
  • Flex Client + SecurityContext problem

    I'm having problems with method invocations from a Flex client.
    If I try to invoke a few methods in a row, the first time everything works great, but if I do that again, I get:

    Code:
    An Authentication object was not found in the SecurityContext
    Basically, we have a Flex app containing a number of master-detail screens.
    After we log in, we can open one of the mentioned screens, which automatically calls a few methods exposed through Spring.
    If I close that screen (not the page or browser - everything happens inside the Flex app) and try to open it again, I get the error...

    I've looked for similar questions posted here, but the posts I've seen did not help...

    This is the trace from the first, successful call:

    Code:
    DEBUG 15-11 15:10:10 Converted URL to lowercase, from: '/messagebroker/amf'; to: '/messagebroker/amf'  (DefaultFilterInvocationSecurityMetadataSource.java:173) 
    DEBUG 15-11 15:10:10 Public object - authentication not attempted  (AbstractSecurityInterceptor.java:182) 
    DEBUG 15-11 15:05:12 /messagebroker/amf reached end of additional filter chain; proceeding with original chain  (FilterChainProxy.java:339)  
    DEBUG 15-11 15:05:12 DispatcherServlet with name 'FlexSide' processing POST request for [/dev-app/messagebroker/amf]  (DispatcherServlet.java:690) 
    DEBUG 15-11 15:05:12 Mapping [/amf] to handler 'flex.messaging.MessageBroker@2e42fe'  (AbstractUrlHandlerMapping.java:220) 
    INFO  15-11 15:05:12 Channel endpoint my-amf received request.  (MessageBrokerHandlerAdapter.java:99) 
    DEBUG 15-11 15:05:12 Secure object: flex.messaging.endpoints.AMFEndpoint@1427381; Attributes: [ROLE_USER]  (AbstractSecurityInterceptor.java:191) 
    DEBUG 15-11 15:05:12 Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@407536a1: Principal: org.springframework.security.core.userdetails.User@4699200: Username: ADMIN; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER  (AbstractSecurityInterceptor.java:292) 
    DEBUG 15-11 15:05:12 Voter: org.springframework.security.access.vote.RoleVoter@616915, returned: 1  (AffirmativeBased.java:53) 
    DEBUG 15-11 15:05:12 Authorization successful  (AbstractSecurityInterceptor.java:213)
    ...
    ...and this is the trace when the same method is called again, this time unsuccessfully...

    Code:
    DEBUG 15-11 15:08:23 Converted URL to lowercase, from: '/messagebroker/amf'; to: '/messagebroker/amf'  (DefaultFilterInvocationSecurityMetadataSource.java:173) 
    DEBUG 15-11 15:08:23 Public object - authentication not attempted  (AbstractSecurityInterceptor.java:182) 
    DEBUG 15-11 15:08:23 /messagebroker/amf reached end of additional filter chain; proceeding with original chain  (FilterChainProxy.java:339) 
    DEBUG 15-11 15:08:23 DispatcherServlet with name 'FlexSide' processing POST request for [/dev-app/messagebroker/amf]  (DispatcherServlet.java:690) 
    DEBUG 15-11 15:08:23 Mapping [/amf] to handler 'flex.messaging.MessageBroker@2e42fe'  (AbstractUrlHandlerMapping.java:220) 
    INFO  15-11 15:08:23 Channel endpoint my-amf received request.  (MessageBrokerHandlerAdapter.java:99) 
    DEBUG 15-11 15:08:23 Secure object: flex.messaging.endpoints.AMFEndpoint@1427381; Attributes: [ROLE_USER]  (AbstractSecurityInterceptor.java:191) 
    DEBUG 15-11 15:08:23 Found handler for exception of type [java.lang.Throwable]: public void org.springframework.flex.core.ExceptionTranslationAdvice.afterThrowing(java.lang.Throwable) throws java.lang.Throwable  (ThrowsAdviceInterceptor.java:117) 
    ERROR 15-11 15:08:23 Exception message:org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext  (FlexExceptionTranslator.java:24)

    My web.xml config:

    Code:
    <!-- Flex + Spring Security -->
    <filter>
    	<filter-name>springSecurityFilterChain</filter-name>
    	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    
    <servlet>
    	<servlet-name>FlexSide</servlet-name>
    	<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    	<load-on-startup>1</load-on-startup>
    </servlet>
    
    <filter-mapping>
    	<filter-name>springSecurityFilterChain</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <servlet-mapping>
    	<servlet-name>FlexSide</servlet-name>
    	<url-pattern>/messagebroker/*</url-pattern>
    </servlet-mapping>
    Flex part of app config:
    Code:
    <flex:message-broker>
    	<flex:exception-translator ref="FlexExceptionTranslator" />
    
    	<flex:message-service default-channels="my-amf, my-secure-amf, my-http, my-polling-amf" />
    
    	<flex:secured>
    		<flex:secured-channel access="ROLE_USER"
    			channel="my-amf" />
    		<flex:secured-channel access="ROLE_USER"
    			channel="my-secure-amf" />
    		<flex:secured-channel access="ROLE_USER"
    			channel="my-http" />
    		<flex:secured-channel access="ROLE_USER"
    			channel="my-polling-amf" />
    	</flex:secured>
    
    </flex:message-broker>
    Security:

    Code:
    <security:http>
    	<security:session-management
    		session-fixation-protection="newSession" invalid-session-url="/sessionTimeout.htm">
    	</security:session-management>
    
    	<security:form-login login-page="/index.html"
    		default-target-url="/index.html" authentication-failure-url="/index.html" />
    
    	<security:port-mappings>
    		<security:port-mapping http="8400" https="9400" />
    	</security:port-mappings>
    
    
    </security:http>
    
    <security:global-method-security>
    
    	<security:protect-pointcut access="ROLE_USER"
    		expression="execution(* hr.abcinfo.facade.impl.*.*Facade.*(..))" />
    </security:global-method-security>

    I have spring core and security 3.0.2 and spring-flex 1.0.3

    Greetings,
    Antonio

  • #2
    Strange. I wonder if perhaps your http session is not getting restored properly. Can you try turning debug logging on for org.springframework.security.web.context.HttpSessionSecurityContext as well? This should show whether the SecurityContext is getting properly re-bound to the session or not.



    • #3
      Originally posted by jeremyg484
      Strange. I wonder if perhaps your http session is not getting restored properly. Can you try turning debug logging on for org.springframework.security.web.context.HttpSessionSecurityContext as well? This should show whether the SecurityContext is getting properly re-bound to the session or not.
      I suppose you mean HttpSessionSecurityContextRepository?

      Here is the log from the first request:
      Code:
      DEBUG 15-11 20:39:59 Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: '[email protected]536a1: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@407536a1: Principal: org.springframework.security.core.userdetails.User@4699200: Username: ADMIN; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER'  (HttpSessionSecurityContextRepository.java:165)
      ...and this is when I close/open the screen again and send a request to server...

      Code:
      DEBUG 15-11 20:49:25 SecurityContext stored to HttpSession: '[email protected]fffff: Null authentication'  (HttpSessionSecurityContextRepository.java:351)
      SecurityContext is definitely empty, it must be invalidated or emptied for some reason...

      I've noticed that closing/opening the screen changes the SESSIONID in request which leads me to the conclusion that there's probably something wrong on the client side of the app...



      • #4
        Originally posted by AntPort
        I suppose you mean HttpSessionSecurityContextRepository?
        Yes, sorry, cut and paste error.

        Originally posted by AntPort
        SecurityContext is definitely empty, it must be invalidated or emptied for some reason...

        I've noticed that closing/opening the screen changes the SESSIONID in request which leads me to the conclusion that there's probably something wrong on the client side of the app...
        Right, a new SESSIONID would correlate with a new session having been created. Tracking down why you're getting a new session when you close/open the screen would be the key.

        Comment
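Added example, not part of the thread and not any poster's code: one way to follow the advice in #4 and find out why a new session appears is a servlet filter plus session listener that logs, for each request, the session ID the client sent, whether the container still considers it valid, and the call stack behind every session creation or destruction. The class and package names are hypothetical; `SPRING_SECURITY_CONTEXT` is the attribute name shown in the log in #3.

```java
package example.diagnostics; // hypothetical package name

import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Added diagnostic (illustrative): traces session identity per request and session lifecycle events.
public class SessionTraceFilter implements Filter, HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SessionTraceFilter.class.getName());
    // Session attribute name seen in the thread's HttpSessionSecurityContextRepository log line.
    private static final String CTX_KEY = "SPRING_SECURITY_CONTEXT";

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession before = req.getSession(false); // never create a session just to log
        LOG.info(String.format("IN  %s requested=%s valid=%b fromCookie=%b fromUrl=%b bound=%s ctx=%b",
                req.getRequestURI(), tail(req.getRequestedSessionId()), req.isRequestedSessionIdValid(),
                req.isRequestedSessionIdFromCookie(), req.isRequestedSessionIdFromURL(),
                before == null ? "none" : tail(before.getId()),
                before != null && before.getAttribute(CTX_KEY) != null));
        try {
            chain.doFilter(rq, rs);
        } finally {
            HttpSession after = req.getSession(false);
            LOG.info("OUT " + req.getRequestURI() + " bound=" + (after == null ? "none" : tail(after.getId())));
        }
    }

    public void sessionCreated(HttpSessionEvent e) {
        // The attached Throwable records the call stack that triggered session creation.
        LOG.log(Level.INFO, "session created " + tail(e.getSession().getId()), new Throwable("creation stack"));
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        LOG.log(Level.INFO, "session destroyed " + tail(e.getSession().getId()), new Throwable("destroy stack"));
    }

    // Log only the last 6 characters so complete session IDs never end up in log files.
    private static String tail(String id) {
        return id == null ? "none" : "..." + id.substring(Math.max(0, id.length() - 6));
    }

    public void init(FilterConfig cfg) { }
    public void destroy() { }
}
```

Register the class in web.xml both as a `<listener>` and as a `<filter>` mapped to `/*` ahead of `springSecurityFilterChain`. An IN line with `valid=false` or a changed ID tail, read next to the matching "session created" stack, shows whether the client sent a different session ID or the server replaced the session.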
