Hi, I am using Spring Security 2.0.6. When many requests are sent continuously, I see that for a particular user the security context value is changed, and when I retrieve the user from the security context I get a different user from the one that was authenticated.

Let me give the scenario: we are continuously firing requests with a constant username, and if a simultaneous request with a different user is fired, we face this problem.

Note: This scenario is not reproduced for all requests; it is intermittent.

Could you please help me with this issue? That would be very helpful.

Thanks,



My XML configuration
Code:
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:security="http://www.springframework.org/schema/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">



	<!-- ****** START Spring Security Configuration ******* -->
	<!-- ======================== FILTER CHAIN ======================= -->

	<!-- <security:global-method-security secured-annotations="enabled" /> -->
	
		<!-- Custom AuthenticationProvider; the nested <security:custom-authentication-provider/> marker
		     asks the security namespace to add this bean to the authentication manager's provider list.
		     No scope is declared, so one instance of this bean serves every request thread.
		     NOTE(review): controllers.UserDetailsAuthenticationProvider is not shown here. Confirm it keeps
		     no per-request data (username, credentials, details, loaded user) in instance or static fields;
		     state held that way can be overwritten by a concurrent login and would match the
		     intermittent "wrong user" symptom described in this post. -->
		<bean id="customAuthProvider" class="controllers.UserDetailsAuthenticationProvider">
    <security:custom-authentication-provider/>
	</bean>
	<!-- Supplies the "details" object for authentication requests; it is wired into the
	     basicProcessingFilter bean through its authenticationDetailsSource property.
	     Declared without a scope, so one instance is shared by all request threads.
	     NOTE(review): implementation not shown; confirm it builds a new details object per request
	     and caches nothing between calls. -->
	<bean id="myWebAuthenticationDetailsSource" class="controllers.MyWebAuthenticationDetailsSource"/>
	

	<!-- Namespace-based web security: unauthenticated requests are handed to the Basic-auth entry point.
	     NOTE(review): this element makes the namespace assemble a filter chain of its own, and this file
	     also declares a hand-built "filterChainProxy" bean; web.xml (not shown) decides which one
	     actually filters requests, so check that only the intended chain is mapped.
	     NOTE(review): HTTP Basic sends the password with every request in reversible Base64, and nothing
	     here forces HTTPS (intercept-url accepts requires-channel="https" for that). -->
	<security:http
		entry-point-ref="basicProcessingFilterEntryPoint">
		<!-- Restrict URLs based on role: every path lists ROLE_USER and ROLE_ADMIN; with the namespace's
		     default role voting, holding either one is enough -->

		<security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />



	</security:http>

	<!-- Exposes the authentication manager created by the security namespace under the bean name
	     "authenticationManager", so the hand-wired beans in this file can reference it. -->
	<security:authentication-manager alias="authenticationManager" />

<!-- 	<security:authentication-provider>
		<security:user-service id="userDetailsService">
		<security:user name="anto" password="anto" authorities="ROLE_USER, ROLE_ADMIN" />
		<security:user name="bob" password="bob" authorities="ROLE_USER" />
		</security:user-service>
	</security:authentication-provider> -->

	<!-- HTTP Basic authentication filter. The custom-filter marker inserts it into the namespace filter
	     chain at the BASIC_PROCESSING_FILTER position; the same bean is also listed by name in the
	     "filterChainProxy" bean's filter list. -->
	<bean id="basicProcessingFilter"
		class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
		<security:custom-filter  position="BASIC_PROCESSING_FILTER" /> 
		<!-- Application-specific source of the details object attached to each authentication -->
		<property name="authenticationDetailsSource" ref="myWebAuthenticationDetailsSource" />
		<property name="authenticationManager" ref="authenticationManager" />
		<!-- Same entry point bean that <security:http> references -->
		<property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint" />
	</bean>

	<!-- Entry point that answers unauthenticated requests with an HTTP Basic challenge;
	     realmName is the realm string sent to the client in that challenge. -->
	<bean id="basicProcessingFilterEntryPoint"
		class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
		<property name="realmName" value="MyRealm" />
	</bean>


