Hello. I have the following configuration for Spring Security:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <!-- URL access rules for the web application. intercept-url entries are matched in the
         order they are listed and the first matching pattern decides, so the catch-all
         "/**" rule has to stay last. -->
    <!-- NOTE(review): access-denied-page points at the same /index.html that serves as the
         login page, so an authenticated user who lacks ROLE_ulmart_user sees the login page
         again instead of a distinct 403 response. That makes "logged in without the role"
         hard to tell apart from "not logged in" when testing. -->
    <http access-denied-page="/index.html">
        <!-- Public resources. With the default voters IS_AUTHENTICATED_ANONYMOUSLY is granted to
             anonymous, remember-me and fully authenticated callers alike, so the extra
             ROLE_ulmart_user entry on these lines adds nothing: every caller is let through. -->
        <intercept-url pattern="/errors/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
        <intercept-url pattern="/extjs/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
        <intercept-url pattern="/locale/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
        <intercept-url pattern="/pkgs/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
        <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
        <intercept-url pattern="/tinymce/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
        <intercept-url pattern="/ulmart-constants.js" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
        <intercept-url pattern="/app-ulmart-login.js" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
        <!-- NOTE(review): the next two entries look like server-side endpoints rather than static
             files, and they are reachable without logging in. Confirm that the listener and the
             file uploader enforce their own authentication and authorization; otherwise restrict
             them to ROLE_ulmart_user here. -->
        <intercept-url pattern="/UlmartExtJSListener" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
        <intercept-url pattern="/UlmartFileUploader" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />
        <!-- The login page itself has to stay reachable for unauthenticated users. -->
        <intercept-url pattern="/index.html*" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_ulmart_user" />

        <!-- Everything not matched above requires ROLE_ulmart_user. -->
        <intercept-url pattern="/**" access="ROLE_ulmart_user" />
    
        <!-- Form login with custom success and failure handlers.
             NOTE(review): the reference documentation describes authentication-success-handler-ref
             as an alternative to always-use-default-target, so the latter presumably has no effect
             here. Confirm, and drop it if so. -->
        <form-login login-page="/index.html" authentication-failure-handler-ref="loginFailureHandler"
            authentication-success-handler-ref="loginSuccessHandler" always-use-default-target="true"/>
            
        <!-- Logout invalidates the HTTP session and removes the JSESSIONID cookie.
             NOTE(review): only JSESSIONID is named in delete-cookies. Confirm that the custom
             remember-me services also clear their cookie on logout; a remember-me cookie that
             survives logout would re-authenticate the previous user in the same browser. -->
        <logout invalidate-session="true" delete-cookies="JSESSIONID" success-handler-ref="logoutSuccessHandler"/>

        <!-- Remember-me is delegated to the custom services bean referenced by services-ref.
             NOTE(review): the key is a readable literal that is repeated on the services bean.
             It is the shared secret for remember-me authentication, so it should be a
             high-entropy value supplied from outside the committed configuration. -->
        <remember-me key="rememberMeUlmartKey" services-ref="ulmartIPTokenBasedRememberMeServicesBean" />

        <!-- Requests carrying an invalid session id are sent to the login page, and each user is
             limited to one concurrent session.
             NOTE(review): concurrency control needs HttpSessionEventPublisher registered as a
             listener in web.xml (not shown here) so the session registry learns when a session
             ends. It also compares principals, so the user object returned by userService
             presumably needs consistent equals and hashCode. Confirm both. -->
        <session-management invalid-session-url="/index.html">
            <concurrency-control max-sessions="1" />
        </session-management>
    </http>
    
    <!-- Authentication manager with a single provider: users are loaded through the userService
         bean and the submitted password is checked with the custom encoder, salted by the
         ulmartSaltSource bean. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userService">
            <password-encoder ref="ulmartPasswordEncoder">
                <salt-source ref="ulmartSaltSource" />
            </password-encoder>
        </authentication-provider>
    </authentication-manager>

    <!-- Salt source that reads the salt from the "username" property of the user details.
         NOTE(review): a username is a predictable, non-random salt, and renaming a user
         invalidates the stored hash. A per-user random salt, or an encoder that generates and
         embeds its own salt, is the stronger choice. -->
    <beans:bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="ulmartSaltSource">
        <beans:property name="userPropertyToUse" value="username" />
    </beans:bean>

    <!-- Custom remember-me services (implementation not shown), wired with the same key as the
         remember-me element and with userService for user lookup.
         NOTE(review): the class name suggests the token is bound to the client IP address.
         Confirm how the token is built and that logout removes the cookie. The key literal
         should come from an external secret rather than being repeated in this file. -->
    <beans:bean class="ru.ulmart.web.admin.security.IPTokenBasedRememberMeServices" name="ulmartIPTokenBasedRememberMeServicesBean">
        <beans:property name="key">
            <beans:value>rememberMeUlmartKey</beans:value>
        </beans:property>
        <beans:property name="userDetailsService" ref="userService" />
    </beans:bean>

    <!-- Project-specific password encoder; the hashing algorithm is not visible from this file.
         NOTE(review): confirm it uses an adaptive, salted password hash (for example bcrypt)
         rather than a single fast digest. -->
    <beans:bean class="ru.ulmart.web.admin.security.PasswordEncoder" id="ulmartPasswordEncoder" />

    <!-- Custom handlers referenced by form-login and logout; implementations are not shown.
         These beans use the default singleton scope, so one instance serves every request.
         NOTE(review): confirm that none of them keeps per-user state (current user, roles,
         target URL) in instance fields, since that state would leak between logins. -->
    <beans:bean id="loginFailureHandler" class="ru.ulmart.web.admin.security.LoginFailureHandler" />
    <beans:bean id="loginSuccessHandler" class="ru.ulmart.web.admin.security.LoginSuccessHandler" />
    <beans:bean id="logoutSuccessHandler" class="ru.ulmart.web.admin.security.LogoutSuccessHandler" />
    
    <!-- User lookup bean used by both the authentication provider and the remember-me services.
         It is given the sessionFactory bean, which is defined outside this file.
         NOTE(review): confirm that each login loads the user and its authorities fresh instead
         of reusing a cached object from an earlier login. -->
    <beans:bean id="userService" class="ru.ulmart.web.admin.security.UserManagerDaoImpl">
        <beans:property name="sessionFactory" ref="sessionFactory"/>
    </beans:bean>
</beans:beans>
The situation is:
0. Log in as User2, who does not have the role ROLE_ulmart_user - no access to main.html - OK;
1. Log in as User1, who has the role ROLE_ulmart_user - has access to main.html - OK;
2. Log out;
3. Log in as User1, who has the role ROLE_ulmart_user - has access to main.html - OK;
4. Log out;
5. Log in as User2, who does not have the role ROLE_ulmart_user - has access to main.html - BAD!!!! Why does it have access?
6. Try to log in as User1 - get access denied. Why doesn't it have access? It should have it;