
Thread: SecurityContext is lost

  1. #1

    SecurityContext is lost

    Hi,

    i got a strange problem here.

    I am using JSF 1.1 (Myfaces), Spring 2.0.5 and acegi 1.0.5

    When I restart my JBoss server and then log in for the first time through my login page, I am logged in, but the SecurityContext is lost as soon as I move to another page.

    If I log in a second time, the SecurityContext is not lost again.


    Also, if after restarting JBoss I first click on a "normal" page and then log in, I don't have any problems at all.


    Thanks

    Here are my configuration Files

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    
    	<!-- Central authentication manager used by the filters and interceptors:
    	     a ProviderManager that delegates to the single custom provider below.
    	     NOTE(review): rememberMeProcessingFilter in the web configuration is wired
    	     to this manager, yet no remember-me provider is listed here. Confirm that
    	     the custom provider accepts remember-me tokens; otherwise those automatic
    	     logins will presumably be rejected. -->
    	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    		<property name="providers">
    			<list>
    				<ref bean="authenticationProvider"/>
    			</list>
    		</property>
    	</bean>
    
    	<!-- Project-specific authentication provider backed by the userDetailsManager
    	     bean, which is defined outside this listing.
    	     forcePrincipalAsString=false keeps the user-details object itself as the
    	     principal instead of reducing it to the user name.
    	     NOTE(review): the principal is stored with the SecurityContext in the HTTP
    	     session; presumably it must be Serializable if the container persists or
    	     replicates sessions. Verify against the SksUserDetails class. -->
    	<bean id="authenticationProvider"
    		class="com.weiglewilczek.wfoerd.sks.user.authentication.SksUserDetailsAuthenticationProvider">
    		<property name="userDetailsService">
    			<ref bean="userDetailsManager"/>
    		</property>
    		<property name="forcePrincipalAsString">
    			<value>false</value>
    		</property>
    	</bean>
    
    	<!-- Decision manager for method security. With a single RoleVoter the consensus
    	     is simply that voter's verdict; allowIfAllAbstainDecisions=false means that
    	     access is denied when the voter abstains. -->
    	<bean id="accessDecisionManager" class="org.acegisecurity.vote.ConsensusBased">
    		<property name="allowIfAllAbstainDecisions">
    			<value>false</value>
    		</property>
    		<property name="decisionVoters">
    			<list>
    				<bean class="org.acegisecurity.vote.RoleVoter"/>
    			</list>
    		</property>
    	</bean>
    
    	<!-- Wraps the searchFactory bean in a proxy that runs securityInterceptor.
    	     Only beans named in beanNames are protected; any other service bean is
    	     reachable without method-level checks.
    	     proxyTargetClass=true requests class-based proxies.
    	     NOTE(review): with class-based proxies, final methods cannot be intercepted;
    	     confirm that no secured method on the target is final. -->
    	<bean id="autoProxyCreator"
    		class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
    		<property name="beanNames">
    			<list>
    				<value>searchFactory</value>
    			</list>
    		</property>
    		<property name="interceptorNames">
    			<list>
    				<value>securityInterceptor</value>
    			</list>
    		</property>
    		<property name="proxyTargetClass">
    			<value>true</value>
    		</property>
    	</bean>
    
    	<!-- Method-level security interceptor, applied through autoProxyCreator.
    	     validateConfigAttributes=false switches off the start-up validation of the
    	     configured security attributes, so an attribute that no voter supports
    	     (for example one without the ROLE_ prefix) is not reported at start-up.
    	     NOTE(review): this may be required by the attribute-driven definition
    	     source used below; confirm before changing it. -->
    	<bean id="securityInterceptor"
    		class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    		<property name="validateConfigAttributes" value="false"/>
    		<property name="authenticationManager" ref="authenticationManager"/>
    		<property name="accessDecisionManager" ref="accessDecisionManager"/>
    		<!-- Disabled by the author: a runAsManager property referencing a
    		     runAsManager bean. -->
    		<!-- Disabled by the author: an inline objectDefinitionSource value mapping
    		     com.weiglewilczek.wfoerd.sks.search.SearchFactory.saveSearch=ROLE_INSERENT.
    		     The bean reference below is used instead. -->
    		<property name="objectDefinitionSource" ref="objectDefinitionSource"/>
    	</bean>
    
     
    	<!-- Supplies the method security attributes to securityInterceptor by reading
    	     them through the attributes bean, instead of listing them in this file. -->
    	<bean id="objectDefinitionSource"
    		class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
    		<property name="attributes" ref="attributes"/>
    	</bean>
    
