spring security 3.1 destroys existing session with active user logged in

I have an application with spring security 3.1 and Ldap integration. Below are the key points in the requirement and implementation so far:

The application will have multiple roles for single user but these roles does not exist in ldap, so the application authenticates only the username(or userid) from ldap.

The roles are stored separately in the database

Upon successful authentication from ldap, the userdetails and the roles are set into principal object custom userdetails object by implementing UserDetailsService

Problem:

User A logs in the application

User B logs in the application, User A session is getting destroyed(which should not have happened because User A has not logged out yet!)

User B logs out User A gets page not found, since its session is already destroyed when User B logged

The applicationContext-security.xml looks like this:

<beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> <beans:property name="loginFormUrl" value="/login.jsp" /> <beans:property name="forceHttps" value="true" /> </beans:bean> <beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"> <beans:property name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="expiredUrl" value="/login.jsp?login_error=2" /> </beans:bean> <beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"> <beans:constructor-arg value="/login.jsp" /> <beans:constructor-arg> <beans:list> <beans:ref bean="logoutEventBroadcaster" /> <beans:bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" /> </beans:list> </beans:constructor-arg> <beans:property name="filterProcessesUrl" value="/j_spring_security_logout" /> </beans:bean> <beans:bean id="myAuthFilter" class="com.*.security.CustomAuthenticationProcessingFilter"> <beans:property name="sessionAuthenticationStrategy" ref="sas" /> <beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="authenticationFailureHandler" ref="failureHandler" /> <beans:property name="authenticationSuccessHandler" ref="successHandler" /> </beans:bean> <authentication-manager alias="authenticationManager"> <authentication-provider ref="adAuthenticationProvider" /> </authentication-manager> <beans:bean id="adAuthenticationProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider"> <beans:constructor-arg value="*.*.net" /> <beans:constructor-arg value="ldap://*.*.net:389/" /> <beans:property name="userDetailsContextMapper"> <beans:bean class="com.ezadvice.service.CustomUserDetailsContextMapper" /> </beans:property> <beans:property name="useAuthenticationRequestCredentials" value="true" /> </beans:bean> <beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> <beans:property name="defaultFailureUrl" value="/login.jsp?login_error=1" /> </beans:bean> <beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> <beans:property name="defaultTargetUrl" value="/home.do" /> <beans:property name="alwaysUseDefaultTargetUrl" value="true"/> </beans:bean> <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="maximumSessions" value="1" /> <beans:property name="exceptionIfMaximumExceeded" value="true" /> <beans:property name="migrateSessionAttributes" value="false" /> </beans:bean> <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

The CustomAuthenticationProcessingFilter class looks like this:
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { String roleId = request.getParameter("roleId"); String username = request.getParameter("j_username"); TbEzaLoginHistory tbEzaLoginHistory = null; // check if the user has authority for the role TbEzaUser tbEzaUser = userManagementService.checkUserAndRole(roleId, username); if (null != tbEzaUser) { tbEzaLoginHistory = userManagementService.saveLoginHistory(tbEzaUser, roleId); request.setAttribute("loginHistoryId", tbEzaLoginHistory.getLoginKey()); request.setAttribute("roleId", roleId); request.setAttribute("j_username", username); if (UserTracker.increment(username, roleId)) { try{ Authentication attemptAuthentication = super.attemptAuthentication(request, response); if (null != attemptAuthentication) { CustomUser principal = (CustomUser) attemptAuthentication.getPrincipal(); if (null == principal && null != tbEzaLoginHistory) userManagementService.deleteFromLoginHistory(tbEzaLoginHistory.getLoginKey()); return attemptAuthentication; } } catch (CommunicationException e) { userManagementService.deleteFromLoginHistory(tbEzaLoginHistory.getLoginKey()); UserTracker.decrement(username, roleId); RequestDispatcher dispatcher = request.getRequestDispatcher("/login.jsp?login_error=5"); try { dispatcher.forward(request, response); } catch (ServletException se) { se.printStackTrace(); } catch (IOException ioe) { ioe.printStackTrace(); } LOGGER.debug("Connection Timeout error for UserName:"+username +"\n" + e); e.printStackTrace(); } }else { if (null != tbEzaLoginHistory) userManagementService.deleteFromLoginHistory(tbEzaLoginHistory.getLoginKey()); RequestDispatcher dispatcher = request.getRequestDispatcher("/login.jsp?login_error=4"); try { dispatcher.forward(request, response); } catch (ServletException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } } } else { RequestDispatcher dispatcher = request.getRequestDispatcher("/login.jsp?login_error=3"); try { dispatcher.forward(request, response); } catch (ServletException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } }

The UserTracker class looks like this:

@SuppressWarnings("unchecked") synchronized public static boolean increment(String userName, String roleId) { if(loggedInUsersDetails.add(userName.toLowerCase()+'~'+roleId)){ return true; }else return false; } synchronized public static void decrement(String userName, String roleId) { loggedInUsersDetails.remove(userName.toLowerCase()+'~'+roleId); }

Can anyone help me to find out, why the User A's session is getting destroyed ?

