        
        <listener>
            <listener-class>
                org.springframework.security.ui.session.HttpSessionEventPublisher
            </listener-class>
          </listener>
    
    
    
    
    </web-app>
    Here is my securityContext.xml:


    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:security="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
    
    
        <bean id="springSecurityFilterChain"
            class="com.sherwin.sd.security.PreAuthenticatedProcessingFilter">
            <security:custom-filter position="PRE_AUTH_FILTER" />
            <property name="principalRequestHeader" value="eid" />
            <property name="authenticationManager"
                ref="authenticationManager" />
        </bean>
    
    
        <bean id="authenticationProvider"
            class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
            <security:custom-authentication-provider />
            <property name="preAuthenticatedUserDetailsService">
                <bean id="userDetailsServiceWrapper"
                    class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
                    <property name="userDetailsService"
                        ref="userDetailsService" />
                </bean>
            </property>
        </bean>
        <bean id="userDetailsService"
            class="com.sherwin.sd.security.CustomUserDetailsService">
            <property name="userTypeService" ref="userTypeService" />
            <property name="userService" ref="userService" />
        </bean>
    
    
        <security:authentication-manager alias="authenticationManager" />
    </beans>
    My app allows anonymous users, so I hit the page first without signing in. My PreAuthenticatedProcessingFilter returns "0", which is the id of our anonymous users. This creates a context token for anonymous, and I see it print out on my console:

    Code:
    2009-02-34+16:34:30 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.s[email protected]7d3eb: Principal: com.sherwin.sd.security.CustomUserDetails@5e21800: Username: 0; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: anonymous; Password: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: 148.141.17.108; SessionId: wDb1JL4FKLYHfT4dJKsm5cVJtHN3f1JxybQ8wynPjp57RJQcQ3nM!1918274515!1233696869125; Granted Authorities: anonymous
    Notice the username is "0" and the session id is some value.

    Now, I log in. My login action is as follows. It invalidates the session and does what I think is log out the current anonymous user.

    This should log me out, right? Of my current Spring Security user?
    Code:
    SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
    logoutHandler.setInvalidateHttpSession(true);

    logoutHandler.logout(getServletRequest(), getServletResponse(),
            getSpringAuthentication());
    Anyway, it creates a new context token as shown below. And now my console spools off multiple messages of secure context tokens existing.

    I see this now, but also my old one too. I thought that got killed, but it looks OK because it's associated with an old session ID, right? Wrong, see the problem below.

    Also notice there is more than one. What's the deal with that?
    Code:
    2009-02-34+17:01:11 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@d80b8408: Principal: com.sherwin.sd.security.CustomUserDetails@7c098000: Username: 390459036; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: BRAND_3m, DOMAIN_8, anonymous, brand_mgr, domain_mgr, sys_admin; Password: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: 148.141.17.108; SessionId: 8RnxJL9QwjpxtSR91qhn6qL5KwpMJGZrJ9v0QWgk4szjBJ1fzMhD!62980229!1233698192406; Granted Authorities: BRAND_3m, DOMAIN_8, anonymous, brand_mgr, domain_mgr, sys_admin
    2009-02-34+17:01:11 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@86f73101: Principal: com.sherwin.sd.security.CustomUserDetails@5e21800: Username: 0; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: anonymous; Password: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: 148.141.17.108; SessionId: QnpKJL2B99Fz2HBsZdPJCZvlGkl9JdlyND1PpnwhvDtr3HfDG2Jb!62980229!1233698369593; Granted Authorities: anonymous
    2009-02-34+17:01:11 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@86f75b73: Principal: com.sherwin.sd.security.CustomUserDetails@5e21800: Username: 0; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: anonymous; Password: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: 148.141.17.108; SessionId: B26CJL9JKng7VkBbvQBmd6wcJVQnJQn2N04YhXD8ZqXG45yHZRB0!62980229!1233698260343; Granted Authorities: anonymous
    2009-02-34+17:01:11 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@86f75b73: Principal: com.sherwin.sd.security.CustomUserDetails@5e21800: Username: 0; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: anonymous; Password: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: 148.141.17.108; SessionId: B26CJL9JKng7VkBbvQBmd6wcJVQnJQn2N04YhXD8ZqXG45yHZRB0!62980229!1233698260343; Granted Authorities: anonymous
    2009-02-34+17:01:12 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@86f75b73: Principal: com.sherwin.sd.security.CustomUserDetails@5e21800: Username: 0; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: anonymous; Password: [PROTECTED]; Authenticated: true; Details: [email protected]: RemoteIpAddress: 148.141.17.108; SessionId: B26CJL9JKng7VkBbvQBmd6wcJVQnJQn2N04YhXD8ZqXG45yHZRB0!62980229!1233698260343; Granted Authorities: anonymous
    THE PROBLEM.
    If I keep refreshing the page over and over again after logging in, it randomly gives me a context token of its choosing.

    This is the code that returns, at random, an authentication user:
    Code:
    SecurityContext securityContext = SecurityContextHolder.getContext();
    List<GrantedAuthority> authorities = Arrays.asList(securityContext.getAuthentication().getAuthorities());
    So sometimes it registers me as my logged-in user, and sometimes it gives me the anonymous user. But how is this possible, when the anonymous user is registered with a session id I am no longer part of? I checked my cookies, and the anonymous user is for my old session, not my current one. Why is this happening?

  • #2
    added <bean org.springframework.security.context.HttpSessionContextIntegrationFilter

    By adding to the securityContext.xml, I think I fixed it.

    Code:
    <bean id="httpSessionContextIntegrationFilterWithASCTrue" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
        <property name="allowSessionCreation" value="true"/>
    </bean>
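
The symptom described in this thread is consistent with a thread-bound security context that is never cleared between requests, so a pooled worker thread keeps the last user it served regardless of the session cookie. An added illustration in plain Java (not code from the posts or from Spring Security; `CURRENT_USER`, `handleLeaky`, `handleScoped` and `serve` are hypothetical stand-ins, and it assumes the filter authenticates only when the thread has no context yet):

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Function;

// Added illustration, not Spring Security code: CURRENT_USER stands in for a
// thread-bound security context; each single-thread executor is one pooled worker.
public class ThreadBoundContextLeak {
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Assumed filter behaviour: authenticate only if the thread has no context; never clear it.
    static String handleLeaky(String eid) {
        if (CURRENT_USER.get() == null) CURRENT_USER.set(eid);
        return CURRENT_USER.get();
    }

    // Request-scoped variant: bind the context for this request and always clear it.
    static String handleScoped(String eid) {
        CURRENT_USER.set(eid);
        try {
            return CURRENT_USER.get();
        } finally {
            CURRENT_USER.remove();
        }
    }

    // Runs one request on the given worker and returns the user the application code saw.
    static String serve(ExecutorService worker, Function<String, String> handler, String eid) throws Exception {
        Callable<String> request = () -> handler.apply(eid);
        return worker.submit(request).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService a = Executors.newSingleThreadExecutor();
        ExecutorService b = Executors.newSingleThreadExecutor();
        try {
            // Ids from the log lines above: "0" is the anonymous eid, "390459036" the logged-in one.
            System.out.println("A, anonymous visit:  " + serve(a, ThreadBoundContextLeak::handleLeaky, "0"));
            System.out.println("B, after login:      " + serve(b, ThreadBoundContextLeak::handleLeaky, "390459036"));
            System.out.println("A, after login:      " + serve(a, ThreadBoundContextLeak::handleLeaky, "390459036"));
            System.out.println("A, scoped handler:   " + serve(a, ThreadBoundContextLeak::handleScoped, "390459036"));
        } finally {
            a.shutdown();
            b.shutdown();
        }
    }
}
```

With the leaky handler, the post-login request that lands on worker A still sees user 0, which is the "random" user switch on refresh. In Spring Security 2.0, `HttpSessionContextIntegrationFilter` is the component that loads the context from the HTTP session at the start of a request and clears the thread's holder at the end.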