    
    	<!-- Commons Attributes implementation of Spring's metadata lookup, consumed by
    	     objectDefinitionSource. -->
    	<bean class="org.springframework.metadata.commons.CommonsAttributes"
    		id="attributes"/>
    </beans>
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    
    	<!-- Single filter chain applied to every URL (/**). The filters run in the
    	     order listed, so the order is security-relevant: channelProcessingFilter
    	     decides HTTP versus HTTPS first, httpSessionContextIntegrationFilter then
    	     restores the SecurityContext from the HTTP session before any
    	     authentication filter runs, and filterInvocationInterceptor enforces the
    	     URL rules last.
    	     NOTE(review): because the SecurityContext lives in the HTTP session, any
    	     request that arrives without the session cookie is treated as anonymous;
    	     see the channel rules on channelProcessingFilter. -->
    	<bean id="filterChainProxy"
    		class="org.acegisecurity.util.FilterChainProxy">
    		<property name="filterInvocationDefinitionSource">
    			<value>
    				<![CDATA[
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/**=channelProcessingFilter,httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,logoutFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    			]]>
    			</value>
    		</property>
    	</bean>
    
    	<!--  ============== -->
    	<!--  AUTHENTICATION -->
    	<!--  ============== -->
    	<!-- Where unauthenticated users are sent when a protected URL is requested:
    	     the login form at /login.xhtml, with forceHttps=true so the form is
    	     requested over HTTPS. -->
    	<bean id="authenticationEntryPoint"
    		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    		<property name="forceHttps">
    			<value>true</value>
    		</property>
    		<property name="loginFormUrl">
    			<value>/login.xhtml</value>
    		</property>
    	</bean>
    
    	<!-- Carries the SecurityContext between requests by keeping it in the HTTP
    	     session. A request that does not present the session cookie therefore
    	     starts with an empty context. -->
    	<bean class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"
    		id="httpSessionContextIntegrationFilter"/>
    
    	<!-- Handles requests to /j_acegi_logout: runs the listed logout handlers
    	     (rememberMeServices first, then SecurityContextLogoutHandler) and redirects
    	     to /index.xhtml. Constructor argument order is significant: target URL
    	     first, handler list second. -->
    	<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
    		<constructor-arg>
    			<value>/index.xhtml</value>
    		</constructor-arg>
    		<constructor-arg>
    			<list>
    				<ref bean="rememberMeServices"/>
    				<bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
    			</list>
    		</constructor-arg>
    		<property name="filterProcessesUrl">
    			<value>/j_acegi_logout</value>
    		</property>
    	</bean>
    
    	<!-- Processes the login form submission posted to /j_acegi_security_check.
    	     Failures return to /login.xhtml; successful logins without a saved target
    	     go to "/".
    	     NOTE(review): channelProcessingFilter requires HTTPS for the login URLs but
    	     sends "/" back to plain HTTP, so the first request after a successful login
    	     changes scheme. If the session cookie was issued over HTTPS it may not be
    	     returned on that HTTP request; confirm with the container's cookie settings. -->
    	<bean id="authenticationProcessingFilter"
    		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    		<property name="filterProcessesUrl" value="/j_acegi_security_check"/>
    		<property name="authenticationManager" ref="authenticationManager"/>
    		<property name="rememberMeServices" ref="rememberMeServices"/>
    		<property name="defaultTargetUrl" value="/"/>
    		<property name="authenticationFailureUrl" value="/login.xhtml"/>
    	</bean>
    
    	<!-- Wraps the servlet request so that the standard request security methods
    	     reflect the current SecurityContext. -->
    	<bean class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"
    		id="securityContextHolderAwareRequestFilter"/>
    
    	<!-- Attempts an automatic login from the remember-me cookie when the request
    	     carries no authentication yet, using rememberMeServices to read the cookie
    	     and authenticationManager to accept the resulting token. -->
    	<bean id="rememberMeProcessingFilter"
    		class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
    		<property name="rememberMeServices">
    			<ref bean="rememberMeServices"/>
    		</property>
    		<property name="authenticationManager">
    			<ref bean="authenticationManager"/>
    		</property>
    	</bean>
    