Why did you write a custom CustomAuthenticationProcessingFilter

Instead of just a custom UserDetailsService. In which you extend the LDap UserDetailsService then add code to look up the roles from the database.

I am thinking you have an error of some kind in your custom filter that is deleting the other user's security context.

Mark

I had written CustomAuthenticationProcessingFilter class because spring-security's concurrency control was not working.
Also, I had to check whether the username and their role had access to login to the application.

But, forgetting the above problems, I have even tried removing CustomAuthenticationProcessingFilter class
completely(replacing by class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" in context file)
and having only custom implementation of UserDetailsService(for DB Access) & UserDetailsContextMapper(for Ldap Access), still the problem persists.
The User's A session is getting destroyed as soon as User B is logging in the application.

I am sorry. But I just still don't understand why you seem to be making it more complex than it needs to be. It sounds like you are using the latest version of Spring Security but trying to do some older style of configuration usage of it.

For instance, you say "(replacing by class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" in context file) "

Why would you even have to know that class or use it directly in the context file?

If you create a custom UserDetailsService and use it your configuration is very basic, you don't need to know any Spring Security class in your configuration. Just using the security namespace.

In you web.xml you just deploy the DelegatingFilterProxy and map it to all the URLs in your web app.

Then in a security-config.xml file use

<security:http>
</security:http>

And then map your incloming URLs to roles.

For setting up the custom UserDetailsService you would have

<security:authentication-provider user-details-service="yourCustomUDSBean"/>

Maybe wrapped inside <security:authenitication-manager> tags

What does your configuration file look like?

Mark

As suggested, I have rewritten the security context with basic configuration and now facing the concurency control problem.
My application-security looks like this:

<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <global-method-security secured-annotations="enabled" pre-post-annotations="enabled"> </global-method-security> <http pattern="/login.jsp*" security="none" /> <http pattern="/css" security="none" /> <http pattern="/dwr" security="none" /> <http pattern="/images" security="none" /> <http pattern="/resources" security="none" /> <http auto-config="true" use-expressions="true"> <session-management invalid-session-url="/login.jsp?login_error=2" /> <intercept-url pattern="/login.jsp*" access="permitAll" requires-channel="https" /> <intercept-url pattern="/" access="isAuthenticated()" /> <intercept-url pattern="/accessDenied.jsp" access="permitAll" /> <intercept-url pattern="/*.do" access="isAuthenticated()" /> <form-login login-page="/login.jsp" authentication-failure-handler-ref="failureHandler" authentication-success-handler-ref="successHandler" authentication-failure-url="/login.jsp?login_error=1" /> <access-denied-handler error-page="/accessDenied.jsp" /> <logout invalidate-session="true" logout-success-url="/login.jsp" logout-url="/j_spring_security_logout" /> <session-management session-authentication-strategy-ref="sas" /> </http> <beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> <beans:property name="defaultTargetUrl" value="/home.do" /> <beans:property name="alwaysUseDefaultTargetUrl" value="true"></beans:property> </beans:bean> <beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> <beans:property name="defaultFailureUrl" value="/login.jsp?login_error=1" /> </beans:bean> <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="maximumSessions" value="1" /> <beans:property name="exceptionIfMaximumExceeded" value="true" /> <beans:property name="migrateSessionAttributes" value="false" /> </beans:bean> <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> <beans:bean id="logoutEventBroadcaster" class="com.elearn.security.LogoutEventBroadcaster"> </beans:bean> <beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener" /> <authentication-manager alias="authenticationManager"> <authentication-provider ref="adAuthenticationProvider" /> </authentication-manager> <beans:bean id="adAuthenticationProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider"> <beans:constructor-arg value="*.*.net" /> <beans:constructor-arg value="ldap://*.*.net:389/" /> <beans:property name="userDetailsContextMapper"> <beans:bean class="com.*.*.CustomADSUserDetailsContextMapper" /> </beans:property> <beans:property name="useAuthenticationRequestCredentials" value="true" /> </beans:bean> </beans:beans>

Finally found the solution to the above problem. There were multiple causes:

While testing the above problem I was making a mistake, that I was trying to achieve concurrency control when users opens the application in a tabbed browser.

Spring internally stores the ip address of the machine to prevent multiple users to login from same machine. Thus had to make code changes so that user's having multiple roles are not allowed to login from the same machine.