Using non standard user/role table structure problem

[robmonie]

I've implemented Acegi Security using a modified user/authoristies table structure with incremental PKs. For this i've modified my application context with the following to change th SQL queries for my user/roles tables.

Code:

<bean id="authenticationDao"
		class="net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl">
		<property name="dataSource">
			<ref bean="dataSource" />
		</property>
		<property name="usersByUsernameQuery">
			<value>SELECT UserId, Password, Enabled FROM Users WHERE UserName = ?</value>
		</property>
		<property name="authoritiesByUsernameQuery">
			<value>SELECT UserRoles.UserId, Roles.RoleName FROM UserRoles Inner Join Roles On UserRoles.RoleId=Roles.RoleId WHERE UserRoles.UserId = ?</value>
		</property>
	</bean>

The good news is that this is doing exactly what I want. I can log in fine and authorization is happening as expected. The strange thing is that after the app is idle for a few minutes (not sure exactly but under 5) I try to access a protected page and i'm asked to log in again. This is not a session timeout from what I can tell because firstly my authorize jsp tags are still recognising me as being logged in and the debug log output still shows my credentials (see below). For some reason though it redirects me to the login page anyway.

This only happens after a period of inactivity. If I repeatedly access pages without this period of inactivity I am able to continue accessing the protected pages.

Does anyone have any ideas on what may be causing this ? I'm thinking it might be related to this snippet but not sure why

Code:

DEBUG - EhCacheBasedUserCache.getUserFromCache(71) | Cache hit: false; username: 1
WARN - LoggerListener.onApplicationEvent(103) | Authentication failed due to nonexistent username: 1; details:

Full log output for problem http request is as follows...

Code:

DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(110) | Converted URL to lowercase, from: '/user.html?method=list'; to: '/user.html?method=list'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/user.html?method=list'; pattern is /**; matched=true
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /user.html?method=list at position 1 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter@d3d145'
DEBUG - HttpSessionContextIntegrationFilter.doFilter(183) | Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0a8dc: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /user.html?method=list at position 2 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter@d060ac'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /user.html?method=list at position 3 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter@7ad957'
DEBUG - AnonymousProcessingFilter.doFilter(147) | ContextHolder not replaced with anonymous token, as ContextHolder already contained: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /user.html?method=list at position 4 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter@17750ef'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(110) | Converted URL to lowercase, from: '/user.html?method=list'; to: '/user.html?method=list'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/user.html?method=list'; pattern is /user.html*; matched=true
DEBUG - AbstractSecurityInterceptor.beforeInvocation(348) | Secure object: FilterInvocation: URL: /user.html?method=list; ConfigAttributes: [ADMINISTRATOR]
DEBUG - ProviderManager.doAuthentication(156) | Authentication attempt using net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider
DEBUG - EhCacheBasedUserCache.getUserFromCache(71) | Cache hit: false; username: 1
WARN - LoggerListener.onApplicationEvent(103) | Authentication failed due to nonexistent username: 1; details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D
DEBUG - SecurityEnforcementFilter.doFilter(189) | Authentication exception occurred; redirecting to authentication entry point
net.sf.acegisecurity.BadCredentialsException: Bad credentials presented
	at net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider.getUserFromBackend(DaoAuthenticationProvider.java:393)
	at net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider.authenticate(DaoAuthenticationProvider.java:225)
	at net.sf.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:159)
	at net.sf.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
	at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:372)
	at net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:81)
	at net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:182)
	at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
	at net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:153)
	at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
	at net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:305)
	at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
	at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:225)
	at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
	at net.sf.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:233)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:204)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:509)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
	at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:211)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:805)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:696)
	at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
	at java.lang.Thread.run(Thread.java:534)
DEBUG - SecurityEnforcementFilter.sendStartAuthentication(249) | Authentication entry point being called; target URL added to Session: http://localhost/UserProfiles/user.html?method=list
DEBUG - AuthenticationProcessingFilterEntryPoint.commence(171) | Redirecting to: http://localhost/UserProfiles/login.jsp
DEBUG - HttpSessionContextIntegrationFilter.doFilter(271) | Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0a8dc: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - HttpSessionContextIntegrationFilter.doFilter(280) | ContextHolder set to null as request processing completed
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(110) | Converted URL to lowercase, from: '/login.jsp'; to: '/login.jsp'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/login.jsp'; pattern is /**; matched=true
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /login.jsp at position 1 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter@d3d145'
DEBUG - HttpSessionContextIntegrationFilter.doFilter(183) | Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0a8dc: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /login.jsp at position 2 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter@d060ac'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /login.jsp at position 3 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter@7ad957'
DEBUG - AnonymousProcessingFilter.doFilter(147) | ContextHolder not replaced with anonymous token, as ContextHolder already contained: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /login.jsp at position 4 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter@17750ef'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(110) | Converted URL to lowercase, from: '/login.jsp'; to: '/login.jsp'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/login.jsp'; pattern is /user.html*; matched=false
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/login.jsp'; pattern is /role.html*; matched=false
DEBUG - AbstractSecurityInterceptor.beforeInvocation(436) | Public object - authentication not attempted
DEBUG - AbstractSecurityInterceptor.beforeInvocation(449) | Authentication object detected and tagged as unauthenticated
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(288) | /login.jsp reached end of additional filter chain; proceeding with original chain
DEBUG - SecurityEnforcementFilter.doFilter(185) | Chain processed normally
DEBUG - HttpSessionContextIntegrationFilter.doFilter(271) | Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0a8dc: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - HttpSessionContextIntegrationFilter.doFilter(280) | ContextHolder set to null as request processing completed
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(110) | Converted URL to lowercase, from: '/styles/global.css'; to: '/styles/global.css'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/styles/global.css'; pattern is /**; matched=true
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /styles/global.css at position 1 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter@d3d145'
DEBUG - HttpSessionContextIntegrationFilter.doFilter(183) | Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0a8dc: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /styles/global.css at position 2 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter@d060ac'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /styles/global.css at position 3 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter@7ad957'
DEBUG - AnonymousProcessingFilter.doFilter(147) | ContextHolder not replaced with anonymous token, as ContextHolder already contained: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /styles/global.css at position 4 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter@17750ef'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(110) | Converted URL to lowercase, from: '/styles/global.css'; to: '/styles/global.css'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/styles/global.css'; pattern is /user.html*; matched=false
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/styles/global.css'; pattern is /role.html*; matched=false
DEBUG - AbstractSecurityInterceptor.beforeInvocation(436) | Public object - authentication not attempted
DEBUG - AbstractSecurityInterceptor.beforeInvocation(449) | Authentication object detected and tagged as unauthenticated
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(288) | /styles/global.css reached end of additional filter chain; proceeding with original chain
DEBUG - SecurityEnforcementFilter.doFilter(185) | Chain processed normally
DEBUG - HttpSessionContextIntegrationFilter.doFilter(271) | Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0a8dc: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - HttpSessionContextIntegrationFilter.doFilter(280) | ContextHolder set to null as request processing completed
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(110) | Converted URL to lowercase, from: '/scripts/selectbox.js'; to: '/scripts/selectbox.js'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/scripts/selectbox.js'; pattern is /**; matched=true
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /scripts/selectbox.js at position 1 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter@d3d145'
DEBUG - HttpSessionContextIntegrationFilter.doFilter(183) | Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0a8dc: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /scripts/selectbox.js at position 2 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter@d060ac'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /scripts/selectbox.js at position 3 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter@7ad957'
DEBUG - AnonymousProcessingFilter.doFilter(147) | ContextHolder not replaced with anonymous token, as ContextHolder already contained: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /scripts/selectbox.js at position 4 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter@17750ef'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(110) | Converted URL to lowercase, from: '/scripts/selectbox.js'; to: '/scripts/selectbox.js'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/scripts/selectbox.js'; pattern is /user.html*; matched=false
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/scripts/selectbox.js'; pattern is /role.html*; matched=false
DEBUG - AbstractSecurityInterceptor.beforeInvocation(436) | Public object - authentication not attempted
DEBUG - AbstractSecurityInterceptor.beforeInvocation(449) | Authentication object detected and tagged as unauthenticated
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(288) | /scripts/selectbox.js reached end of additional filter chain; proceeding with original chain
DEBUG - SecurityEnforcementFilter.doFilter(185) | Chain processed normally
DEBUG - HttpSessionContextIntegrationFilter.doFilter(271) | Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0a8dc: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - HttpSessionContextIntegrationFilter.doFilter(280) | ContextHolder set to null as request processing completed
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(110) | Converted URL to lowercase, from: '/scripts/general.js'; to: '/scripts/general.js'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/scripts/general.js'; pattern is /**; matched=true
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /scripts/general.js at position 1 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter@d3d145'
DEBUG - HttpSessionContextIntegrationFilter.doFilter(183) | Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0a8dc: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /scripts/general.js at position 2 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter@d060ac'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /scripts/general.js at position 3 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter@7ad957'
DEBUG - AnonymousProcessingFilter.doFilter(147) | ContextHolder not replaced with anonymous token, as ContextHolder already contained: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(297) | /scripts/general.js at position 4 of 4 in additional filter chain; firing Filter: 'net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter@17750ef'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(110) | Converted URL to lowercase, from: '/scripts/general.js'; to: '/scripts/general.js'
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/scripts/general.js'; pattern is /user.html*; matched=false
DEBUG - PathBasedFilterInvocationDefinitionMap.lookupAttributes(121) | Candidate is: '/scripts/general.js'; pattern is /role.html*; matched=false
DEBUG - AbstractSecurityInterceptor.beforeInvocation(436) | Public object - authentication not attempted
DEBUG - AbstractSecurityInterceptor.beforeInvocation(449) | Authentication object detected and tagged as unauthenticated
DEBUG - FilterChainProxy$VirtualFilterChain.doFilter(288) | /scripts/general.js reached end of additional filter chain; proceeding with original chain
DEBUG - SecurityEnforcementFilter.doFilter(185) | Chain processed normally
DEBUG - HttpSessionContextIntegrationFilter.doFilter(271) | Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0a8dc: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4f9c6d: Username: net.sf.acegisecurity.providers.dao.User@95949c: Username: 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMINISTRATOR; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1bc9499: RemoteIpAddress: 127.0.0.1; SessionId: E90E1AF2D7394C28B24557763D40AD4D; Granted Authorities: ADMINISTRATOR'
DEBUG - HttpSessionContextIntegrationFilter.doFilter(280) | ContextHolder set to null as request processing completed

