SecurityContext In HttpSession after closing Browser with Spring Security

Anyone know why the SecurityContext would still be in session after closing the browser?  I'm not using remember me but the below cookies are being written.  If I clear the cookies then I get a null SecurityContext after closing and reopening the browser as expected.

**cookies:**
PREF=ID=00446c4b289785bd:U=0971ea0c82ca0d2a:FF=0:TM=1302338465:LM=1302338536:S=wgJ_uXt7h9mTRwf5

**debug trace:**
01:58:41,315 DEBUG FilterChainProxy:375 - /auth/login.html at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
01:58:41,315 DEBUG HttpSessionSecurityContextRepository:166 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@d8371bf1: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d8371bf1: Principal: com.dc.api.model.Users@2d5574b5; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 442623FAEEE4E7C326D938471ED0EA6F; Granted Authorities: com.dc.api.model.Authority@426551c1'

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans
        xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:util="http://www.springframework.org/schema/util"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/util
        http://www.springframework.org/schema/util/spring-util-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd">
        <context:annotation-config />
        <context:component-scan base-package="dc" />
        <global-method-security />
        <http access-denied-page="/auth/denied.html">
            <intercept-url filters="none" pattern="/javax.faces.resource/**" />
            <intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
            <intercept-url filters="none" pattern="/preregistered/*"/>
            <intercept-url
                pattern="/**/*.xhtml"
                access="ROLE_NONE_GETS_ACCESS" />
            <intercept-url
                pattern="/auth/**"
                access="ROLE_ANONYMOUS,ROLE_USER" />
            <intercept-url
                pattern="/auth/*"
                access="ROLE_ANONYMOUS" />
            <intercept-url
                pattern="/registered/*"
                access="ROLE_USER" />
            <form-login
                login-processing-url="/j_spring_security_check.html"
                login-page="/auth/login.html"
                default-target-url="/registered/home.html"
                authentication-failure-url="/auth/login.html" />
            <logout invalidate-session="true"
                logout-url="/auth/logout.html"
                success-handler-ref="DCLogoutSuccessHandler"/>
        </http>
        <!-- Configure the authentication provider -->
        <authentication-manager alias="am">
            <authentication-provider user-service-ref="userManager">
                <password-encoder ref="passwordEncoder" />
            </authentication-provider>
            <authentication-provider ref="xmlAuthenticationProvider" />
        </authentication-manager>
    </beans:beans>


cgray1223 Asked:
 
cgray1223 (Author) Commented:
This did the trick: <session-management session-fixation-protection="none"/>
0
 
objects Commented:
Just closing the browser window does not send any request to the server nor make any changes to cookies etc., so I would not expect it to change anything.
0
 
cgray1223 (Author) Commented:
Hi objects... the problem seems to be switching from https (login form) to http (landing page after successful login). I have my login page under https but then I want my default-target-url to be under http, but when I do this and my default-target-url is matched by Spring it has a null HttpSession and thusly a null SecurityContext and auths me as anonymous role instead of user. When I have both under https it's no problem. Any ideas on how to support this? Thanks for your help!

10:47:51,373 DEBUG DefaultListableBeanFactory:242 - Returning cached instance of singleton bean 'eventDispatcher'
10:47:51,374 DEBUG SessionFixationProtectionStrategy:84 - Invalidating session with Id '3DFFA5FE669496C0A83781B8B8672033' and migrating attributes.
10:47:51,375 DEBUG SessionFixationProtectionStrategy:94 - Started new session: BF8ECD94D1C4821381C8EED0284D1AE6
10:47:51,376 DEBUG UsernamePasswordAuthenticationFilter:289 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48ad5079: Principal: com.dc.api.model.Users@1f529f0; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 76.102.97.125; SessionId: 3DFFA5FE669496C0A83781B8B8672033; Granted Authorities: com.dc.api.model.Authority@1a1de34
10:47:51,377 DEBUG DefaultListableBeanFactory:242 - Returning cached instance of singleton bean 'eventDispatcher'
10:47:51,378 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /registered/home.html
10:47:51,378 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/dreamcatcher/registered/home.html'
10:47:51,379 DEBUG HttpSessionSecurityContextRepository:360 - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@48ad5079: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48ad5079: Principal: com.dc.api.model.Users@1f529f0; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 76.102.97.125; SessionId: 3DFFA5FE669496C0A83781B8B8672033; Granted Authorities: com.dc.api.model.Authority@1a1de34'

10:47:51,531 DEBUG DefaultFilterInvocationSecurityMetadataSource:200 - Candidate is: '/registered/home.html'; pattern is /registered/*; matched=true
10:47:51,532 DEBUG ChannelProcessingFilter:99 - Request: FilterInvocation: URL: /registered/home.html; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
10:47:51,532 DEBUG FilterChainProxy:375 - /registered/home.html at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:47:51,532 DEBUG HttpSessionSecurityContextRepository:130 - No HttpSession currently exists
10:47:51,532 DEBUG HttpSessionSecurityContextRepository:88 - No SecurityContext was available from the HttpSession: null. A new one will be created.
10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 5 of 11 in additional filter chain; firing Filter: 'XMLAuthenticationFilter'
10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
10:47:51,534 DEBUG FilterChainProxy:375 - /registered/home.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
10:47:51,534 DEBUG FilterChainProxy:375 - /registered/home.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
10:47:51,534 DEBUG AnonymousAuthenticationFilter:67 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@d45589d8: Principal: guest; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 76.102.97.125; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'


config:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans
        xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:util="http://www.springframework.org/schema/util"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/util
        http://www.springframework.org/schema/util/spring-util-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd">
        <context:annotation-config />
        <context:component-scan base-package="dc" />
        <global-method-security />
        <http access-denied-page="/auth/denied.html">
            <intercept-url filters="none" pattern="/javax.faces.resource/**" />
            <intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
            <intercept-url filters="none" pattern="/preregistered/*"/>
            <intercept-url
                pattern="/**/*.xhtml"
                access="ROLE_NONE_GETS_ACCESS" />
            <intercept-url
                pattern="/auth/*"
                access="ROLE_ANONYMOUS,ROLE_USER" requires-channel="https"/>
            <intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
            <intercept-url
                pattern="/preregistered/*"
                access="ROLE_ANONYMOUS,ROLE_USER" requires-channel="http"/>
            <intercept-url
                pattern="/registered/*"
                access="ROLE_USER" requires-channel="http"/>
            <form-login
                login-processing-url="/j_spring_security_check.html"
                login-page="/auth/login.html"
                default-target-url="/registered/home.html"
                authentication-failure-url="/auth/login.html" />
            <logout invalidate-session="true"
                logout-url="/auth/logout.html"
                success-handler-ref="DCLogoutSuccessHandler"/>
            <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
        </http>
        <!-- Configure the authentication provider -->
        <authentication-manager>
            <authentication-provider user-service-ref="userManager">
                <password-encoder ref="passwordEncoder" />
            </authentication-provider>
        </authentication-manager>
    </beans:beans>
0
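
An alternative to switching session-fixation protection off, as an added example that is not from the thread: keep the post-login pages on HTTPS so the session cookie issued during the HTTPS login is still sent after the redirect. It assumes the servlet container marks session cookies created over HTTPS as Secure (Tomcat does), and it reuses the bean names and URL patterns from the configuration above.

```xml
<!-- Added example: <http> element only, Spring Security 3.0 namespace.
     The filters="none" entries and the rest of the file stay as posted. -->
<http access-denied-page="/auth/denied.html">
    <intercept-url pattern="/auth/*"
        access="ROLE_ANONYMOUS,ROLE_USER" requires-channel="https"/>
    <!-- Pattern chosen to match the login-processing-url configured below. -->
    <intercept-url pattern="/j_spring_security_check.html"
        access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>

    <!-- Before: requires-channel="http". Under the Secure-cookie assumption the
         browser does not send the session cookie set during the HTTPS login on
         the HTTP redirect, so SecurityContextPersistenceFilter finds no
         HttpSession and the request falls back to the anonymous token, as in
         the trace above. -->
    <intercept-url pattern="/registered/*"
        access="ROLE_USER" requires-channel="https"/>

    <form-login
        login-processing-url="/j_spring_security_check.html"
        login-page="/auth/login.html"
        default-target-url="/registered/home.html"
        authentication-failure-url="/auth/login.html"/>
    <logout invalidate-session="true"
        logout-url="/auth/logout.html"
        success-handler-ref="DCLogoutSuccessHandler"/>

    <!-- Before: session-fixation-protection="none", which keeps the pre-login
         session id after authentication. "migrateSession" (the default) issues
         a new session id at login and copies the attributes across. -->
    <session-management session-fixation-protection="migrateSession"/>
</http>
```

With this layout the authenticated session id is never carried over plain HTTP, and the new id created at login reaches `/registered/home.html` because the redirect stays on the same channel.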
 
Kevin Cross, Chief Technology Officer, Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Question has a verified solution.
