Hello,
I've encountered a really strange problem in my webapp. I'm not sure if
this is an Acegi-related issue, but I'd like to be sure about this.
I use the Acegi Security filter to perform authentication and authorization
in my webapp. The problem is that very, very seldom (twice so far in the
last few weeks) one user was able to see the data of another user. Each user
has a different request.getSession().getId(), so this is not a
session-hijacking issue.
It looks just like the object stored in the SecureContext is replaced with
the data of another user. I've reviewed all of my code and I do not see
any place where this could happen. The object stored in
context.getAuthentication().getPrincipal() is loaded by Hibernate during
the login process.
Does anybody have any idea how it is possible that the content of
context.getAuthentication().getPrincipal() is replaced with the data
from another HTTP session?
Thanks for help,
Artur Wronski