cgray1223
asked on
SecurityContext In HttpSession after closing Browser with Spring Security
Anyone know why the SecurityContext would still be in session after closing the browser? I'm not using remember me but the below cookies are being written. If I clear the cookies then I get a null SecurityContext after closing and reopening the browser as expected.
**cookies:**
PREF=ID=00446c4b289785bd:U=0971ea0c82ca0d2a:FF=0:TM=1302338465:LM=1302338536:S=wgJ_uXt7h9mTRwf5
debug trace
01:58:41,315 DEBUG FilterChainProxy:375 - /auth/login.html at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
01:58:41,315 DEBUG HttpSessionSecurityContextRepository:166 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@d8371bf1: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d8371bf1: Principal: com.dc.api.model.Users@2d5574b5; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 442623FAEEE4E7C326D938471ED0EA6F; Granted Authorities: com.dc.api.model.Authority@426551c1'
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:annotation-config />
<context:component-scan base-package="dc" />
<global-method-security />
<http access-denied-page="/auth/denied.html">
<intercept-url filters="none" pattern="/javax.faces.resource/**" />
<intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
<intercept-url filters="none" pattern="/preregistered/*"/>
<intercept-url
pattern="/**/*.xhtml"
access="ROLE_NONE_GETS_ACCESS" />
<intercept-url
pattern="/auth/**"
access="ROLE_ANONYMOUS,ROLE_USER" />
<intercept-url
pattern="/auth/*"
access="ROLE_ANONYMOUS" />
<intercept-url
pattern="/registered/*"
access="ROLE_USER" />
<form-login
login-processing-url="/j_spring_security_check.html"
login-page="/auth/login.html"
default-target-url="/registered/home.html"
authentication-failure-url="/auth/login.html" />
<logout invalidate-session="true"
logout-url="/auth/logout.html"
success-handler-ref="DCLogoutSuccessHandler"/>
</http>
<!-- Configure the authentication provider -->
<authentication-manager alias="am">
<authentication-provider user-service-ref="userManager">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
<authentication-provider ref="xmlAuthenticationProvider" />
</authentication-manager>
</beans:beans>
Just closing the browser window does not send any request to the server nor make any changes to cookies etc., so I would not expect it to change anything.
ASKER
Hi objects... the problem seems to be switching from https (login form) to http (landing page after successful login). I have my login page under https but then I want my default-target-url to be under http, but when I do this and my default-target-url is matched by Spring it has a null HttpSession and thus a null SecurityContext and auths me as the anonymous role instead of user. When I have both under https it's no problem. Any ideas on how to support this? Thanks for your help!
10:47:51,373 DEBUG DefaultListableBeanFactory :242 - Returning cached instance of singleton bean 'eventDispatcher'
10:47:51,374 DEBUG SessionFixationProtectionStrategy:84 - Invalidating session with Id '3DFFA5FE669496C0A83781B8B8672033' and migrating attributes.
10:47:51,375 DEBUG SessionFixationProtectionStrategy:94 - Started new session: BF8ECD94D1C4821381C8EED0284D1AE6
10:47:51,376 DEBUG UsernamePasswordAuthenticationFilter:289 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48ad5079: Principal: com.dc.api.model.Users@1f529f0; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 76.102.97.125; SessionId: 3DFFA5FE669496C0A83781B8B8672033; Granted Authorities: com.dc.api.model.Authority@1a1de34
10:47:51,377 DEBUG DefaultListableBeanFactory:242 - Returning cached instance of singleton bean 'eventDispatcher'
10:47:51,378 DEBUG SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url: /registered/home.html
10:47:51,378 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/dreamcatcher/registered/home.html'
10:47:51,379 DEBUG HttpSessionSecurityContextRepository:360 - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@48ad5079: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48ad5079: Principal: com.dc.api.model.Users@1f529f0; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 76.102.97.125; SessionId: 3DFFA5FE669496C0A83781B8B8672033; Granted Authorities: com.dc.api.model.Authority@1a1de34'
10:47:51,531 DEBUG DefaultFilterInvocationSecurityMetadataSource:200 - Candidate is: '/registered/home.html'; pattern is /registered/*; matched=true
10:47:51,532 DEBUG ChannelProcessingFilter:99 - Request: FilterInvocation: URL: /registered/home.html; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
10:47:51,532 DEBUG FilterChainProxy:375 - /registered/home.html at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:47:51,532 DEBUG HttpSessionSecurityContextRepository:130 - No HttpSession currently exists
10:47:51,532 DEBUG HttpSessionSecurityContextRepository:88 - No SecurityContext was available from the HttpSession: null. A new one will be created.
10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 5 of 11 in additional filter chain; firing Filter: 'XMLAuthenticationFilter'
10:47:51,533 DEBUG FilterChainProxy:375 - /registered/home.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
10:47:51,534 DEBUG FilterChainProxy:375 - /registered/home.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
10:47:51,534 DEBUG FilterChainProxy:375 - /registered/home.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
10:47:51,534 DEBUG AnonymousAuthenticationFilter:67 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@d45589d8: Principal: guest; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 76.102.97.125; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
config:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:annotation-config />
<context:component-scan base-package="dc" />
<global-method-security />
<http access-denied-page="/auth/denied.html">
<intercept-url filters="none" pattern="/javax.faces.resource/**" />
<intercept-url filters="none" pattern="/services/rest-api/1.0/**" />
<intercept-url filters="none" pattern="/preregistered/*" />
<intercept-url
pattern="/**/*.xhtml"
access="ROLE_NONE_GETS_ACCESS" />
<intercept-url
pattern="/auth/*"
access="ROLE_ANONYMOUS,ROLE_USER" requires-channel="https"/>
<intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
<intercept-url
pattern="/preregistered/*"
access="ROLE_ANONYMOUS,ROLE_USER" requires-channel="http"/>
<intercept-url
pattern="/registered/*"
access="ROLE_USER" requires-channel="http"/>
<form-login
login-processing-url="/j_spring_security_check.html"
login-page="/auth/login.html"
default-target-url="/registered/home.html"
authentication-failure-url="/auth/login.html" />
<logout invalidate-session="true"
logout-url="/auth/logout.html"
success-handler-ref="DCLogoutSuccessHandler"/>
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
</http>
<!-- Configure the authentication provider -->
<authentication-manager>
<authentication-provider user-service-ref="userManager">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
</beans:beans>
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.