
  • Authentication manager and database concurrency

    Hi guys,

    As Luke suggested in http://forum.springsource.org/showthread.php?t=79341 I have stopped defining my own _authenticationManager bean, and defined a security:authentication-manager like this

    Code:
    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider user-service-ref="userService">
    	<security:password-encoder hash="plaintext"/>
      </security:authentication-provider>
    </security:authentication-manager>
    
    <security:http auto-config="true">
      <security:http-basic/>
      <security:intercept-url pattern="/restricted/my/**" filters="ROLE_ADMIN,ROLE_USER"/>
    </security:http>
    Does this look correct, or am I missing something or doing something wrong?

    I use Spring Core and Spring Security 3.0.0.RC1, and my REST controllers usually have the sequence of using SecurityContextHolder.getContext().getAuthentication().getName() to look up the user in the UserDAO and check that it has access to this resource. If it has that, do the required actions of using other services (that use other DAOs) to perform the desired action. Does this sound all right?

    My userService.lookupUser(String name) is simply "return DAO.read(name);"

    My controller function thus looks like this:

    Code:
    @RequestMapping(value="my/path/{ID}", method = RequestMethod.GET)
    public ModelAndView getMyPathWithID(@PathVariable Integer ID) {
    	ModelAndView mav = new ModelAndView(jsonView);
    	if(userService.lookupUser(SecurityContextHolder.getContext().getAuthentication().getName()).canAccess(ID)) { .... }
    	else mav.addObject("Error", "Access denied");
    	return mav;
    }
    Running this by itself works great, I get the data back in a hurry and the data are correct and if I authenticate with a user that doesn't have access, he is denied.

    But! When running two identical requests at the same time, one will work as expected, and one will fail, apparently by having its database connection closed during execution:

    Code:
    java.util.ConcurrentModificationException
    	at java.util.LinkedHashMap$LinkedHashIterator.nextEntry(LinkedHashMap.java:373)
    	at java.util.LinkedHashMap$ValueIterator.next(LinkedHashMap.java:388)
    	at org.hibernate.engine.StatefulPersistenceContext.afterTransactionCompletion(StatefulPersistenceContext.java:253)
    	at org.hibernate.impl.SessionImpl.afterTransactionCompletion(SessionImpl.java:450)
    	at org.hibernate.jdbc.JDBCContext.afterNontransactionalQuery(JDBCContext.java:271)
    	at org.hibernate.impl.SessionImpl.afterOperation(SessionImpl.java:444)
    	at org.hibernate.impl.SessionImpl.list(SessionImpl.java:1604)
    	at org.hibernate.impl.CriteriaImpl.list(CriteriaImpl.java:306)
    	at tld.mydomain.business.UserServiceImpl.lookupUser(UserServiceImpl.java:35)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    	at java.lang.reflect.Method.invoke(Method.java:597)
    	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
    	at $Proxy22.lookupUser(Unknown Source)
    It happens that I get other, similar errors. The following exception is from the { ... } code where I simply look up the paths for this user using the PathService, and limit it by ID. Again it is quite simple,

    Code:
    return DAO.getSession().createCriteria(Path.class).setResultTransformer(Criteria.DISTINCT_ROOT_ENTITY).addOrder(Order.asc("pathName")).add(Restrictions.isNotEmpty("items")).list();
    But this fails and gives a similar error to the one just mentioned

    Code:
    org.hibernate.SessionException: Session is closed!
    	at org.hibernate.impl.AbstractSessionImpl.errorIfClosed(AbstractSessionImpl.java:72)
    	at org.hibernate.impl.SessionImpl.getBatcher(SessionImpl.java:287)
    	at org.hibernate.loader.Loader.doQuery(Loader.java:749)
    	at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:259)
    	at org.hibernate.loader.Loader.doList(Loader.java:2228)
    	at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2125)
    	at org.hibernate.loader.Loader.list(Loader.java:2120)
    	at org.hibernate.loader.criteria.CriteriaLoader.list(CriteriaLoader.java:118)
    	at org.hibernate.impl.SessionImpl.list(SessionImpl.java:1596)
    	at org.hibernate.impl.CriteriaImpl.list(CriteriaImpl.java:306)
    	at org.hibernate.impl.CriteriaImpl$Subcriteria.list(CriteriaImpl.java:481)
    	at tld.mydomain.business.PathServiceImpl.pathsForSingleUser(PathServiceImpl.java:65)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    	at java.lang.reflect.Method.invoke(Method.java:597)
    	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
    	at $Proxy24.vejeWithByggesag(Unknown Source)
    	at tld.mydomain.view.web.controller.RestrictedController.getMyPathViaID(RestrictedController.java:79)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    When I used my _authenticationManager, this worked great, but now I seem to be closing database sessions too often, even though I don't have any of my own code closing any as far as I'm aware. Any suggestions to what is going on and what I can do about it?

    The rest of my config files are quite similar to what can be found in my sample app: http://github.com/niklassaers/Sample...bRoot/WEB-INF/

    Cheers

    Nik
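
The security configuration from the post above, as an added example that is not part of the original post or the Spring project's own code: in the Spring Security 3.0 namespace the `filters` attribute of `intercept-url` accepts only `none` (which makes matching requests bypass the filter chain), so role requirements belong in `access`. It assumes the poster's `userService` bean and the `security` namespace prefix; the `sha-256` encoder with a username salt is an assumption standing in for `plaintext`, and stored passwords would have to be re-hashed to match.

```xml
<!-- Added example, not from the original post.
     Assumes the "security" prefix is bound to the Spring Security 3.0
     namespace and that "userService" is the poster's UserDetailsService. -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider user-service-ref="userService">
    <!-- hash="plaintext" compares the stored password verbatim.
         A salted digest (assumption: salt taken from the username)
         keeps clear-text passwords out of the user table. -->
    <security:password-encoder hash="sha-256">
      <security:salt-source user-property="username"/>
    </security:password-encoder>
  </security:authentication-provider>
</security:authentication-manager>

<security:http auto-config="true">
  <security:http-basic/>
  <!-- access= carries the required authorities; with the default
       role voter, holding any one of the listed roles grants access.
       filters= is not a role list: its only value is "none", which
       turns security off for the matching URLs. -->
  <security:intercept-url pattern="/restricted/my/**"
                          access="ROLE_ADMIN,ROLE_USER"/>
</security:http>
```

With the URL rule enforced by the filter chain, the per-resource `canAccess(ID)` check in the controller remains the object-level authorization step.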

  • #2
    Problem solved... (possibly)

    It seems that I had a big problem in database session handling in my DAO, so I've made a write-up of my solution at StackOverflow and asked for people's opinion on the solution. I hope it doesn't give more issues :-)
