spring security 3.1 destroys existing session with active user logged in

 
Greenhorn
Posts: 4
I have an application with Spring Security 3.1 and LDAP integration. Below are the key points in the requirement and implementation so far:
  • The application will have multiple roles for a single user, but these roles do not exist in LDAP, so the application authenticates only the username (or userid) from LDAP.
  • The roles are stored separately in the database.
  • Upon successful authentication from LDAP, the user details and the roles are set into the principal object (a custom UserDetails object) by implementing UserDetailsService.


Problem:
  • User A logs in to the application.
  • User B logs in to the application; User A's session is getting destroyed (which should not have happened, because User A has not logged out yet!).
  • User B logs out; User A gets page not found, since its session was already destroyed when User B logged in.


  • The applicationContext-security.xml looks like this:



    The CustomAuthenticationProcessingFilter class looks like this:


    The UserTracker class looks like this:



    Can anyone help me find out why User A's session is getting destroyed?
     
    ranger
    Posts: 17347
    Why did you write a custom CustomAuthenticationProcessingFilter instead of just a custom UserDetailsService, in which you extend the LDAP UserDetailsService and then add code to look up the roles from the database?

    I am thinking you have an error of some kind in your custom filter that is deleting the other user's security context.

    Mark
     
    Pushpa Kushwaha
    Greenhorn
    Posts: 4
    I had written the CustomAuthenticationProcessingFilter class because spring-security's concurrency control was not working.
    Also, I had to check whether the username and their role had access to log in to the application.

    But, forgetting the above problems, I have even tried removing the CustomAuthenticationProcessingFilter class
    completely (replacing it by class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" in the context file)
    and having only custom implementations of UserDetailsService (for DB access) & UserDetailsContextMapper (for LDAP access); still the problem persists.
    User A's session is getting destroyed as soon as User B logs in to the application.
     
    Mark Spritzler
    ranger
    Posts: 17347
    I am sorry. But I just still don't understand why you seem to be making it more complex than it needs to be. It sounds like you are using the latest version of Spring Security but trying to do some older style of configuration usage of it.

    For instance, you say "(replacing by class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" in context file) "

    Why would you even have to know that class or use it directly in the context file?

    If you create a custom UserDetailsService and use it, your configuration is very basic. You don't need to know any Spring Security class in your configuration, just use the security namespace.

    In your web.xml you just deploy the DelegatingFilterProxy and map it to all the URLs in your web app.

    Then in a security-config.xml file use

    <security:http>
    </security:http>

    And then map your incoming URLs to roles.

    For setting up the custom UserDetailsService you would have

    <security:authentication-provider user-service-ref="yourCustomUDSBean"/>

    Maybe wrapped inside <security:authentication-manager> tags

    What does your configuration file look like?

    Mark
     
    Pushpa Kushwaha
    Greenhorn
    Posts: 4
    As suggested, I have rewritten the security context with basic configuration and am now facing the concurrency control problem.
    My application-security looks like this:

     
    Pushpa Kushwaha
    Greenhorn
    Posts: 4
    Finally found the solution to the above problem. There were multiple causes:


  • While testing the above problem I was making a mistake: I was trying to achieve concurrency control when users open the application in a tabbed browser.

  • Spring internally stores the IP address of the machine to prevent multiple users from logging in from the same machine. Thus I had to make code changes so that users having multiple roles are not allowed to log in from the same machine.
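
As an added example (not code from any post in this thread): a minimal security-namespace configuration of the kind discussed above, with LDAP authentication, roles supplied by a UserDetailsContextMapper, and concurrency control. The host, DN pattern, URL patterns, role names and the dbRolesContextMapper bean and class are placeholder assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Host, DN pattern, URL patterns, role
     names and the dbRolesContextMapper bean/class are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/login*" access="permitAll"/>
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <security:form-login login-page="/login"/>
    <security:logout invalidate-session="true"/>

    <!-- One session per principal. This also needs the listener
         org.springframework.security.web.session.HttpSessionEventPublisher
         in web.xml so ended sessions are removed from the registry. -->
    <security:session-management>
      <security:concurrency-control max-sessions="1"
                                    error-if-maximum-exceeded="true"/>
    </security:session-management>
  </security:http>

  <security:ldap-server url="ldap://ldap.example.invalid:389/dc=example,dc=invalid"/>

  <security:authentication-manager>
    <!-- LDAP bind checks the password; the mapper supplies the UserDetails. -->
    <security:ldap-authentication-provider
        user-dn-pattern="uid={0},ou=people"
        user-context-mapper-ref="dbRolesContextMapper"/>
  </security:authentication-manager>

  <!-- Hypothetical UserDetailsContextMapper: loads the user's roles from the
       database. The session registry looks sessions up by principal, so the
       UserDetails it returns must implement equals() and hashCode(). -->
  <bean id="dbRolesContextMapper" class="com.example.security.DbRolesContextMapper"/>
</beans>
```

Tabs of one browser share a single session cookie, so exercising max-sessions needs two separate browsers or browser profiles.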

