Problem: SecureContextImpl reused in subsequent session
  • Problem: SecureContextImpl reused in subsequent session

    I just joined a team working on an Acegi/CAS single sign on application, and for the most part things are working well. However, we have occasional problems in which a user logs out, opens up a new session, and is already authenticated. This most frequently happens when we run automated tests against the application that can quickly log in and log out serially.

    The application has a two stage logout: the first logout invalidates the session. The second logout removes the CAS cookie, thus requiring a new CAS login. Our app server has two request threads going. What is happening is that, regardless of whether the cookie is there or not, a new session is being created but the same instance of the SecureContextImpl from the previous session is somehow being attached to the new session.

    Below is the relevant section from a log4j DEBUG dump from HttpSessionContextIntegrationFilter. SecureContextImpl@85e57 is from the first session. Serial requests from the first session are alternately being handled by each thread. After the one thread sees that first session as invalidated, the new session is created and SecureContextImpl@1697d14 is created as well. However, the other thread attaches SecureContextImpl@85e57 to the new session and the new user is "automagically" authenticated (because 85e57 still has the authentication object with the credentials).

    We are still on version 0.8.3 but I did not see this problem addressed in 0.9.0. I apologize if it has already come up, but I did not see a mention of synchronization or threading issues with this filter in my searching.



    2005-10-07 12:51:41,421 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,421 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,421 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,609 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,609 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,671 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
    2005-10-07 12:51:41,671 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,687 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - HttpSession returned null object for ACEGI_SECURITY_CONTEXT
    2005-10-07 12:51:41,687 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - As ContextHolder null, setup ContextHolder with a fresh new instance: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,687 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,687 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,687 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1697d14: Null authentication'
    2005-10-07 12:51:41,703 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,718 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,718 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,718 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,734 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,734 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,734 [HttpRequestHandler-18229916] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed
    2005-10-07 12:51:41,765 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,765 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@85e57: Authentication: net.sf.acegisecurity.providers.cas.CasAuthenticationToken@178e13f: Username: gravesjp; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_EVERYONE, ROLE_MERGER, ROLE_UNMASK_SSN, ROLE_ADMIN; Credentials (Service/Proxy Ticket): ST-16156-ghO6nNjh1m32O6NA4b3j; Proxy-Granting Ticket IOU: ; Proxy List: []'
    2005-10-07 12:51:41,765 [HttpRequestHandler-26567569] DEBUG net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter - ContextHolder set to null as request processing completed

  • #2
    Rather than invalidate HttpSession, perhaps try setting the ContextHolder to null. Also, is this an issue with the current CVS version, as a lot of refactoring of HttpSession to ThreadLocal behaviour has been committed?



    • #3

      It does work to clear out the ContextHolder, or to set the authentication to null on the current Context associated with the Thread before invalidating the session (my workaround).

      We have not moved to 0.9.0 yet at my organization, so I will test this when we get there.
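The interleaving the original post reads out of its log, and the workaround reply #3 describes, as an added deterministic simulation that is not Acegi code: `Worker` stands in for one request-handler thread with its own ContextHolder, `begin()`/`end()` for what HttpSessionContextIntegrationFilter does at the start and end of a request, and `Container` for a single client's session handling (all of these names, and the `gravesjp` sample user, are assumptions made for the example). `run(logout_naive)` reproduces the stale write-back; `run(logout_fixed)` shows why clearing the authentication on the shared instance before invalidating the session stops it.

```python
ATTR = "ACEGI_SECURITY_CONTEXT"   # session attribute the filter reads and writes

class SecureContext:              # stands in for SecureContextImpl
    def __init__(self, authentication=None):
        self.authentication = authentication   # username, or None when logged out

class Session:
    def __init__(self):
        self.attrs, self.valid = {}, True
    def invalidate(self):
        self.valid, self.attrs = False, {}

class Container:                  # single-client container; `cookie` is the session the client references
    def __init__(self):
        self.cookie = None
    def get_session(self, create):
        if self.cookie is None or not self.cookie.valid:
            self.cookie = Session() if create else None
        return self.cookie

class Worker:
    """One request-handler thread with its own ContextHolder (a ThreadLocal)."""
    def __init__(self, container):
        self.c, self.holder, self.had_session = container, None, False
    def begin(self):
        s = self.c.get_session(create=False)
        self.had_session = s is not None
        ctx = s.attrs.get(ATTR) if s else None
        self.holder = ctx if ctx is not None else SecureContext()
    def end(self):
        s = self.c.get_session(create=False)
        if s is None and self.had_session:
            self.holder = None   # invalidated mid-request: do not create a session
            return
        s = s or self.c.get_session(create=True)
        s.attrs[ATTR] = self.holder   # write back whatever this thread still holds
        self.holder = None

def logout_naive(worker):
    worker.c.get_session(create=False).invalidate()

def logout_fixed(worker):             # workaround from reply #3
    worker.holder.authentication = None   # clears the instance both threads share
    logout_naive(worker)

def run(logout):
    c = Container()
    a, t = Worker(c), Worker(c)       # the two request-handler threads
    c.get_session(create=True).attrs[ATTR] = SecureContext("gravesjp")  # constructed login
    t.begin()                         # T picks up the shared, authenticated context
    a.begin(); logout(a); a.end()     # A handles the logout; the first session is invalidated
    a.begin(); a.end()                # A's next request creates the new session with a fresh context
    t.end()                           # T finishes late and overwrites the new session's context
    return c.cookie.attrs[ATTR].authentication
```

The fix works only because both threads hold the same SecureContext instance; a defensive logout should clear the holder's authentication and the ContextHolder itself, not rely on session invalidation alone.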