
  • Cookie problem when using spring security 2.0.1

    Hi all,

    I want to auto-login by cookie, and I have my config like this:

    Code:
    <bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
    	<property name="filterInvocationDefinitionSource">
    		<value>
    			CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			PATTERN_TYPE_APACHE_ANT
    			/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,rememberMeProcessingFilter,filterInvocationInterceptor
    		</value>
    	</property>
    </bean>
    
    
    <bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
    	<property name="rememberMeServices" ref="rememberMeServices"/>
    	<property name="authenticationManager" ref="authenticationManager"/>
    </bean>
    
    
    <bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
    	<property name="tokenValiditySeconds" value="2678400"/>
    	<property name="key" value="myproj"/>
    	<property name="userDetailsService" ref="jdbcDaoImpl" />
    </bean>
    
    
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    	<property name="providers">
    		<list>
    			<ref local="daoAuthenticationProvider"/>
    			<bean class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
    				<property name="key" value="myproj"/>
    			</bean>
    		</list>
    	</property>
    	<property name="sessionController">
    		<ref bean="concurrentSessionController"/>
    	</property>
    </bean>
    
    
    <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
    	<property name="userDetailsService" ref="jdbcDaoImpl"/>
    	<property name="userCache" ref="userCache"/>
    	<property name="passwordEncoder" ref="passwordEncoder"/>
    </bean>
    
    
    <bean id="authenticationProcessingFilter" class="filter.UserAuthenticationProcessingFilter">
    	<property name="authenticationManager" ref="authenticationManager"/>
    	<property name="userService" ref="userService"/>
    	
    	<property name="authenticationFailureUrl">
    		<value>/login.jsp</value>
    	</property>
    	
    	<property name="defaultTargetUrl">
    		<value>/pages/intoIndex.action</value>
    	</property>
    	
    	<property name="filterProcessesUrl">
    		<value>/j_spring_security_check</value>
    	</property>
    	
    	<property name="exceptionMappings">
    		<value>
    			org.springframework.security.userdetails.UsernameNotFoundException=/login.jsp?login_error=user_not_found_error
    			org.springframework.security.BadCredentialsException=/login.jsp?login_error=user_psw_error
    			org.springframework.security.concurrent.ConcurrentLoginException=/login.jsp?login_error=too_many_user_error
    		</value>
    	</property>
    
    	<property name="rememberMeServices" ref="rememberMeServices"/>
    </bean>

    When I try to log in by cookie I get these messages:

    Code:
    DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 6 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1300; ]'
    DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie detected
    DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie accepted
    DEBUG org.springframework.security.providers.ProviderManager - Authentication attempt using org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider
    DEBUG org.springframework.security.concurrent.SessionRegistryImpl - Registering session 9D8670EE917A99EF23C679216B358AEB, for principal myname

    It seems that the cookie is accepted, but it doesn't log in to the app and instead returns to the login page.

    I am puzzled, and I think there is something wrong with the config. Can anyone give me some tips?

    Thanks to all.
    Last edited by Killua; Jan 3rd, 2011, 09:34 PM.

  • #2
    Try switching the order of exceptionTranslationFilter and rememberMeProcessingFilter. Can you enable all logging for Spring Security and post all the logs (i.e. RememberMeProcessingFilter)?

    FYI: You may want to update to 2.0.6.RELEASE to avoid the security vulnerability.

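The ordering check suggested in reply #2 can be run against the FilterChainProxy DEBUG output itself. This is an added example, not code from the thread or from Spring Security: the function names are hypothetical, the log lines are constructed in the format quoted in this thread, and it assumes the `order=` value printed for each filter is the position the framework intends for it.

```python
import re

# Line format taken from the FilterChainProxy DEBUG output quoted in this thread.
LINE_RE = re.compile(
    r"at position (?P<pos>\d+) of \d+ in additional filter chain; "
    r"firing Filter: '(?P<cls>[\w.$]+)(?:\[ order=(?P<order>\d+); \]|@\w+)?'"
)

def parse_chain(log_text):
    """Return [(position, simple class name, order or None)] sorted by position."""
    chain = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            order = int(m.group("order")) if m.group("order") else None
            chain[int(m.group("pos"))] = (m.group("cls").rsplit(".", 1)[-1], order)
    return [(pos, name, order) for pos, (name, order) in sorted(chain.items())]

def find_inversions(chain):
    """Pairs (earlier, later) where a filter fires before one with a lower order value."""
    ordered = [(name, order) for _, name, order in chain if order is not None]
    return [(a, b) for i, (a, a_ord) in enumerate(ordered)
            for b, b_ord in ordered[i + 1:] if a_ord > b_ord]

def _constructed_log(filters):
    """Build sample lines in the thread's format (constructed, not real output)."""
    prefix = "DEBUG org.springframework.security.util.FilterChainProxy - /secure.jsp"
    return "\n".join(
        f"{prefix} at position {i} of {len(filters)} in additional filter chain; "
        f"firing Filter: '{f}'" for i, f in enumerate(filters, 1))

_P = "org.springframework.security."
_HEAD = [_P + "context.HttpSessionContextIntegrationFilter[ order=200; ]",
         _P + "ui.logout.LogoutFilter[ order=400; ]",
         _P + "wrapper.SecurityContextHolderAwareRequestFilter[ order=1200; ]"]
_ETF = _P + "ui.ExceptionTranslationFilter[ order=1500; ]"
_RMF = _P + "ui.rememberme.RememberMeProcessingFilter[ order=1300; ]"
_FSI = _P + "intercept.web.FilterSecurityInterceptor@a9fa9c"

# ExceptionTranslationFilter ahead of RememberMeProcessingFilter, as in the
# first post's config, versus the chain after the suggested swap.
MISORDERED = _constructed_log(_HEAD + [_ETF, _RMF, _FSI])
CORRECTED = _constructed_log(_HEAD + [_RMF, _ETF, _FSI])

if __name__ == "__main__":
    for label, log in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, find_inversions(parse_chain(log)))
```

Filters logged without an `order=` value, such as FilterSecurityInterceptor, are parsed but left out of the comparison.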


    • #3
      I changed the order of exceptionTranslationFilter and rememberMeProcessingFilter, then I got the debug output below:

      Code:
      DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 1 of 7 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
      DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 2 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=400; ]'
      DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 3 of 7 in additional filter chain; firing Filter: 'com.broadtext.eim.security.filter.UserAuthenticationProcessingFilter[ order=800; ]'
      DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 4 of 7 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1200; ]'
      DEBUG org.springframework.security.wrapper.SavedRequestAwareWrapper - Wrapper not replaced; SavedRequest was: null
      DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 5 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1300; ]'
      DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie detected
      DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie accepted
      DEBUG org.springframework.security.providers.ProviderManager - Authentication attempt using org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider
      WARN  org.springframework.security.event.authentication.LoggerListener - Authentication event AuthenticationSuccessEvent: myname; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 7F9D626137539284836542B85B018FB9
      DEBUG org.springframework.security.providers.ProviderManager - Authentication attempt using org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider
      DEBUG org.springframework.security.concurrent.SessionRegistryImpl - Registering session 7F9D626137539284836542B85B018FB9, for principal myname
      DEBUG org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in context [[email protected]19c5048]: org.springframework.security.event.authentication.AuthenticationSuccessEvent[source=org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@6d13c6b3: Principal: org.springframework.security.userdetails.User@0: Username: myname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ...
      WARN  org.springframework.security.event.authentication.LoggerListener - Authentication event AuthenticationSuccessEvent: myname; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 7F9D626137539284836542B85B018FB9
      DEBUG org.springframework.security.ui.rememberme.RememberMeProcessingFilter - SecurityContextHolder populated with remember-me token: 'org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@6d13c6b3: Principal: org.springframework.security.userdetails.User@0: Username: myname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ...
      DEBUG org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in context [[email protected]19c5048]: org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent[source=org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@6d13c6b3: Principal: org.springframework.security.userdetails.User@0: Username: myname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ...
      WARN  org.springframework.security.event.authentication.LoggerListener - Authentication event InteractiveAuthenticationSuccessEvent: myname; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 7F9D626137539284836542B85B018FB9
      DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 6 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1500; ]'
      DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 7 of 7 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@a9fa9c'
      DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Public object - authentication not attempted
      DEBUG org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in context [[email protected]19c5048]: org.springframework.security.event.authorization.PublicInvocationEvent[source=FilterInvocation: URL: //login.jsp]
      DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp reached end of additional filter chain; proceeding with original chain
      DEBUG org.springframework.security.ui.ExceptionTranslationFilter - Chain processed normally

      It was found that 'authentication not attempted' appears in 'org.springframework.security.intercept.AbstractSecurityInterceptor - Public object - authentication not attempted'.

      Now I'll try to step into it to find the problem. Maybe I should update to 2.0.6.

      Thanks a lot.



      • #4
        Can you try accessing a protected page?



        • #5
          Originally posted by rwinch:
          Can you try accessing a protected page?

          What is the protected page you mean?
          //login.jsp?



          • #6
            I mean a page that requires you to be logged in.



            • #7
              Originally posted by rwinch:
              I mean a page that required you to be logged in.

              So sorry, I think I should have replied earlier, but other things kept me from continuing at that time.

              I tried, but when accessing the page, I was kicked out to the login page.

              Now I have updated to 2.0.6 and the problem is resolved, thanks a lot.
