I'm using spring security 3.0.2. All the application pages are secured, so you must be authenticated to see them.
I'm using https protocol.
I have a strange problem: after a successful login and redirect to the requested page, when I try to open any link to another page in the application, the session is invalidated or lost, the user becomes anonymous and is redirected to the login page. I got this from debugging:
No HttpSession currently exists
No SecurityContext was available from the HttpSession: null. A new one will be created.
After reviewing the code many times, I found nothing in it that invalidates the session. Any ideas? Why might something like this happen?
Could be a cookie domain or cookie path problem. Is your https login page on the same path/domain?
I had the same problem. I migrated from JBoss 7.0 to WildFly 8.0. In JBoss 7.0 the behavior was OK (login succeeded and redirected to the index page), but in WildFly the login succeeded and redirected to the index page, and then the session was lost and Spring Security redirected to the login page again.
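I looked at the cookies in the browser (Chrome) and there were two JSESSIONID cookies for the same domain (127.0.0.1) with different values. I deleted all the cookies and logged in again, and this time it worked. Presumably a stale JSESSIONID left over from the old server was being sent alongside the new one, so the container could not find the authenticated session.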
app-security.xml:
<!--
  Spring Security namespace configuration (schemas pinned to the 3.0 XSDs).
  intercept-url entries are matched in the order listed and the first match wins,
  so the specific /p/... entries take effect before the catch-all /p/** rule.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- Enables the @PreAuthorize/@PostAuthorize family of annotations for method-level checks. -->
<global-method-security pre-post-annotations="enabled">
</global-method-security>
<!--
  use-expressions="true": access attributes below are expressions (permitAll, isAuthenticated()).
  disable-url-rewriting="true": the session id is never appended to URLs (;jsessionid=...),
  which keeps it out of links, logs and Referer headers. The consequence is that the session
  is tracked by the JSESSIONID cookie alone; if the browser does not return the right cookie
  (path/domain mismatch, or a stale duplicate), every request looks like a new anonymous one.
-->
<http use-expressions="true" disable-url-rewriting="true">
<!--
  Persistent remember-me tokens, stored through the tokenRepository bean declared below.
  1209600 seconds = 14 days. The remember-me cookie is a long-lived credential.
  NOTE(review): confirm it is only ever sent over HTTPS and that tokens are revoked
  when a user changes their password.
-->
<remember-me token-repository-ref="tokenRepository"
token-validity-seconds="1209600"/>
<access-denied-handler error-page="/error.jsp"/>
<intercept-url pattern="/" access="permitAll" />
<!--
  filters="none" removes matching requests from the Spring Security filter chain altogether:
  no access check is applied and no SecurityContext is loaded for them. Reasonable for static assets.
  NOTE(review): /**/files/** matches a "files" path segment at any depth; confirm that nothing
  private (uploads, exports) is served from such a path.
-->
<intercept-url pattern="/**/images/**" filters="none" />
<intercept-url pattern="/**/files/**" filters="none" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/scripts/**" filters="none" />
<intercept-url pattern="/styles/**" filters="none" />
<!--
  The four pages below are also outside the filter chain, so their handlers cannot see who
  the caller is through Spring Security.
  NOTE(review): /p/changePassword is reachable without authentication here; confirm the handler
  verifies the user itself (current password or a reset token) before changing anything.
-->
<intercept-url pattern="/p/login" filters="none" />
<intercept-url pattern="/p/register" filters="none" />
<intercept-url pattern="/p/forgotPassword" filters="none" />
<intercept-url pattern="/p/changePassword" filters="none" />
<!-- Everything else under /p/ requires an authenticated user. -->
<intercept-url pattern="/p/**" access="isAuthenticated()" />
<!--
  com.rememberMeFilter is an application class that is not shown here; it is added at the end
  of the chain in addition to the namespace remember-me support above.
  NOTE(review): what it does cannot be told from this file; confirm it does not create or
  replace the session or the SecurityContext on ordinary requests.
-->
<custom-filter position="LAST" ref="rememberMeFilter"/>
<!--
  Form login. myAuthenticationHandler (application class, not shown) handles the redirect
  after a successful login.
  NOTE(review): with the default session-fixation protection a new session is presumably
  created at login, so the browser receives a new JSESSIONID at this point; verify that
  the new cookie is the one sent on the following requests.
-->
<form-login
login-processing-url="/j_spring_security_check"
login-page="/p/login"
authentication-failure-url="/p/login?login_error=1"
authentication-success-handler-ref="myAuthenticationHandler"
/>
<!-- Logout with the namespace defaults (no attributes set). -->
<logout />
</http>
<beans:bean id="myAuthenticationHandler" class="com.myAuthenticationHandler" />
<beans:bean id="rememberMeFilter" class="com.rememberMeFilter" />
<!-- JDBC-backed store for the persistent remember-me tokens; uses the dataSource bean defined elsewhere. -->
<beans:bean id="tokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
<beans:property name="dataSource" ref="dataSource"/>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<!--
  hash="md5" with no salt-source child: passwords are compared as unsalted MD5 digests.
  MD5 is fast to brute-force and, unsalted, exposed to precomputed tables if the Users table leaks.
  NOTE(review): plan a migration to a salted, deliberately slow password hash. Changing this
  attribute alone would invalidate every stored password, so existing users need to be
  re-hashed at their next successful login or sent through a reset.
-->
<password-encoder hash="md5"/>
<!--
  Both queries bind the username through a ? placeholder (no string concatenation).
  The submitted name is lower-cased before comparison, so stored usernames are presumably
  lower case; TODO confirm. The authorities query returns rows only when enabled=1.
-->
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT u.username,u.password,u.enabled
FROM Users u where u.username=lower(?)"
authorities-by-username-query="SELECT a.username,a.authority
FROM Users u, authorities a
WHERE u.username=a.username
and u.username=lower(?) and enabled=1"/>
</authentication-provider>
</authentication-manager>
</beans:beans>