Hi All,
We have a web application and from time to time, when a user clicks on a link, we seem to lose the securityContext. Spring Security then automatically redirects to the login page.
This is the securityContext when everything is correct:
Code:
timestamp=[01/Jun/2012:14:55:11 +0200] sessionId=3351B849FA8F455938587DB103B12DE6 uri="/obfuscated/history.action" org.springframework.security.core.context.SecurityContextImpl@33e50dc8: Authentication: ...
This is the securityContext when we lose the context:
Code:
timestamp=[01/Jun/2012:14:55:25 +0200] sessionId=3351B849FA8F455938587DB103B12DE6 uri="/obfuscated/summary.action" org.springframework.security.core.context.SecurityContextImpl@ffffffff: Null authentication
As you can see there are only 14 seconds between the two clicks, so no timeout has occurred.
This problem is really annoying because we can't reproduce this at will so finding a solution is really hard.
Here is some more information.
The application runs in JBoss 5.1 GA.
The XML file is as follows:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http use-expressions="true">
        <anonymous enabled="false" />
        <!-- Static content mapping -->
        <intercept-url pattern="/images/**" access="permitAll" filters="none"/>
        <intercept-url pattern="/struts/**" access="permitAll" filters="none"/>
        <!-- other mappings -->
        <session-management invalid-session-url="/timeout.action"/>
        <logout logout-url="/logout" logout-success-url="${logout.url}"/>
        <form-login login-page="/login/login.action" />
        <access-denied-handler ref="accessDeniedHandler"/>
    </http>

    <beans:bean id="acceptAllAuthenticationProvider" class="com.obfuscated.AcceptAllAuthenticationProvider" />

    <beans:bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
        <beans:property name="errorPage" value="/accessDenied.action"/>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="acceptAllAuthenticationProvider" />
    </authentication-manager>

</beans:beans>
This is the filter chain (DelegatingFilterProxy line 167):
Code:
[ApplicationFilterConfig[name=CommonHeadersFilter, filterClass=org.jboss.web.tomcat.filters.ReplyHeaderFilter],
 ApplicationFilterConfig[name=springSecurityFilterChain, filterClass=org.springframework.web.filter.DelegatingFilterProxy],
 ApplicationFilterConfig[name=securedHttpFilter, filterClass=com.obfuscated.SecuredHttpFilter],
 ApplicationFilterConfig[name=CacheOffFilter, filterClass=com.obfuscated.CacheOffFilter],
 ApplicationFilterConfig[name=encodingFilter, filterClass=org.springframework.web.filter.CharacterEncodingFilter],
 ApplicationFilterConfig[name=struts2, filterClass=org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter],
 null, null, null, null]
This is the delegateToUse (DelegatingFilterProxy line 167):
Code:
FilterChainProxy[
  UrlMatcher = org.springframework.security.web.util.AntUrlPathMatcher[requiresLowerCase='true'];
  Filter Chains: {
    /images/**=[], /struts/**=[], /css/**=[], /js/**=[], /favicon.ico=[], /index.html=[], /login.jsp=[],
    /timeout.action=[], /illegalcharacter.action=[], /login/**=[], /poll/**=[],
    /**=[org.springframework.security.web.context.SecurityContextPersistenceFilter@147e1,
         org.springframework.security.web.authentication.logout.LogoutFilter@163b25,
         org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@18538c1,
         org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1512c9c,
         org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@47db5e,
         org.springframework.security.web.session.SessionManagementFilter@19331e8,
         org.springframework.security.web.access.ExceptionTranslationFilter@b1b6c0,
         org.springframework.security.web.access.intercept.FilterSecurityInterceptor@1551d8f]
  }
]
We don't use the Spring Security mechanism to log in, but when the user has successfully connected we execute the following piece of code:
Code:
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// token is the Authentication built for the user; putSessionObject stores the
// context in the HttpSession under the key SecurityContextPersistenceFilter reads
SecurityContextHolder.getContext().setAuthentication(token);
putSessionObject(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
                 SecurityContextHolder.getContext());
Am I missing something somewhere in order for this to work correctly?
If you need more information, please ask.
Regards,
Tom.
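The post above logs the context only from inside the application. Because the log shows the same session id on both clicks, the first thing a practitioner would want to know is what the session attribute SPRING_SECURITY_CONTEXT looks like immediately before SecurityContextPersistenceFilter loads it and immediately after that filter has saved it back, on every request. The following is an added example written for this reply; it is not code from the original post or from Spring Security. It assumes a Spring Security 3.0 / Servlet 2.5 setup as in the post, and the class name, log format and web.xml placement are choices for the example. The second method is the programmatic-login shape that HttpSessionSecurityContextRepository expects (a fresh SecurityContext set on the holder and the same object put in the session).

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/**
 * Hypothetical diagnostic filter (example for this reply, not the poster's code).
 * Map it in web.xml BEFORE springSecurityFilterChain so it runs outside Spring
 * Security's own chain: at entry it sees the session attribute that
 * SecurityContextPersistenceFilter is about to load, and once chain.doFilter()
 * returns it sees whatever that filter saved (or removed) for the next request.
 */
public class SecurityContextTraceFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SecurityContextTraceFilter.class.getName());

    // "SPRING_SECURITY_CONTEXT": the session attribute the persistence filter reads and writes
    private static final String KEY = HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String uri = request.getRequestURI();
        String before = describe(request);   // state left behind by the previous request
        try {
            chain.doFilter(req, res);
        } finally {
            // SecurityContextPersistenceFilter has finished its save by now
            String after = describe(request);
            if (!before.equals(after)) {
                // a transition (e.g. "tom" -> "null-authentication" or "attribute-absent")
                // pinpoints the request on which the context was lost
                LOG.warning("SEC-TRACE uri=" + uri + " entry=" + before + " exit=" + after);
            }
        }
    }

    /** Summarise the stored context without creating a session as a side effect. */
    static String describe(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return "no-session";
        }
        Object stored = session.getAttribute(KEY);
        if (!(stored instanceof SecurityContext)) {
            return session.getId() + ":attribute-" + (stored == null ? "absent" : "wrong-type");
        }
        Authentication auth = ((SecurityContext) stored).getAuthentication();
        return session.getId() + ":" + (auth == null ? "null-authentication" : auth.getName());
    }

    /**
     * Programmatic login in the form HttpSessionSecurityContextRepository expects:
     * a fresh context on the current thread and the same object in the session,
     * so SecurityContextPersistenceFilter loads it back on the next request.
     * Call this from the application's own login handler after it has built the token.
     */
    static void storeAuthentication(HttpServletRequest request, Authentication token) {
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(token);
        SecurityContextHolder.setContext(context);
        request.getSession(true).setAttribute(KEY, context);
    }
}
```

Register the filter with a filter-mapping for /* placed above the springSecurityFilterChain mapping in web.xml. Because it sits outside the Spring Security chain it also traces the URLs that the configuration above marks filters="none", so a transition logged on one of those requests tells you the session attribute changed while Spring Security was not even running for that URL; a transition on an /**-matched request narrows it to what happened between the persistence filter's load and save on that single request.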