[/code]

[robmonie]

Ok I think I know the reason why this is happening but I can't figure out how to deal with it.

I believe that the first time a user authenticates, the username is passed to the "usersByUsernameQuery" which then returns the UserId to be used by the "authoritiesByUsernameQuery" to query the table containing all user roles (authorities). This all works fine.

In case it isn't clear from the queries above, my tables are as follows:

Users
+userId
userName (unique)
password
enabled

Roles
+roleId
roleName (unique)
description

UserRoles
+userId
+roleId


The problem appears to be that once the cache dries up and a new query to the database is required, the username that was entered through the ui by the user logging in is substituted with the username of '1' which is really the user id. This is passed back to the query which is now looking for a username of '1' rather than that which the user orignally entered therefor no user is found.

My question is how do I get around this with the data model. Is it possible ?

[Ben Alex]

I've modified JdbcDaoImpl to support this. It's now in CVS with a new property:

Code:

    /**
     * If <code>true</code> &#40;the default&#41;, indicates the &#123;@link
     * #getUsersByUsernameMapping&#40;&#41;&#125; returns a username in response to a
     * query. If <code>false</code>, indicates that a primary key is used
     * instead. If set to <code>true</code>, the class will use the
     * database-derived username in the returned <code>UserDetails</code>. If
     * <code>false</code>, the class will use the &#123;@link
     * #loadUserByUsername&#40;String&#41;&#125; derived username in the returned
     * <code>UserDetails</code>.
     *
     * @param usernameBasedPrimaryKey <code>true</code> if the mapping queries
     *        return the username <code>String</code>, or <code>false</code>
     *        if the mapping returns a database primary key.
     */
    public void setUsernameBasedPrimaryKey&#40;boolean usernameBasedPrimaryKey&#41; &#123;
        this.usernameBasedPrimaryKey = usernameBasedPrimaryKey;
    &#125;

[robmonie]

That's great, thanks Ben. I've since changed my table structure to use an assigned PK of the username as it was looking like a few more changes would be required than just overriding a couple of methods in JdbcDaoImpl.

Now that you've made them I may change this back once the next release of acegi security comes out. It's great to have this flexibility now so users can change their usernames.

thanks again!
rob

[David Carter]

It's great to have this flexibility now so users can change their usernames.

This is one of the reasons it's generally recommended that ALL database tables have synthetic primary keys rather than using the unique business key (username in this case) as the primary key.

Kudos to the Acegi team for such a quick fix!