ConcurrentLogin SessionRegistryUtils



balaviswa
Feb 16th, 2006, 11:04 PM
First off let me thank Ben and the team for an awesome job.
I have been using acegi with CAS 2 for a while now and today I decided to implement concurrent login restriction.

I use the stock CasAuthenticationProvider supplied with acegi and tie it to the authenticationManager.

I upgraded to Acegi ver 1.0 RC2 and configured the concurrentSessionFilter, HttpSessionEventPublisher and added the concurrentSessionController bean appropriately as outlined in the docs: http://acegisecurity.org/docbook/acegi.html#security-authentication-concurrent-login

However, I got an IllegalStateException (Authentication.getDetails()) when I tried to log in, thrown from SessionRegistryUtils.
Upon digging further I found that the CasAuthenticationToken does not override the method getDetails, and hence getDetails() is getting invoked from its parent class - AbstractAuthenticationToken. Unfortunately, the CASAuthentication token's constructor does not update the details object of the parent and hence, it comes out as null. Is this intentional?
For now, I have overridden the method in CasAuthenticationToken to return the appropriate UserDetails Object and it is working as desired.

Luke Taylor
Feb 19th, 2006, 04:43 PM
Hi,

Thanks for reporting this. I've opened a JIRA issue:

http://opensource2.atlassian.com/projects/spring/browse/SEC-192

airwave209
Mar 28th, 2006, 10:44 AM
Sorry for bumping this back up... but it seems the same problem exists with the TokenBasedRememberMeServices too.

Using Acegi 1.0 RC2 + Spring 2.0M3.

After the browser received the remember me cookie, when I tried to access the webapp again (the resources which are guarded by Acegi), I received an IllegalArgumentException, saying Authentication.getDetails() required.

The server log said: [trimmed to show meaningful lines only]


java.lang.IllegalArgumentException: Authentication.getDetails() required
at org.springframework.util.Assert.notNull(Assert.java:116)
at org.acegisecurity.concurrent.SessionRegistryUtils.obtainSessionIdFromAuthentication(SessionRegistryUtils.java:48)
at org.acegisecurity.concurrent.ConcurrentSessionControllerImpl.checkAuthenticationAllowed(ConcurrentSessionControllerImpl.java:100)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:209)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:131)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:246)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:220)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:120)


I suppose the Remember me services and AuthenticationFilter are configured properly.

Any ideas? Have I missed something? Is the problem with Spring 2 (I don't know, as I only added remember me recently)? Or is it just the same problem as above?

TIA

Ben Alex
Apr 14th, 2006, 06:21 AM
Probably the same, or a similar, problem. We did look at these areas of the code post-RC2 and think we got them all. If you could maybe try with CVS HEAD and report back your success, we can be sure if it has been fully corrected. TIA.

nonak
Jul 3rd, 2007, 08:38 AM
Hello,

I am using CAS combined with Acegi and I'm facing a similar issue to this one. I get the following exception:



java.lang.IllegalArgumentException: Authentication.getDetails() required
at org.springframework.util.Assert.notNull(Assert.java:112)
at org.acegisecurity.concurrent.SessionRegistryUtils.obtainSessionIdFromAuthentication(SessionRegistryUtils.java:47)
at org.acegisecurity.concurrent.ConcurrentSessionControllerImpl.checkAuthenticationAllowed(ConcurrentSessionControllerImpl.java:90)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:189)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
at org.acegisecurity.ui.cas.CasProcessingFilter.attemptAuthentication(CasProcessingFilter.java:76)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:199)



I checked the code quickly and something is odd. The "AbstractAuthenticationManager" performs the "authenticate" method as follows:



Authentication authResult = doAuthentication(authRequest);
copyDetails(authRequest, authResult);


However, if I follow the "doAuthentication" call I end up with the SessionRegistryUtils testing if the "details" is not null (as you can see from the trace).

The problem is that (at least it seems to me) the details is only populated in the copyDetails method which has not yet been called.

Hope my explanations were clear :D
Thanks for your help.

zeroc
Dec 6th, 2007, 07:44 AM
Hello,

I'm facing the same issue as the poster before. Seems like the problem still exists in 1.0.5.

Best regards,
Wadim

Luke Taylor
Dec 6th, 2007, 12:03 PM
What AuthenticationProvider are you using? This will control whether the authentication details object is transferred from the authentication request to the successful authentication token.

zeroc
Dec 7th, 2007, 03:01 AM
Luke,

thanks for your reply. I'm using CasAuthenticationProvider, with DaoCasAuthoritiesPopulator and my own userDetailsService implementation.

Here are the details of that implementation:
http://forum.springframework.org/showthread.php?t=47094

Without concurrentSessionController everything works fine.

Best regards,
Wadim

Luke Taylor
Dec 7th, 2007, 07:18 AM
Looks like this is a problem with providers which aren't based on AbstractUserDetailsAuthenticationProvider. I've opened an issue for it to be investigated further:

http://opensource.atlassian.com/projects/spring/browse/SEC-618

Luke Taylor
Dec 7th, 2007, 07:20 AM
A temporary workaround would be to extend the provider class and override the doAuthentication() method to call the superclass and then copy the authentication details object across to the returned authentication object.
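
Added example, not part of any post above and not Acegi code: a stand-alone Java model of the ordering shown in the stack traces (the concurrent-session check runs inside doAuthentication, before copyDetails) and of the workaround of copying the details onto the provider's result before it is returned. The class DetailsOrderingDemo, the Token type, the method names and the sample values are hypothetical stand-ins constructed for illustration.

```java
import java.util.function.UnaryOperator;

// Stand-in types modelled on the thread; these are NOT the Acegi classes.
public class DetailsOrderingDemo {
    static class Token {
        final String principal;
        Object details;
        Token(String principal, Object details) { this.principal = principal; this.details = details; }
    }

    // Models the Assert.notNull in SessionRegistryUtils seen in the traces.
    static void checkAuthenticationAllowed(Token result) {
        if (result.details == null)
            throw new IllegalArgumentException("Authentication.getDetails() required");
    }

    // Models a provider that builds a fresh token and does not carry the
    // request's details over (the behaviour reported for the CAS provider).
    static Token casLikeProvider(Token request) { return new Token(request.principal, null); }

    // Workaround: wrap the provider and copy the details onto its result
    // before the manager's concurrent-session check sees it.
    static UnaryOperator<Token> copyingDetails(UnaryOperator<Token> provider) {
        return request -> {
            Token result = provider.apply(request);
            if (result.details == null) result.details = request.details;
            return result;
        };
    }

    // Models the manager: provider call and session check happen first,
    // the details copy only afterwards.
    static Token authenticate(UnaryOperator<Token> provider, Token request) {
        Token result = provider.apply(request);   // inside doAuthentication
        checkAuthenticationAllowed(result);       // still inside doAuthentication
        if (result.details == null) result.details = request.details; // copyDetails, too late
        return result;
    }

    public static void main(String[] args) {
        Token request = new Token("alice", "constructed-session-details");
        try {
            authenticate(DetailsOrderingDemo::casLikeProvider, request);
        } catch (IllegalArgumentException e) {
            System.out.println("unpatched provider: " + e.getMessage());
        }
        Token ok = authenticate(copyingDetails(DetailsOrderingDemo::casLikeProvider), request);
        System.out.println("wrapped provider: details=" + ok.details);
    }
}
```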