
Spring security 3.1 : session concurrency control not working, why?

I'm trying to use concurrent session security with Spring Security 3.1.4, but it's not working and I don't understand why. Tomcat HTTPS is configured to redirect HTTP requests, but I don't know if it's playing a role in the actual problem.

Could you give me a hand with this?

Thanks.

This is my Spring Security XML.

 <security:http auto-config="true" use-expressions="true" disable-url-rewriting="true">
     <security:intercept-url pattern="/Loginsucess*" access="isAuthenticated()"  />
     <security:intercept-url pattern="/Login" access="hasRole('ROLE_ANONYMOUS')" />   
     <security:intercept-url pattern="/Login/Error" access="hasRole('ROLE_ANONYMOUS')" />    
     <security:form-login  login-page="/Login"  login-processing-url="/j_spring_security_check"  authentication-failure-url="/Login/Error" default-target-url="/Loginsucess" />
     <security:logout logout-url="/j_spring_security_logout" logout-success-url="/Login" delete-cookies="JSESSIONID"  invalidate-session="true"/>
     <security:anonymous/>
     <security:session-management invalid-session-url="/Login" >
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"  />
     </security:session-management>
     <security:port-mappings>
      <security:port-mapping http="8086" https="8443"/>
     </security:port-mappings>
</security:http>

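I already added this to my web.xml:

<!-- Publishes HttpSession created/destroyed events to the Spring context so the session registry can track them -->
<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>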

EDIT:

FIRST LOGIN ON 1 MACHINE:

> 17:57:17,116 DEBUG FilterChainProxy:337 - /j_spring_security_check at
> position 1 of 11 in additional filter chain; firing Filter:
> 'SecurityContextPersistenceFilter' 17:57:17,117 DEBUG
> HttpSessionSecurityContextRepository:139 - HttpSession returned null
> object for SPRING_SECURITY_CONTEXT 17:57:17,117 DEBUG
> HttpSessionSecurityContextRepository:85 - No SecurityContext was
> available from the HttpSession:
> org.apache.catalina.session.StandardSessionFacade@1a60232c. A new one
> will be created. 17:57:17,117 DEBUG FilterChainProxy:337 -
> /j_spring_security_check at position 2 of 11 in additional filter
> chain; firing Filter: 'ConcurrentSessionFilter' 17:57:17,117 DEBUG
> FilterChainProxy:337 - /j_spring_security_check at position 3 of 11 in
> additional filter chain; firing Filter: 'LogoutFilter' 17:57:17,117
> DEBUG FilterChainProxy:337 - /j_spring_security_check at position 4 of
> 11 in additional filter chain; firing Filter:
> 'UsernamePasswordAuthenticationFilter' 17:57:17,117 DEBUG
> UsernamePasswordAuthenticationFilter:189 - Request is to process
> authentication 17:57:17,118 DEBUG ProviderManager:152 - Authentication
> attempt using
> org.springframework.security.authentication.dao.DaoAuthenticationProvider
> Hibernate: select user0_.id as id1_13_, user0_.username as
> username2_13_, user0_.firstname as firstnam3_13_, user0_.lastname as
> lastname4_13_, user0_.password as password5_13_, user0_.email as
> email6_13_, user0_.enabled as enabled7_13_ from biomoltracker.LOG_user
> user0_ where user0_.username=? Hibernate: select roles1_.role_name as
> col_0_0_ from biomoltracker.LOG_user user0_ inner join
> biomoltracker.LOG_role roles1_ on user0_.id=roles1_.id_user_fk where
> user0_.id=? 17:57:17,355 DEBUG ConcurrentSessionControlStrategy:88 -
> Invalidating session with Id '4A09DE3E6ACDE04373284600DACDBE39' and
> migrating attributes. 17:57:17,355 DEBUG HttpSessionEventPublisher:83
> - Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@1a60232c]
> 17:57:17,356 DEBUG HttpSessionEventPublisher:66 - Publishing event:
> org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@60e9ebe1]
> 17:57:17,356 DEBUG ConcurrentSessionControlStrategy:98 - Started new
> session: 7431CCBD3008FC59A2AF1C44632F33F0 17:57:17,356 DEBUG
> SessionRegistryImpl:107 - Registering session
> 7431CCBD3008FC59A2AF1C44632F33F0, for principal
> com.clb.genomic.lyon.model.User@654f8017 17:57:17,356 DEBUG
> UsernamePasswordAuthenticationFilter:317 - Authentication success.
> Updating SecurityContextHolder to contain:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@ff2ffd00:
> Principal: com.clb.genomic.lyon.model.User@654f8017; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@0:
> RemoteIpAddress: 192.168.154.18; SessionId:
> 4A09DE3E6ACDE04373284600DACDBE39; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN 17:57:17,357 DEBUG
> SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url:
> /Loginsucess 17:57:17,357 DEBUG DefaultRedirectStrategy:36 -
> Redirecting to '/Lyric/Loginsucess' 17:57:17,357 DEBUG
> HttpSessionSecurityContextRepository:292 - SecurityContext stored to
> HttpSession:
> 'org.springframework.security.core.context.SecurityContextImpl@ff2ffd00:
> Authentication:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@ff2ffd00:
> Principal: com.clb.genomic.lyon.model.User@654f8017; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@0:
> RemoteIpAddress: 192.168.154.18; SessionId:
> 4A09DE3E6ACDE04373284600DACDBE39; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN' 17:57:17,357 DEBUG
> SecurityContextPersistenceFilter:97 - SecurityContextHolder now
> cleared, as request processing completed 17:57:17,360 DEBUG
> FilterChainProxy:337 - /Loginsucess at position 1 of 11 in additional
> filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 17:57:17,361 DEBUG HttpSessionSecurityContextRepository:158 - Obtained
> a valid SecurityContext from SPRING_SECURITY_CONTEXT:
> 'org.springframework.security.core.context.SecurityContextImpl@ff2ffd00:
> Authentication:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@ff2ffd00:
> Principal: com.clb.genomic.lyon.model.User@654f8017; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@0:
> RemoteIpAddress: 192.168.154.18; SessionId:
> 4A09DE3E6ACDE04373284600DACDBE39; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN' 17:57:17,361 DEBUG FilterChainProxy:337 -
> /Loginsucess at position 2 of 11 in additional filter chain; firing
> Filter: 'ConcurrentSessionFilter' 17:57:17,361 DEBUG
> FilterChainProxy:337 - /Loginsucess at position 3 of 11 in additional
> filter chain; firing Filter: 'LogoutFilter' 17:57:17,361 DEBUG
> FilterChainProxy:337 - /Loginsucess at position 4 of 11 in additional
> filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
> 17:57:17,361 DEBUG FilterChainProxy:337 - /Loginsucess at position 5
> of 11 in additional filter chain; firing Filter:
> 'BasicAuthenticationFilter' 17:57:17,361 DEBUG FilterChainProxy:337 -
> /Loginsucess at position 6 of 11 in additional filter chain; firing
> Filter: 'RequestCacheAwareFilter' 17:57:17,362 DEBUG
> FilterChainProxy:337 - /Loginsucess at position 7 of 11 in additional
> filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 17:57:17,362 DEBUG FilterChainProxy:337 - /Loginsucess at position 8
> of 11 in additional filter chain; firing Filter:
> 'AnonymousAuthenticationFilter' 17:57:17,362 DEBUG
> AnonymousAuthenticationFilter:107 - SecurityContextHolder not
> populated with anonymous token, as it already contained:
> 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@ff2ffd00:
> Principal: com.clb.genomic.lyon.model.User@654f8017; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@0:
> RemoteIpAddress: 192.168.154.18; SessionId:
> 4A09DE3E6ACDE04373284600DACDBE39; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN' 17:57:17,362 DEBUG FilterChainProxy:337 -
> /Loginsucess at position 9 of 11 in additional filter chain; firing
> Filter: 'SessionManagementFilter' 17:57:17,362 DEBUG
> FilterChainProxy:337 - /Loginsucess at position 10 of 11 in additional
> filter chain; firing Filter: 'ExceptionTranslationFilter' 17:57:17,362
> DEBUG FilterChainProxy:337 - /Loginsucess at position 11 of 11 in
> additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 17:57:17,362 DEBUG AntPathRequestMatcher:116 - Checking match of
> request : '/loginsucess'; against '/loginsucess*' 17:57:17,363 DEBUG
> FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL:
> /Loginsucess; Attributes: [isAuthenticated()] 17:57:17,363 DEBUG
> FilterSecurityInterceptor:310 - Previously Authenticated:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@ff2ffd00:
> Principal: com.clb.genomic.lyon.model.User@654f8017; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@0:
> RemoteIpAddress: 192.168.154.18; SessionId:
> 4A09DE3E6ACDE04373284600DACDBE39; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN 17:57:17,363 DEBUG AffirmativeBased:65 -
> Voter:
> org.springframework.security.web.access.expression.WebExpressionVoter@6479b43f,
> returned: 1 17:57:17,363 DEBUG FilterSecurityInterceptor:215 -
> Authorization successful 17:57:17,363 DEBUG
> FilterSecurityInterceptor:227 - RunAsManager did not change
> Authentication object 17:57:17,364 DEBUG FilterChainProxy:323 -
> /Loginsucess reached end of additional filter chain; proceeding with
> original chain 17:57:17,469 DEBUG ExceptionTranslationFilter:115 -
> Chain processed normally 17:57:17,469 DEBUG
> SecurityContextPersistenceFilter:97 - SecurityContextHolder now
> cleared, as request processing completed

When a second user with the same (username/password) logs in from another machine:

> 8:01:47,309 DEBUG FilterChainProxy:337 - /j_spring_security_check at
> position 1 of 11 in additional filter chain; firing Filter:
> 'SecurityContextPersistenceFilter' 18:01:47,310 DEBUG
> HttpSessionSecurityContextRepository:139 - HttpSession returned null
> object for SPRING_SECURITY_CONTEXT 18:01:47,310 DEBUG
> HttpSessionSecurityContextRepository:85 - No SecurityContext was
> available from the HttpSession:
> org.apache.catalina.session.StandardSessionFacade@67a53697. A new one
> will be created. 18:01:47,310 DEBUG FilterChainProxy:337 -
> /j_spring_security_check at position 2 of 11 in additional filter
> chain; firing Filter: 'ConcurrentSessionFilter' 18:01:47,310 DEBUG
> FilterChainProxy:337 - /j_spring_security_check at position 3 of 11 in
> additional filter chain; firing Filter: 'LogoutFilter' 18:01:47,310
> DEBUG FilterChainProxy:337 - /j_spring_security_check at position 4 of
> 11 in additional filter chain; firing Filter:
> 'UsernamePasswordAuthenticationFilter' 18:01:47,310 DEBUG
> UsernamePasswordAuthenticationFilter:189 - Request is to process
> authentication 18:01:47,310 DEBUG ProviderManager:152 - Authentication
> attempt using
> org.springframework.security.authentication.dao.DaoAuthenticationProvider
> Hibernate: select user0_.id as id1_13_, user0_.username as
> username2_13_, user0_.firstname as firstnam3_13_, user0_.lastname as
> lastname4_13_, user0_.password as password5_13_, user0_.email as
> email6_13_, user0_.enabled as enabled7_13_ from biomoltracker.LOG_user
> user0_ where user0_.username=? Hibernate: select roles1_.role_name as
> col_0_0_ from biomoltracker.LOG_user user0_ inner join
> biomoltracker.LOG_role roles1_ on user0_.id=roles1_.id_user_fk where
> user0_.id=? 18:01:47,317 DEBUG ConcurrentSessionControlStrategy:88 -
> Invalidating session with Id 'E644740185BC8E28272BD4F80751D445' and
> migrating attributes. 18:01:47,318 DEBUG HttpSessionEventPublisher:83
> - Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@67a53697]
> 18:01:47,318 DEBUG HttpSessionEventPublisher:66 - Publishing event:
> org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@65447c32]
> 18:01:47,318 DEBUG ConcurrentSessionControlStrategy:98 - Started new
> session: 3694308C7FCA68AC5FFD1E442464FE50 18:01:47,318 DEBUG
> SessionRegistryImpl:107 - Registering session
> 3694308C7FCA68AC5FFD1E442464FE50, for principal
> com.clb.genomic.lyon.model.User@1b2c4d8f 18:01:47,319 DEBUG
> UsernamePasswordAuthenticationFilter:317 - Authentication success.
> Updating SecurityContextHolder to contain:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7eb37c04:
> Principal: com.clb.genomic.lyon.model.User@1b2c4d8f; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c:
> RemoteIpAddress: 192.168.154.20; SessionId:
> E644740185BC8E28272BD4F80751D445; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN 18:01:47,319 DEBUG
> SavedRequestAwareAuthenticationSuccessHandler:107 - Using default Url:
> /Loginsucess 18:01:47,319 DEBUG DefaultRedirectStrategy:36 -
> Redirecting to '/Lyric/Loginsucess' 18:01:47,319 DEBUG
> HttpSessionSecurityContextRepository:292 - SecurityContext stored to
> HttpSession:
> 'org.springframework.security.core.context.SecurityContextImpl@7eb37c04:
> Authentication:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7eb37c04:
> Principal: com.clb.genomic.lyon.model.User@1b2c4d8f; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c:
> RemoteIpAddress: 192.168.154.20; SessionId:
> E644740185BC8E28272BD4F80751D445; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN' 18:01:47,320 DEBUG
> SecurityContextPersistenceFilter:97 - SecurityContextHolder now
> cleared, as request processing completed 18:01:47,324 DEBUG
> FilterChainProxy:337 - /Loginsucess at position 1 of 11 in additional
> filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 18:01:47,324 DEBUG HttpSessionSecurityContextRepository:158 - Obtained
> a valid SecurityContext from SPRING_SECURITY_CONTEXT:
> 'org.springframework.security.core.context.SecurityContextImpl@7eb37c04:
> Authentication:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7eb37c04:
> Principal: com.clb.genomic.lyon.model.User@1b2c4d8f; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c:
> RemoteIpAddress: 192.168.154.20; SessionId:
> E644740185BC8E28272BD4F80751D445; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN' 18:01:47,324 DEBUG FilterChainProxy:337 -
> /Loginsucess at position 2 of 11 in additional filter chain; firing
> Filter: 'ConcurrentSessionFilter' 18:01:47,324 DEBUG
> FilterChainProxy:337 - /Loginsucess at position 3 of 11 in additional
> filter chain; firing Filter: 'LogoutFilter' 18:01:47,325 DEBUG
> FilterChainProxy:337 - /Loginsucess at position 4 of 11 in additional
> filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
> 18:01:47,325 DEBUG FilterChainProxy:337 - /Loginsucess at position 5
> of 11 in additional filter chain; firing Filter:
> 'BasicAuthenticationFilter' 18:01:47,325 DEBUG FilterChainProxy:337 -
> /Loginsucess at position 6 of 11 in additional filter chain; firing
> Filter: 'RequestCacheAwareFilter' 18:01:47,325 DEBUG
> FilterChainProxy:337 - /Loginsucess at position 7 of 11 in additional
> filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 18:01:47,325 DEBUG FilterChainProxy:337 - /Loginsucess at position 8
> of 11 in additional filter chain; firing Filter:
> 'AnonymousAuthenticationFilter' 18:01:47,325 DEBUG
> AnonymousAuthenticationFilter:107 - SecurityContextHolder not
> populated with anonymous token, as it already contained:
> 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7eb37c04:
> Principal: com.clb.genomic.lyon.model.User@1b2c4d8f; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c:
> RemoteIpAddress: 192.168.154.20; SessionId:
> E644740185BC8E28272BD4F80751D445; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN' 18:01:47,326 DEBUG FilterChainProxy:337 -
> /Loginsucess at position 9 of 11 in additional filter chain; firing
> Filter: 'SessionManagementFilter' 18:01:47,326 DEBUG
> FilterChainProxy:337 - /Loginsucess at position 10 of 11 in additional
> filter chain; firing Filter: 'ExceptionTranslationFilter' 18:01:47,326
> DEBUG FilterChainProxy:337 - /Loginsucess at position 11 of 11 in
> additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 18:01:47,326 DEBUG AntPathRequestMatcher:116 - Checking match of
> request : '/loginsucess'; against '/loginsucess*' 18:01:47,326 DEBUG
> FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL:
> /Loginsucess; Attributes: [isAuthenticated()] 18:01:47,326 DEBUG
> FilterSecurityInterceptor:310 - Previously Authenticated:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7eb37c04:
> Principal: com.clb.genomic.lyon.model.User@1b2c4d8f; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c:
> RemoteIpAddress: 192.168.154.20; SessionId:
> E644740185BC8E28272BD4F80751D445; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN 18:01:47,327 DEBUG AffirmativeBased:65 -
> Voter:
> org.springframework.security.web.access.expression.WebExpressionVoter@6479b43f,
> returned: 1 18:01:47,327 DEBUG FilterSecurityInterceptor:215 -
> Authorization successful 18:01:47,327 DEBUG
> FilterSecurityInterceptor:227 - RunAsManager did not change
> Authentication object 18:01:47,327 DEBUG FilterChainProxy:323 -
> /Loginsucess reached end of additional filter chain; proceeding with
> original chain 18:01:47,427 DEBUG ExceptionTranslationFilter:115 -
> Chain processed normally 18:01:47,427 DEBUG
> SecurityContextPersistenceFilter:97 - SecurityContextHolder now
> cleared, as request processing completed 18:01:56,039 DEBUG
> FilterChainProxy:337 - /j_spring_security_logout at position 1 of 11
> in additional filter chain; firing Filter:
> 'SecurityContextPersistenceFilter' 18:01:56,040 DEBUG
> HttpSessionSecurityContextRepository:158 - Obtained a valid
> SecurityContext from SPRING_SECURITY_CONTEXT:
> 'org.springframework.security.core.context.SecurityContextImpl@7eb37c04:
> Authentication:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7eb37c04:
> Principal: com.clb.genomic.lyon.model.User@1b2c4d8f; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c:
> RemoteIpAddress: 192.168.154.20; SessionId:
> E644740185BC8E28272BD4F80751D445; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN' 18:01:56,040 DEBUG FilterChainProxy:337 -
> /j_spring_security_logout at position 2 of 11 in additional filter
> chain; firing Filter: 'ConcurrentSessionFilter' 18:01:56,040 DEBUG
> FilterChainProxy:337 - /j_spring_security_logout at position 3 of 11
> in additional filter chain; firing Filter: 'LogoutFilter' 18:01:56,040
> DEBUG LogoutFilter:93 - Logging out user
> 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7eb37c04:
> Principal: com.clb.genomic.lyon.model.User@1b2c4d8f; Credentials:
> [PROTECTED]; Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c:
> RemoteIpAddress: 192.168.154.20; SessionId:
> E644740185BC8E28272BD4F80751D445; Granted Authorities: ROLE_ADMIN_NGS,
> ROLE_GUEST_CGH, ROLE_ADMIN' and transferring to logout destination
> 18:01:56,040 DEBUG SecurityContextLogoutHandler:62 - Invalidating
> session: 3694308C7FCA68AC5FFD1E442464FE50 18:01:56,040 DEBUG
> HttpSessionEventPublisher:83 - Publishing event:
> org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@65447c32]
> 18:01:56,041 DEBUG SessionRegistryImpl:156 - Removing session
> 3694308C7FCA68AC5FFD1E442464FE50 from principal's set of registered
> sessions 18:01:56,041 DEBUG SessionRegistryImpl:164 - Removing
> principal com.clb.genomic.lyon.model.User@1b2c4d8f from registry
> 18:01:56,041 DEBUG SimpleUrlLogoutSuccessHandler:107 - Using default
> Url: /Login 18:01:56,041 DEBUG DefaultRedirectStrategy:36 -
> Redirecting to '/Lyric/Login' 18:01:56,041 DEBUG
> HttpSessionSecurityContextRepository:269 - SecurityContext is empty or
> contents are anonymous - context will not be stored in HttpSession.
> 18:01:56,042 DEBUG SecurityContextPersistenceFilter:97 -
> SecurityContextHolder now cleared, as request processing completed
> 18:01:56,045 DEBUG FilterChainProxy:337 - /Login at position 1 of 11
> in additional filter chain; firing Filter:
> 'SecurityContextPersistenceFilter' 18:01:56,045 DEBUG
> HttpSessionSecurityContextRepository:127 - No HttpSession currently
> exists 18:01:56,045 DEBUG HttpSessionSecurityContextRepository:85 - No
> SecurityContext was available from the HttpSession: null. A new one
> will be created. 18:01:56,046 DEBUG FilterChainProxy:337 - /Login at
> position 2 of 11 in additional filter chain; firing Filter:
> 'ConcurrentSessionFilter' 18:01:56,046 DEBUG FilterChainProxy:337 -
> /Login at position 3 of 11 in additional filter chain; firing Filter:
> 'LogoutFilter' 18:01:56,046 DEBUG FilterChainProxy:337 - /Login at
> position 4 of 11 in additional filter chain; firing Filter:
> 'UsernamePasswordAuthenticationFilter' 18:01:56,046 DEBUG
> FilterChainProxy:337 - /Login at position 5 of 11 in additional filter
> chain; firing Filter: 'BasicAuthenticationFilter' 18:01:56,046 DEBUG
> FilterChainProxy:337 - /Login at position 6 of 11 in additional filter
> chain; firing Filter: 'RequestCacheAwareFilter' 18:01:56,046 DEBUG
> FilterChainProxy:337 - /Login at position 7 of 11 in additional filter
> chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
> 18:01:56,046 DEBUG FilterChainProxy:337 - /Login at position 8 of 11
> in additional filter chain; firing Filter:
> 'AnonymousAuthenticationFilter' 18:01:56,047 DEBUG
> AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder
> with anonymous token:
> 'org.springframework.security.authentication.AnonymousAuthenticationToken@90554a14:
> Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated:
> true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc:
> RemoteIpAddress: 192.168.154.20; SessionId: null; Granted Authorities:
> ROLE_ANONYMOUS' 18:01:56,047 DEBUG FilterChainProxy:337 - /Login at
> position 9 of 11 in additional filter chain; firing Filter:
> 'SessionManagementFilter' 18:01:56,047 DEBUG FilterChainProxy:337 -
> /Login at position 10 of 11 in additional filter chain; firing Filter:
> 'ExceptionTranslationFilter' 18:01:56,047 DEBUG FilterChainProxy:337 -
> /Login at position 11 of 11 in additional filter chain; firing Filter:
> 'FilterSecurityInterceptor' 18:01:56,047 DEBUG
> AntPathRequestMatcher:116 - Checking match of request : '/login';
> against '/loginsucess*' 18:01:56,047 DEBUG AntPathRequestMatcher:116 -
> Checking match of request : '/login'; against '/login' 18:01:56,048
> DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation:
> URL: /Login; Attributes: [hasRole('ROLE_ANONYMOUS')] 18:01:56,048
> DEBUG FilterSecurityInterceptor:310 - Previously Authenticated:
> org.springframework.security.authentication.AnonymousAuthenticationToken@90554a14:
> Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated:
> true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc:
> RemoteIpAddress: 192.168.154.20; SessionId: null; Granted Authorities:
> ROLE_ANONYMOUS 18:01:56,048 DEBUG AffirmativeBased:65 - Voter:
> org.springframework.security.web.access.expression.WebExpressionVoter@6479b43f,
> returned: 1 18:01:56,048 DEBUG FilterSecurityInterceptor:215 -
> Authorization successful 18:01:56,049 DEBUG
> FilterSecurityInterceptor:227 - RunAsManager did not change
> Authentication object 18:01:56,049 DEBUG FilterChainProxy:323 - /Login
> reached end of additional filter chain; proceeding with original chain
> 18:01:56,145 DEBUG HttpSessionEventPublisher:66 - Publishing event:
> org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@2fa28842]
> 18:01:56,152 DEBUG HttpSessionSecurityContextRepository:269 -
> SecurityContext is empty or contents are anonymous - context will not
> be stored in HttpSession. 18:01:56,152 DEBUG
> ExceptionTranslationFilter:115 - Chain processed normally 18:01:56,152
> DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now
> cleared, as request processing completed
asked Oct 11 '13 13:10

ZheFrench


1 Answer

You have a custom principal object (of type com.clb.genomic.lyon.model.User) which will be used as the SessionRegistry key. The most likely reason for what you're seeing is that you haven't implemented hashCode and equals for this class and thus the registry doesn't know that the two instances are for the same principal.

The best way to do this without causing any problems is to implement the methods using the username as the only data (see the default User object for an example).

You should probably also implement toString to at least output the username as it will make reading debug logs easier.

answered Oct 13 '22 18:10

Shaun the Sheep
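
The diagnosis in the answer above, as an added example that is not part of the original answer or Spring Security's own code: in the question's logs the two logins print as User@654f8017 and User@1b2c4d8f, which a principal-keyed registry treats as two unrelated keys. MiniRegistry is a simplified stand-in for such a registry, and IdentityUser, UsernameUser, the user name and the session ids are hypothetical.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

public class PrincipalEqualityDemo {

    /** Principal without equals/hashCode: two instances for one account never compare equal. */
    static class IdentityUser {
        final String username;
        IdentityUser(String username) { this.username = Objects.requireNonNull(username); }
    }

    /** Principal whose equality is defined on the username only, as the answer recommends. */
    static class UsernameUser {
        final String username;
        UsernameUser(String username) { this.username = Objects.requireNonNull(username); }

        @Override
        public boolean equals(Object o) {
            if (this == o) return true;
            if (!(o instanceof UsernameUser)) return false;
            return username.equals(((UsernameUser) o).username);
        }

        @Override
        public int hashCode() { return username.hashCode(); }

        // Makes debug logs show the account name instead of Class@identityHash.
        @Override
        public String toString() { return "User[" + username + "]"; }
    }

    /** Simplified stand-in (assumption) for a registry mapping principal -> session ids. */
    static class MiniRegistry {
        private final Map<Object, Set<String>> sessions = new HashMap<>();
        private final int maxSessions;

        MiniRegistry(int maxSessions) { this.maxSessions = maxSessions; }

        /** Refuses the login (returns false) when the principal already holds maxSessions. */
        synchronized boolean register(Object principal, String sessionId) {
            Set<String> ids = sessions.computeIfAbsent(principal, p -> new HashSet<>());
            if (ids.size() >= maxSessions) return false;
            ids.add(sessionId);
            return true;
        }

        /** Number of distinct principals the registry believes are logged in. */
        synchronized int principalCount() { return sessions.size(); }
    }

    public static void main(String[] args) {
        // Every login builds a fresh principal object, as a database-backed user service does.
        MiniRegistry withoutEquals = new MiniRegistry(1);
        boolean first = withoutEquals.register(new IdentityUser("alice"), "session-A");
        boolean second = withoutEquals.register(new IdentityUser("alice"), "session-B");
        System.out.println("identity principal: first=" + first + ", second=" + second
                + ", principals tracked=" + withoutEquals.principalCount());

        MiniRegistry withEquals = new MiniRegistry(1);
        first = withEquals.register(new UsernameUser("alice"), "session-A");
        second = withEquals.register(new UsernameUser("alice"), "session-B");
        System.out.println("username principal: first=" + first + ", second=" + second
                + ", principals tracked=" + withEquals.principalCount());
    }
}
```

With the identity-based principal the registry tracks each login under its own key, so a max-sessions limit of 1 is never reached; with username-based equality both logins resolve to the same key and the limit applies.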