	<!-- Hand-built filter chain applied to every path, in this order: restore the SecurityContext from
	     the HTTP session, Basic authentication, exception translation, URL authorization.
	     NOTE(review): <security:http> in this file already generates a chain with filters of the same
	     kinds. Whether this bean is used at all depends on the filter name mapped in web.xml
	     (not shown); if both chains were mapped, each request would pass through two sets of
	     security filters. Keep one style of configuration. -->
	<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
	<security:filter-chain-map path-type="ant">
		<security:filter-chain pattern="/**" filters="
			httpSessionContextIntegrationFilterWithASCTrue,
			basicProcessingFilter, exceptionTranslationFilter,
		    filterSecurityInterceptor " />
	</security:filter-chain-map>
	
	</bean>
	

	<!-- Loads the SecurityContext from the HttpSession at the start of each request and stores it back
	     at the end; allowSessionCreation=true lets the filter create a session to hold it.
	     NOTE(review): requests that carry the same session cookie share whatever is stored in that
	     session. By default this filter hands the session's SecurityContext object itself (not a copy)
	     to each request thread, so if a load-test client reuses one JSESSIONID for two different
	     users, a login on one thread can change the user seen on another. Check the client's cookie
	     handling, and see the filter's cloneFromHttpSession property (it depends on the
	     SecurityContext class being cloneable - verify against the 2.0.6 Javadoc). -->
	<bean id="httpSessionContextIntegrationFilterWithASCTrue"
		class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
		<property name="allowSessionCreation" value="true" />
	</bean>


	<!-- Handles security exceptions raised further down the chain: an unauthenticated caller is
	     passed to the Basic entry point, and an access-denied failure goes to the
	     access-denied handler. -->
	<bean id="exceptionTranslationFilter"
		class="org.springframework.security.ui.ExceptionTranslationFilter">
		<!-- ref attribute is shorthand for a nested <ref bean="..."/> element -->
		<property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint" />
		<!-- Anonymous inner bean: the stock handler with no further properties set -->
		<property name="accessDeniedHandler">
			<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl" />
		</property>
	</bean>
	



	<!-- Last filter in the hand-built chain: authorizes each request URL. Every path is mapped to
	     ROLE_USER,ROLE_ADMIN and the decision is delegated to the "accessDecisionManager" bean.
	     NOTE(review): this repeats the rule already declared inside <security:http>; the two copies
	     must be kept in step if both chains stay in the file. -->
	<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">

		<property name="authenticationManager" ref="authenticationManager" />
		<property name="accessDecisionManager" ref="accessDecisionManager" />
		<property name="objectDefinitionSource">
		
		<security:filter-invocation-definition-source>
			<security:intercept-url pattern="/**"
				access="ROLE_USER,ROLE_ADMIN" />
		</security:filter-invocation-definition-source>
	
		</property>
	</bean>


	<!-- AffirmativeBased grants access as soon as one voter votes to grant, so with the RoleVoter a
	     caller holding either ROLE_USER or ROLE_ADMIN passes a rule that lists both. -->
	<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
		<property name="decisionVoters">
			<list>
				<!-- "local" requires the referenced bean to be defined in this same XML file -->
				<ref local="roleVoter" />
				<bean class="org.springframework.security.vote.AuthenticatedVoter" />
			</list>
		</property>
	</bean>

	<!-- Votes on configuration attributes that start with "ROLE_" by comparing them with the
	     authorities granted to the caller. -->
	<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter" />

	<!-- ****** END SPRING Security Configuration ******* -->

	<!-- Application database connection (MySQL on localhost, schema "springacegi").
	     NOTE(review): the account named root (MySQL's default administrative account) and its password
	     are written in clear text in this file. Use a dedicated least-privilege account, load the
	     credentials from outside the application context, and change this password if it is used
	     on any real system.
	     NOTE(review): DriverManagerDataSource does no connection pooling and opens a new connection
	     each time one is requested; it is intended for tests and simple setups rather than a
	     server under concurrent load. -->
	<bean id="dataSource"
		class="org.springframework.jdbc.datasource.DriverManagerDataSource">
		<property name="driverClassName" value="com.mysql.jdbc.Driver" />
		<property name="url" value="jdbc:mysql://localhost:3306/springacegi" />
		<property name="username" value="root" />
		<property name="password" value="root" />
	</bean>



</beans>