
Thread: Using pre-auth scenario, user details in SS does NOT change when user logs out.

#1 (original poster)

    In our company we have a filter that implements security and puts information like username and granted authorities as header values. I've written a custom RequestHeaderAuthenticationFilter and UserDetailsService to extract this information from the HttpRequestHeader and put it in the UserDetails object. This is my applicationContext-security file:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans 
    	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    	<http use-expressions="true">
    		<intercept-url pattern="/showaddmsgtype.htm"
    			access="hasRole('weText.update')" />
    		<intercept-url pattern="/addmsgtype.htm"
    			access="hasRole('weText.update')" />
    		<intercept-url pattern="/modmsgtype.htm"
    			access="hasRole('weText.update')" />
    		<intercept-url pattern="/delmsgtype.htm"
    			access="hasRole('weText.update')" />
    		<intercept-url pattern="/authenticator/authenticatorFailed.html" filters="none" />
    		<intercept-url pattern="/authenticator/personalKeyFailed.html" filters="none" />
    		<intercept-url pattern="/authenticator/userLocked.html" filters="none" />
    		<intercept-url pattern="/authenticator/userNotAuthorized.html" filters="none" />
    		<intercept-url pattern="/authenticator/userPwdIncorrect.html" filters="none" />
    		<intercept-url pattern="/authenticator/userInactive.html" filters="none" />
    		<intercept-url pattern="/authenticator/images/**" filters="none" />
    		<intercept-url pattern="/images/**" filters="none" />
    		<intercept-url pattern="/scripts/**" filters="none" />
    		<intercept-url pattern="/styles/**" filters="none" />
    		<intercept-url pattern="/Logout" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.AuthContentServlet/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.AuthenticatorClientProperties/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.AuthenticatorCookieGateway/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.ReloadFileIndexMap/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.LogFileServlet/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.SynchServlet/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.CheckChangePasswordServlet/**" filters="none" />
    		<intercept-url pattern="/servlet/walgreens.authenticator.webclient.CheckLoginServlet" filters="none" />
    		<intercept-url pattern="/**" access="permitAll" />
    		<custom-filter position="PRE_AUTH_FILTER" ref="authenticatorFilter" />
    		<form-login />
    
    	</http>
    
    	<beans:bean id="authenticatorFilter"
    		class="walgreens.user.details.WalgreensRequestHeaderAuthenticationFilter">
    		<beans:property name="authenticationManager"
    			ref="authenticationManager" />
    	</beans:bean>
    
    	<beans:bean id="preauthAuthProvider"
    		class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    		<beans:property name="preAuthenticatedUserDetailsService">
    			<beans:bean id="userDetailsServiceWrapper"
    				class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
    				<beans:property name="userDetailsService"
    					ref="userDetailsService" />
    			</beans:bean>
    		</beans:property>
    	</beans:bean>
    
    	<beans:bean id="userDetailsService" class="walgreens.user.details.WalgreensUserDetailsService" />
    
    	<authentication-manager alias="authenticationManager">
    		<authentication-provider ref="preauthAuthProvider" />
    	</authentication-manager>
    
    </beans:beans>
    The intercept-urls at the beginning are for various pages and servlets that our own authentication software needs.

    This works just great when you log in. However, if you log out (using our own servlet for the purpose, which works with our own security and knows nothing about Spring Security) and then log back in as someone else, the user details you get are those of the previous user. I know there is supposed to be a filter that clears this stuff out at the end of the request, but I was under the impression that the namespace would put this filter in automatically.

    What do I need to do to make my custom filter run on each and every request and how do I configure the applicationContext-security.xml to accomplish this?

#2 Luke Taylor (Acegi Security System Team / Spring Team)

    It depends what you mean by "log out". If you are handling logging out, it's up to you to make sure the session is invalidated. If it isn't, then you are still using the same security context on a subsequent request.

    If you want to detect whether the principal changes within the same session, then set the checkForPrincipalChanges property to true.

#3 (original poster)

    Quote Originally Posted by Luke Taylor:
    It depends what you mean by "log out". If you are handling logging out, it's up to you to make sure the session is invalidated. If it isn't, then you are still using the same security context on a subsequent request.

    If you want to detect whether the principal changes within the same session, then set the checkForPrincipalChanges property to true.
    Thanks. I set the properties to check for principal change and invalidate the session when it does, and that did the trick.
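The fix the thread ends on, written out as an added example rather than the poster's own file or a Spring sample. It assumes `WalgreensRequestHeaderAuthenticationFilter` extends Spring Security's `AbstractPreAuthenticatedProcessingFilter` (directly or through `RequestHeaderAuthenticationFilter`), which is where the two properties live. Only the `authenticatorFilter` bean changes; the rest of the posted applicationContext-security.xml stays as it is.

```xml
<!-- Added example: the authenticatorFilter bean from the posted config with the
     two properties that make the filter notice a user change within one session. -->
<beans:bean id="authenticatorFilter"
	class="walgreens.user.details.WalgreensRequestHeaderAuthenticationFilter">
	<beans:property name="authenticationManager" ref="authenticationManager" />

	<!-- Default (false): once the session's SecurityContext holds an
	     Authentication, the pre-auth filter skips the request entirely, so a
	     logout done outside Spring Security leaves the old user in place.
	     true: the principal taken from the request header is compared on every
	     request against the name of the current Authentication. -->
	<beans:property name="checkForPrincipalChanges" value="true" />

	<!-- When a change is detected, invalidate the existing HttpSession before
	     authenticating the new principal, so no session attributes or the
	     previous SecurityContext carry over to the new user. -->
	<beans:property name="invalidateSessionOnPrincipalChange" value="true" />
</beans:bean>
```

Two things to keep in mind with this setting. The comparison is on the principal name, so a request carrying the same user but a different set of roles in the header is not re-authenticated; those authorities stay as they were until the session ends or the user changes. And because the filter trusts the header unconditionally, the deployment has to guarantee that only the fronting authentication component can set it and that client-supplied copies of the header are stripped, otherwise anyone who can reach the application directly can name their own principal.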
