
Thread: Security Session Issue in IE 8

  1. #1
    Security Session Issue in IE 8

    Hi,
    We are using JBoss 7 and Spring Security 3.0.5. The security code works fine in the Firefox browser, but when I try to access the application through IE8 the code doesn't work. I debugged the issue and found that the session information is not available to IE8, i.e., after entering the correct credentials it redirects back to the login page. I added a debug statement to my custom SavedRequestAwareAuthenticationSuccessHandler to log whether the user logged in successfully or not, and it does log that the user logged in successfully, but IE8 doesn't have that information and doesn't allow the user to access any other pages either (I manually entered the URL).

    I deployed the same war file on the MyEclipse 8.1 internal Tomcat server, and it works fine in both IE8 and Firefox.

    Any idea what the problem might be, and any suggestion on how to fix it?

  2. #2


    I don't think this is going to be a browser issue or anything specific to jboss vs tomcat. We're talking about a session here... Similarly, there's nothing browser specific in spring security.

    I would look at how your IE8 browser is configured with regards to security first, and then look to see what customized code you might have on the JBoss server as it relates to specific browsers. For example, I suspect localhost is probably configured to be trusted where your JBoss server is not. Something like that.
    Andrew Thompson - Linked In

  3. #3


    Please provide the logs from Spring Security. Also, what do the requests/responses look like? FYI, you can use something like Live HTTP Headers or Fiddler to obtain the requests and responses.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  4. #4


    Hi,
    Thanks for your reply. I did try running the application through Fiddler in both IE8 and Firefox 3.6.22, and I observed that the JSESSIONID cookie is the same for all the requests in Firefox, whereas the JSESSIONID cookie value is different once the user has logged in successfully. I suspect some problem with the IE8 and JBoss 7 configuration regarding sessions.

    Request header to post the user credentials
    Code:
    POST http://panther:8080/mapp/j_spring_security_check HTTP/1.1
    x-requested-with: XMLHttpRequest
    Accept-Language: en-us
    Referer: http://panther:8080/mapp/Login;jsessionid=wty69fmarC-IP10LxzGGvgDC
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Host: panther:8080
    Content-Length: 41
    Connection: Keep-Alive
    Pragma: no-cache
    Response header
    Code:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=5ml4Xn9XhcM2GLrnVaeko9WH; Version=1; Path="/mapp"
    Accept-Charset: big5, big5-hkscs, compound_text..... (some long charsets)
    Content-Type: application/json
    Content-Length: 100
    Please let me know if it is something to be configured on JBoss/IE8.

  5. #5


    Can you provide all the request/responses from the request that triggers the login page to the response after login failed? Also what do the Spring Security logs look like for these requests/responses?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  6. #6


    I use an Ajax-based login. After a successful login I redirect to the next page (the Dashboard page). The login doesn't fail; the JBoss server does log the user as logged in:
    Code:
    10:49:09,375 INFO  [stdout] (http--127.0.0.1-9090-3) [ INFO] [http--127.0.0.1-9090-3 10:49:09] (AjaxAuthenticationSuccessHandler.java:onAuthenticationSuccess:75) *** User:superuser Logged in Successfully
    Here are the request/response for redirect.


    Request the redirect page
    Code:
    GET http://panther:8080/mapp/Dashboard HTTP/1.1
    Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: panther:8080
    response
    Code:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    X-Powered-By: JSP/2.2
    Cache-Control: no-store
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en
    Transfer-Encoding: chunked
    Date: Fri, 04 Nov 2011 16:34:28 GMT

  7. #7


    One more thing: take the requests/responses in IE8 against Tomcat and compare them against those of JBoss. What differs? Does either mark the cookie as HttpOnly? If that doesn't help, please post the request for the login through the response for the dashboard for both Tomcat and JBoss, clearly labeling both.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  8. #8


    Request/Response for Tomcat:
    ------------------------------------
    1) Request Login Page Header
    Code:
    GET http://localhost:8080/mapp/Login HTTP/1.1
    Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: localhost:8080
    Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
    Response
    Code:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Cache-Control: no-store
    Access-Control-Allow-Headers: x-requested-with
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en
    Transfer-Encoding: chunked
    Date: Mon, 07 Nov 2011 16:07:53 GMT
    2) Validate User Credentials Request
    Code:
    POST http://localhost:8080/mapp/j_spring_security_check HTTP/1.1
    x-requested-with: XMLHttpRequest
    Accept-Language: en-us
    Referer: http://localhost:8080/mapp/Login
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Host: localhost:8080
    Content-Length: 41
    Connection: Keep-Alive
    Pragma: no-cache
    Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
    
    j_username=abcde&j_password=abcde12
    Response
    Code:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Accept-Charset: big5, big5-hkscs, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-solaris, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1381, x-ibm1383, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp
    Content-Type: application/json
    Content-Length: 100
    Date: Mon, 07 Nov 2011 16:08:05 GMT
    3) Redirect to Dashboard page after successful login
    Code:
    GET http://localhost:8080/mapp/Dashboard HTTP/1.1
    Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Referer: http://localhost:8080/mapp/Login
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Accept-Encoding: gzip, deflate
    Host: localhost:8080
    Connection: Keep-Alive
    Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
    Response
    Code:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Cache-Control: no-store
    Access-Control-Allow-Headers: x-requested-with
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en
    Transfer-Encoding: chunked
    Date: Mon, 07 Nov 2011 16:08:05 GMT

  9. #9


    ------------------------------------------------------------------------------------------------------------------------
    Request/Response for JBOSS 7:
    ------------------------------------
    1) Request Login Page Header
    Code:
    GET http://localhost:9090/mapp/Login HTTP/1.1
    Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: localhost:9090
    Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
    Response
    Code:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    X-Powered-By: JSP/2.2
    Set-Cookie: JSESSIONID=-sYWpiq9yiwoqUn5hYPYLJQz; Version=1; Path="/mapp"
    Cache-Control: no-store
    Access-Control-Allow-Headers: x-requested-with
    Content-Type: text/html;charset=ISO-8859-1
    Content-Language: en
    Transfer-Encoding: chunked
    Date: Mon, 07 Nov 2011 16:21:07 GMT
    2) Validate User Credentials Request
    Code:
    POST http://localhost:9090/mapp/j_spring_security_check HTTP/1.1
    x-requested-with: XMLHttpRequest
    Accept-Language: en-us
    Referer: http://localhost:9090/mapp/Login
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Host: localhost:9090
    Content-Length: 41
    Connection: Keep-Alive
    Pragma: no-cache
    Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
    Response
    Code:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=P99fzDIXopRLomeg+ap8+Gyo; Version=1; Path="/mapp"
    Accept-Charset: big5, big5-hkscs, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-solaris, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1381, x-ibm1383, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp
    Content-Type: application/json
    Content-Length: 100
    Date: Mon, 07 Nov 2011 16:21:17 GMT
    3) Redirect to Dashboard page after successful login
    Code:
    GET http://localhost:9090/mapp/Dashboard HTTP/1.1
    Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Referer: http://localhost:9090/mapp/Login
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; .NET4.0C; Tablet PC 2.0; .NET4.0E)
    Accept-Encoding: gzip, deflate
    Host: localhost:9090
    Connection: Keep-Alive
    Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5
    Response
    Code:
    HTTP/1.1 302 Moved Temporarily
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=LBaJ9vi7v1n1D7+R8Kv-bw1i; Version=1; Path="/mapp"
    Location: http://localhost:9090/mapp/Login
    Content-Length: 0
    Date: Mon, 07 Nov 2011 16:21:19 GMT
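
    The two captures above line up exchange for exchange, and the difference is entirely in the cookie handling: JBoss answers every IE8 request with a freshly issued JSESSIONID in RFC 2965 syntax (Version=1 plus a quoted Path), and the browser never echoes any of those values back; it keeps sending the Version 0 cookie F2DE899300146DB940E5AA4C81948FD5 that Tomcat had set earlier. The script below is an added example, not code from this thread, from JBoss, Tomcat or Spring Security, that automates that comparison: it walks a sequence of captured request/response header blocks, reports every request that does not carry the cookie value the server issued most recently, and flags Set-Cookie attributes that either correlate with the failure or weaken the session cookie (the missing HttpOnly that Rob asked about). The header blocks are constructed from the captures above, trimmed to the relevant lines; Exchange, request_cookie, set_cookie, attribute_warnings and analyse are this example's own names.

```python
"""Session-cookie continuity check over captured HTTP header blocks.
Added example for the thread above, not code from JBoss, Tomcat or Spring
Security; every name below is this example's own."""
import re
from dataclasses import dataclass
COOKIE = "JSESSIONID"

@dataclass
class Exchange:
    label: str
    request: str   # raw request header block, request line first
    response: str  # raw response header block, status line first

def _headers(block):
    """Yield (lower-cased name, value) for each header line after the start line."""
    for line in block.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip().lower(), value.strip()

def request_cookie(block, name=COOKIE):
    """Value of `name` from the request's Cookie header, or None if not sent."""
    pattern = re.compile(r"(?:^|;\s*)" + re.escape(name) + r"=([^;]+)")
    for hname, value in _headers(block):
        if hname == "cookie":
            match = pattern.search(value)
            if match:
                return match.group(1).strip()
    return None

def set_cookie(block, name=COOKIE):
    """(value, {attribute: value}) from the response's Set-Cookie for `name`, or None."""
    for hname, value in _headers(block):
        if hname != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cname, _, cval = parts[0].partition("=")
        if cname.strip() != name:
            continue
        attrs = {}
        for part in parts[1:]:
            akey, _, aval = part.partition("=")
            attrs[akey.strip().lower()] = aval.strip()
        return cval.strip(), attrs
    return None

def attribute_warnings(attrs):
    """Set-Cookie attributes worth flagging in a session-cookie capture."""
    warns = []
    # Version=1 and a quoted Path are RFC 2965 syntax; in the IE8 captures above the
    # cookies carrying them are never echoed back (assumption: IE's parser rejects them).
    if attrs.get("version") == "1":
        warns.append("Version=1 (RFC 2965 syntax rather than Netscape/RFC 6265 style)")
    if attrs.get("path", "").startswith('"'):
        warns.append('quoted Path="..." attribute')
    if "httponly" not in attrs:
        warns.append("no HttpOnly flag, session id readable by page scripts")
    return warns

def analyse(exchanges, name=COOKIE):
    """Return (label, kind, detail) findings; kind is 'mismatch' (request did not
    carry the value the server issued most recently, session not sticking) or 'attr'."""
    findings, issued = [], None
    for ex in exchanges:
        sent = request_cookie(ex.request, name)
        if issued is not None and sent != issued:
            findings.append((ex.label, "mismatch",
                             f"browser sent {sent!r}, server last issued {issued!r}"))
        fresh = set_cookie(ex.response, name)
        if fresh:
            issued, attrs = fresh
            findings.extend((ex.label, "attr", w) for w in attribute_warnings(attrs))
    return findings

# Constructed captures: the Tomcat and JBoss exchanges posted above, trimmed
# to the start line, Host and the cookie-bearing headers.
_OLD = "Cookie: JSESSIONID=F2DE899300146DB940E5AA4C81948FD5"
TOMCAT = [
    Exchange("tomcat /Login", f"GET /mapp/Login HTTP/1.1\r\nHost: localhost:8080\r\n{_OLD}",
             "HTTP/1.1 200 OK\r\nCache-Control: no-store"),
    Exchange("tomcat /j_spring_security_check",
             f"POST /mapp/j_spring_security_check HTTP/1.1\r\nHost: localhost:8080\r\n{_OLD}",
             "HTTP/1.1 200 OK\r\nContent-Type: application/json"),
    Exchange("tomcat /Dashboard", f"GET /mapp/Dashboard HTTP/1.1\r\nHost: localhost:8080\r\n{_OLD}",
             "HTTP/1.1 200 OK\r\nCache-Control: no-store"),
]
JBOSS = [
    Exchange("jboss /Login", f"GET /mapp/Login HTTP/1.1\r\nHost: localhost:9090\r\n{_OLD}",
             'HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=-sYWpiq9yiwoqUn5hYPYLJQz; Version=1; Path="/mapp"'),
    Exchange("jboss /j_spring_security_check",
             f"POST /mapp/j_spring_security_check HTTP/1.1\r\nHost: localhost:9090\r\n{_OLD}",
             'HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=P99fzDIXopRLomeg+ap8+Gyo; Version=1; Path="/mapp"'),
    Exchange("jboss /Dashboard", f"GET /mapp/Dashboard HTTP/1.1\r\nHost: localhost:9090\r\n{_OLD}",
             'HTTP/1.1 302 Moved Temporarily\r\nSet-Cookie: JSESSIONID=LBaJ9vi7v1n1D7+R8Kv-bw1i; '
             'Version=1; Path="/mapp"\r\nLocation: http://localhost:9090/mapp/Login'),
]

if __name__ == "__main__":
    for server, capture in (("Tomcat", TOMCAT), ("JBoss", JBOSS)):
        print(f"{server}:")
        for label, kind, detail in analyse(capture):
            print(f"  {label} [{kind}] {detail}")
```

    Run against the Tomcat capture the script reports nothing, because the browser carried the same cookie throughout and the server never re-issued it; against the JBoss capture it reports a mismatch on the POST and on the Dashboard GET, plus the Version=1, quoted-Path and missing-HttpOnly attributes on each of the three Set-Cookie headers. Two caveats the captures make visible: cookies carry no port scope (RFC 6265, section 8.5), so the JSESSIONID that Tomcat set on localhost:8080 was sent to JBoss on localhost:9090, and two servers sharing one hostname will clobber each other's session cookies; compare servers on distinct hostnames. And neither server marks the session cookie HttpOnly here; on a Servlet 3.0 container (Tomcat 7, JBoss 7) that is a web.xml setting, <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>.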

  10. #10


    I got this issue resolved. The root cause was a problem with session creation in JBoss 7.0.0.
    JBoss was treating each request as new and creating a new session when the request was made through IE8/9. Upgrading to the latest version of JBoss, 7.0.2, resolved this issue.

    Thank you for your quick response.
