
  • HttpInvoker and Session closing

    I'm trying to get Spring-Security to play nice with HttpInvoker remoting (called via Swing application, but that's fairly irrelevant).

    I've got the basics working more or less how I want it using HTTP Basic authentication. However, I see this warning every time I call the server:

    Code:
    23/12/2009 23:25:40 org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper createNewSessionIfAllowed
    WARNING: Failed to create a session, as response has been committed. Unable to store SecurityContext.
    I'm about to try and do some more fancy stuff that will involve the session (I have a crazy plan that might just allow me to not use the awful http basic stuff), so I'd like to fix this first. Does anyone know why I would be getting this, or what to do about it?

    Even though I get this error, everything works perfectly. I suspect this is because with HTTP basic, I'm passing up the credentials every time so the absence of the session is not a problem.

    My main application context is:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xsi:schemaLocation=
                   "http://www.springframework.org/schema/beans
                   http://www.springframework.org/schema/beans/spring-beans.xsd
                   http://www.springframework.org/schema/security
                   http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <bean id="secureService"
              class="com.j2md.playtime.spring.security.server.SecureServiceImpl">
            <property name="authenticationManager" ref="authenticationManager"/>
        </bean>    
    
        <security:global-method-security pre-post-annotations="enabled">
        </security:global-method-security>
    
        <security:http use-expressions="true">
            <security:http-basic/>
        </security:http>
    
        <security:authentication-manager alias="authenticationManager">
            <security:authentication-provider>
                <security:user-service>
                    <security:user name="testuser1" password="password"
                              authorities="ROLE_USER"/>
                    <security:user name="testuser2" password="password"
                              authorities="ROLE_ADMIN"/>
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>
    </beans>
    My servlet application context exposes the service as an HttpInvoker:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:sec="http://www.springframework.org/schema/security"
           xsi:schemaLocation=
                   "http://www.springframework.org/schema/beans
                   http://www.springframework.org/schema/beans/spring-beans.xsd
                   http://www.springframework.org/schema/security
                   http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <bean name="/**/SecureService"
              class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
            <property name="service" ref="secureService"/>
            <property name="serviceInterface" value="com.j2md.playtime.spring.security.server.SecureService"/>
        </bean>
    
    </beans>
    The underlying service is pretty unexciting. Just a hello-world-like POJO with some PreAuthorisation annotations on it.

    My web.xml looks like this

    Code:
    <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    
        <display-name>Spring Security Experiment</display-name>
    
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
    
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/applicationContext.xml</param-value>
        </context-param>
    
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
    
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/service/*</url-pattern>
        </filter-mapping>
        
        <servlet>
            <servlet-name>serviceExporter</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>/WEB-INF/serviceExporter-servlet.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
    
        <servlet-mapping>
            <servlet-name>serviceExporter</servlet-name>
            <url-pattern>/service/*</url-pattern>
        </servlet-mapping>
    
    </web-app>

  • #2
    Use

    Code:
    <http create-session='never'>
    If your application is stateless.



    • #3
      Thanks for the quick reply Luke!

      Using session-create='never' made the warning go away and works well for the standard HTTP Basic authentication.

      I do want a session however, since I'm replacing HTTP Basic with a LoginService POJO (much more desktop-client friendly, none of that nasty web stuff and I don't have to pass the creds on every call). Using session-create='always' seems to do the job. I can't see any major drawbacks to this.

      I've now just got to figure out how to stop spring-security complaining that I have no AuthenticationEntryPoint configured once I turn off HTTP Basic. I guess I could just leave Basic on, since it doesn't do any harm. Something to look at after xmas

      Cheers for your help!
      Daniel.



      Originally posted by Luke Taylor
      Use

      Code:
      <http create-session='never'>
      If your application is stateless.
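
The two setups discussed in this thread, written with the `security:` prefix from the first post's application context, as an added example that is not part of the original posts. The attribute is spelled `create-session` in the Spring Security 3.0 schema; the bean id `remotingEntryPoint` is hypothetical, and choosing `Http403ForbiddenEntryPoint` for a non-browser client is an assumption about what the poster wants.

```xml
<!-- Option A: stateless remoting over HTTP Basic.
     Credentials arrive on every call, so Spring Security is told never to
     create an HttpSession. Nothing tries to store the SecurityContext after
     the HttpInvoker response is committed, and the warning goes away. -->
<security:http use-expressions="true" create-session="never">
    <security:http-basic/>
</security:http>

<!-- Option B: session-based remoting with a custom login service.
     Use this INSTEAD of Option A; they are alternatives, not a pair.
     create-session="always" makes the session exist before the response
     is committed, so the SecurityContext that the login service places in
     SecurityContextHolder can be saved for later calls.
     With <security:http-basic/> removed there is no default
     AuthenticationEntryPoint, so one is supplied via entry-point-ref. -->
<security:http use-expressions="true" create-session="always"
               entry-point-ref="remotingEntryPoint">
</security:http>

<!-- Hypothetical bean id. Answers unauthenticated requests with HTTP 403
     instead of a Basic challenge or a redirect to a login page, which a
     Swing/HttpInvoker client could not follow anyway. -->
<bean id="remotingEntryPoint"
      class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
```

With Option B the session cookie stands in for the credentials on every call after login, so it needs the same transport protection (HTTPS) that the Basic header would.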
