
  • Using pre-auth scenario, user details in SS does NOT change when user logs out.

    In our company we have a filter that implements security and puts information such as the username and granted authorities into header values. I've written a custom RequestHeaderAuthenticationFilter and UserDetailsService to extract this information from the HttpRequestHeader and put it in the UserDetails object. This is my applicationContext-security file:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans 
    	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    	<http use-expressions="true">
    		<intercept-url pattern="/showaddmsgtype.htm"
    			access="hasRole('weText.update')" />
    		<intercept-url pattern="/addmsgtype.htm"
    			access="hasRole('weText.update')" />
    		<intercept-url pattern="/modmsgtype.htm"
    			access="hasRole('weText.update')" />
    		<intercept-url pattern="/delmsgtype.htm"
    			access="hasRole('weText.update')" />
    		<intercept-url pattern="/authenticator/authenticatorFailed.html" filters="none" />
    		<intercept-url pattern="/authenticator/personalKeyFailed.html" filters="none" />
    		<intercept-url pattern="/authenticator/userLocked.html" filters="none" />
    		<intercept-url pattern="/authenticator/userNotAuthorized.html" filters="none" />
    		<intercept-url pattern="/authenticator/userPwdIncorrect.html" filters="none" />
    		<intercept-url pattern="/authenticator/userInactive.html" filters="none" />
    		<intercept-url pattern="/authenticator/images/**" filters="none" />
    		<intercept-url pattern="/images/**" filters="none" />
    		<intercept-url pattern="/scripts/**" filters="none" />
    		<intercept-url pattern="/styles/**" filters="none" />
    		<intercept-url pattern="/Logout" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.AuthContentServlet/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.AuthenticatorClientProperties/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.AuthenticatorCookieGateway/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.ReloadFileIndexMap/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.LogFileServlet/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.SynchServlet/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.CheckChangePasswordServlet/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.CheckLoginServlet" filters="none" />
    		<intercept-url pattern="/**" access="permitAll" />
    		<custom-filter position="PRE_AUTH_FILTER" ref="authenticatorFilter" />
    		<form-login />
    
    	</http>
    
    	<beans:bean id="authenticatorFilter"
    		class="walgreens.user.details.WalgreensRequestHeaderAuthenticationFilter">
    		<beans:property name="authenticationManager"
    			ref="authenticationManager" />
    	</beans:bean>
    
    	<beans:bean id="preauthAuthProvider"
    		class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    		<beans:property name="preAuthenticatedUserDetailsService">
    			<beans:bean id="userDetailsServiceWrapper"
    				class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
    				<beans:property name="userDetailsService"
    					ref="userDetailsService" />
    			</beans:bean>
    		</beans:property>
    	</beans:bean>
    
    	<beans:bean id="userDetailsService" class="walgreens.user.details.WalgreensUserDetailsService" />
    
    	<authentication-manager alias="authenticationManager">
    		<authentication-provider ref="preauthAuthProvider" />
    	</authentication-manager>
    
    </beans:beans>
    The intercept-urls at the beginning are for various pages and servlets that our own authentication software needs.

    This works just great when you log in. However, if you log out (using our own servlet for the purpose, which works with our own security and knows nothing about Spring Security) and then log back in as someone else, the user details for the previous user are what you get. I know there is supposed to be a filter that clears this stuff out at the end of the request, but I was under the impression that the namespace would put this filter in automatically.

    What do I need to do to make my custom filter run on each and every request and how do I configure the applicationContext-security.xml to accomplish this?

  • #2
    It depends what you mean by "log out". If you are handling logging out, it's up to you to make sure the session is invalidated. If it isn't, then you are still using the same security context on a subsequent request.

    If you want to detect whether the principal changes within the same session, then set the checkForPrincipalChanges property to true.



    • #3
      Originally posted by Luke Taylor
      It depends what you mean by "log out". If you are handling logging out, it's up to you to make sure the session is invalidated. If it isn't, then you are still using the same security context on a subsequent request.

      If you want to detect whether the principal changes within the same session, then set the checkForPrincipalChanges property to true.
      Thanks. I set the properties to check for principal change and invalidate the session when it does and that did the trick.
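
The fix described in the reply and confirmed in the comment above, as an added example that is not the original poster's configuration: the application-specific intercept-url entries are omitted, the bean ids and class names are reused from the thread, and it assumes Spring Security 3.0.x, where the pre-authentication filters expose the checkForPrincipalChanges and invalidateSessionOnPrincipalChange properties. The commented-out bean shows the original, weak form beside the corrected one.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's configuration. Assumes Spring
     Security 3.0.x and reuses the bean ids and class names from the thread.
     The application-specific intercept-url entries are left out. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http use-expressions="true">
        <intercept-url pattern="/Logout" filters="none" />
        <intercept-url pattern="/**" access="permitAll" />
        <!-- The pre-auth filter already runs on every request that is not
             excluded with filters="none"; whether it re-authenticates is
             decided by the filter's own properties, not by the namespace. -->
        <custom-filter position="PRE_AUTH_FILTER" ref="authenticatorFilter" />
        <form-login />
    </http>

    <!-- Weak form (as in the original post): the filter only authenticates
         when the session's SecurityContext holds no Authentication yet. A
         logout done outside Spring Security leaves the session and its
         context in place, so the next user inherits the previous UserDetails.

    <beans:bean id="authenticatorFilter"
        class="walgreens.user.details.WalgreensRequestHeaderAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>
    -->

    <!-- Corrected form: on every request the filter re-reads the principal
         from the header and compares it with the principal already held in
         the session; if they differ, the old session is invalidated and the
         new principal is authenticated through the pre-auth provider. -->
    <beans:bean id="authenticatorFilter"
        class="walgreens.user.details.WalgreensRequestHeaderAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="checkForPrincipalChanges" value="true" />
        <beans:property name="invalidateSessionOnPrincipalChange" value="true" />
    </beans:bean>

    <beans:bean id="preauthAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <beans:property name="preAuthenticatedUserDetailsService">
            <beans:bean
                class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <beans:property name="userDetailsService" ref="userDetailsService" />
            </beans:bean>
        </beans:property>
    </beans:bean>

    <beans:bean id="userDetailsService"
        class="walgreens.user.details.WalgreensUserDetailsService" />

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="preauthAuthProvider" />
    </authentication-manager>

</beans:beans>
```

Two caveats go with either form. The /Logout mapping has filters="none", so Spring Security never touches the session on that path; as the reply says, the external logout servlet has to invalidate the HttpSession itself, otherwise the old SecurityContext is still there until the header changes. And a header-based pre-authentication filter trusts the header exactly as it arrives, so the application must be reachable only through the company filter that sets it; a client that can reach the servlet container directly could supply the username header itself.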
