Cannot re-authenticate in the same session

  • Cannot re-authenticate in the same session

    Hi,

    I am using Spring Security with Spring BlazeDS integration 1.0.0.M2 and I have the following problem. When a user doesn't log out properly from the Flex client by triggering channelSet.logout (most probably just closing the browser tab) and tries to log in again, the login command fails with the following fault: faultString = "Cannot re-authenticate in the same session."

    How should I handle this situation?

  • #2
    Am I really the only one who has a problem with this? I know there's a per-client-authentication attribute on the secured tag which should solve my problem, but it is not yet supported.

    If someone has any suggestions please tell me, because I think this is kind of a show stopper for us for going to production with our new Flex client.



    • #3
      Per-client authentication might get you around the issue, but I'd be careful to consider whether per-client is the most desirable behavior for your users.

      You should only be seeing that error if a login is attempted in the same browser session with different login credentials. If the user logs in again in the same browser session, with the same credentials, the BlazeDS AuthenticationService still returns a "success" event. Is that not what's happening in your case? If there is something more complex going on in your scenario, could you provide more details of your configuration?

      When using session-based authentication, I would think the expected behavior when re-opening the app within the same browser session would be to see the app in an authenticated state...i.e., not be presented with a login dialog in the first place. Unfortunately, the Flex APIs don't provide any particularly direct way to check whether the user principal has already been set for a given session. Fortunately, it's easy enough to call a Spring service over RPC to do a check each time the Flex client starts and return any pertinent info if the user is already authenticated.

      Alternately, if you wanted to ensure a clean authentication any time the client is started, it would be just as simple to do something to force logout. You've got several options there...you could do something low-level like using the HttpService to call the Spring Security logout link, or you could make an RPC call to a Spring bean that forces logout through the MessageBroker API. (If you go that route, messageBroker.getLoginManager() would get you headed in the right direction.)



      • #4
        Originally posted by jeremyg484

        When using session-based authentication, I would think the expected behavior when re-opening the app within the same browser session would be to see the app in an authenticated state...i.e., not be presented with a login dialog in the first place.
        That would not be suitable for us because different users may use the same computer, and getting someone else's session would not be acceptable.

        Originally posted by jeremyg484
        Alternately, if you wanted to ensure a clean authentication any time the client is started, it would be just as simple to do something to force logout. You've got several options there...you could do something low-level like using the HttpService to call the Spring Security logout link, or you could make an RPC call to a Spring bean that forces logout through the MessageBroker API. (If you go that route, messageBroker.getLoginManager() would get you headed in the right direction.)
        Thanks for the tip. I log out now in the applicationComplete event by using an RPC call. But why doesn't a straight call to channelSet.logout in the client work?

        Thank you one more time, you saved my day



        • #5
          The following should also work:

          Code:
          <!-- Bootstraps and exposes the BlazeDS MessageBroker -->
          <flex:message-broker>
              <flex:secured per-client-authentication="true" /> <!-- default is false -->
          </flex:message-broker>



          • #6
            I have the following configured:

            Code:
            <flex:message-broker>
                <flex:message-service default-channels="emp-maint-amf" />
                <flex:secured per-client-authentication="true" />
            </flex:message-broker>
            But I still get the "Cannot re-authenticate in the same session" error when I try to log in as someone else after I do a logout.

            This really has me troubled. I'm new to Flex and to using BlazeDS and Spring, and am looking to find where this login/logout is covered in a decent example. Logging in and out of an application are common things, so I think a best practice should be shown somewhere. Right now the only login/logout behavior I can find in the examples is in the testdrive app - but that uses channelSet.logout(), yet this doesn't end up in what I think most users would expect. When I log out of gmail or yahoo, I can log in again as a different user, but apparently this isn't the case when using channelSet.logout() (you can only log in again as the same user).



            • #7
              Hopefully this will become a little clearer in the updated "secured" sample. You should definitely be able to login/logout with different users, and the sample walks you through doing exactly that.



              • #8
                Hello Jeremy,

                I have experienced this behaviour and, after reading this post, I followed your advice and added a service method to execute this:

                messageTemplate.getMessageBroker().getLoginManager().logout();

                If I was logged in and then hit a browser REFRESH, I got that re-authentication error.

                Now, on my login view, I just execute that logic and everything (the security context) is cleaned successfully.

                Since this post is some months old, I'd like to ask you if there is another cleaner way of getting this same target.

                Thanks in advance Jeremy.

                A.

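As an added example (this is not code from the thread, nor from the Spring BlazeDS project), here is the kind of Spring bean that post #3 describes and post #8 reports using: a remoting destination the Flex client calls at startup, with one method that answers the "is this session already authenticated?" question the Flex APIs cannot answer directly, and one that forces a clean server-side logout through the MessageBroker's LoginManager before the login dialog is shown, so a second user on a shared computer never inherits the first user's session. The class name, bean id, method names and package are assumptions; it assumes `<flex:secured/>` is configured (so a Spring Security LoginCommand is installed) and that the bean is exposed as a remoting destination, for example by component scanning together with the `@RemotingDestination` annotation.

```java
package example.flex.security; // assumed package name

import java.security.Principal;

import org.springframework.flex.messaging.MessageTemplate;
import org.springframework.flex.remoting.RemotingDestination;
import org.springframework.stereotype.Service;

import flex.messaging.FlexContext;
import flex.messaging.security.LoginManager;

/**
 * Added example: remoting destination the Flex client calls as soon as it starts.
 * Assumed names: the bean id "sessionService" and both method names.
 */
@Service("sessionService")
@RemotingDestination
public class SessionService {

    private final MessageTemplate messageTemplate;

    // MessageTemplate is the Spring BlazeDS helper that exposes the running MessageBroker.
    // Wiring the constructor argument in the Spring config is assumed.
    public SessionService(MessageTemplate messageTemplate) {
        this.messageTemplate = messageTemplate;
    }

    /**
     * Server-side check for a session that is already authenticated: returns the
     * name of the principal bound to the current FlexSession, or null when nobody
     * is logged in. The client can skip its login dialog when this is non-null
     * (the behaviour post #3 suggests) or, as post #4 prefers, ignore it and
     * always call forceLogout() instead.
     */
    public String currentUser() {
        Principal principal = FlexContext.getUserPrincipal();
        return principal == null ? null : principal.getName();
    }

    /**
     * Forces a clean logout before the client presents its login dialog, so a
     * later login with different credentials in the same browser session does not
     * fail with "Cannot re-authenticate in the same session". LoginManager.logout()
     * hands the current principal to the configured LoginCommand (the Spring
     * Security one under <flex:secured/>) and invalidates the Flex session.
     * Returns whether anyone was actually logged in, which is useful for logging.
     */
    public boolean forceLogout() {
        boolean wasAuthenticated = FlexContext.getUserPrincipal() != null;
        LoginManager loginManager = messageTemplate.getMessageBroker().getLoginManager();
        loginManager.logout();
        return wasAuthenticated;
    }
}
```

On the client side the flow is: in the applicationComplete handler, call `sessionService.forceLogout()` over a RemoteObject and only show the login dialog once that call returns, then log in as usual. If you want the "stay logged in" behaviour instead, call `currentUser()` first and go straight to the authenticated view when it returns a name. Either way the decision is made on the server, where the principal is actually known, rather than guessed from client state that a closed tab or a browser refresh has already thrown away.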


                • #9
                  I've removed that messageTemplate.getMessageBroker().getLoginManager().logout() RPC call in favour of a plain channel.logout() at Flex initialization. Works 100%.

                  Cheers.