    	<!-- Gives requests without any authentication an anonymous token with the
    	     principal anonymousUser and the authority ROLE_ANONYMOUS.
    	     NOTE(review): the key is still the sample placeholder "changeThis";
    	     replace it with a deployment-specific value before production use. -->
    	<bean id="anonymousProcessingFilter"
    		class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    		<property name="userAttribute">
    			<value>anonymousUser,ROLE_ANONYMOUS</value>
    		</property>
    		<property name="key">
    			<value>changeThis</value>
    		</property>
    	</bean>
    
    	<!-- Translates security exceptions raised further down the chain: requests
    	     that need authentication are handed to authenticationEntryPoint, and
    	     denied requests are shown /error.xhtml. -->
    	<bean id="exceptionTranslationFilter"
    		class="org.acegisecurity.ui.ExceptionTranslationFilter">
    		<property name="accessDeniedHandler">
    			<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
    				<property name="errorPage">
    					<value>/error.xhtml</value>
    				</property>
    			</bean>
    		</property>
    		<property name="authenticationEntryPoint">
    			<ref bean="authenticationEntryPoint"/>
    		</property>
    	</bean>
    
    	<!-- URL-level authorization, last filter in the chain. Uses its own
    	     AffirmativeBased decision manager (RoleVoter plus AuthenticatedVoter), so
    	     one granting vote is enough; allowIfAllAbstainDecisions=false denies when
    	     every voter abstains.
    	     The patterns are matched against the lower-cased URL, so they must be
    	     written in lower case; the rules are listed from most to least specific.
    	     NOTE(review): the final /** rule admits anonymous users to every URL that
    	     is not listed above it, which is a default-allow policy. New protected
    	     areas must be added explicitly or they are public.
    	     NOTE(review): /secure/extra/** requires ROLE_ADMIN here but is not listed
    	     as a secure channel in channelProcessingFilter, so under that bean's
    	     catch-all rule the admin pages are served over plain HTTP. -->
    	<bean id="filterInvocationInterceptor"
    		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager"
    			ref="authenticationManager" />
    		<property name="accessDecisionManager">
    			<bean class="org.acegisecurity.vote.AffirmativeBased">
    				<property name="allowIfAllAbstainDecisions"
    					value="false" />
    				<property name="decisionVoters">
    					<list>
    						<bean class="org.acegisecurity.vote.RoleVoter" />
    						<bean
    							class="org.acegisecurity.vote.AuthenticatedVoter" />
    					</list>
    				</property>
    			</bean>
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				<![CDATA[
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/secure/extra/**=ROLE_ADMIN
    				/mysks/**=IS_AUTHENTICATED_REMEMBERED
    				/**=IS_AUTHENTICATED_ANONYMOUSLY
    			]]>
    			</value>
    		</property>
    	</bean>
    
    	<!-- Issues and validates the remember-me cookie, looking users up through the
    	     userDetailsManager bean (defined outside this listing).
    	     NOTE(review): the key is still the sample placeholder "changeThis". The key
    	     is part of what protects the remember-me token against forgery, so it
    	     should be a private, deployment-specific value supplied from configuration
    	     that is kept out of version control.
    	     NOTE(review): with the channel rules in channelProcessingFilter most URLs
    	     are forced to HTTP, so this cookie is presumably also sent in cleartext. -->
    	<bean id="rememberMeServices"
    		class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
    		<property name="key">
    			<value>changeThis</value>
    		</property>
    		<property name="userDetailsService">
    			<ref bean="userDetailsManager"/>
    		</property>
    	</bean>
    
    	<!-- channelProcessingFilter: first filter in the chain; redirects each request
    	     to HTTPS or HTTP according to the rules below, evaluated top to bottom.
    	     Only the login page, the login submission URL and /mysks/** require HTTPS.
    	     NOTE(review): the final /**=REQUIRES_INSECURE_CHANNEL rule actively sends
    	     every other URL back to plain HTTP, including the "/" target used after a
    	     successful login. Servlet containers commonly mark a session cookie that
    	     was created during an HTTPS request as Secure, in which case the browser
    	     does not return it over HTTP and the SecurityContext held in that session
    	     appears lost. That matches the symptom described in this thread (a session
    	     started on an HTTP page first does not show it); confirm against the
    	     JBoss session cookie behaviour.
    	     NOTE(review): where the session cookie is returned over HTTP, the
    	     authenticated session id travels in cleartext. Keeping the whole
    	     authenticated session on HTTPS avoids both problems. -->
    	<bean id="channelProcessingFilter"
    		class="org.acegisecurity.securechannel.ChannelProcessingFilter">
    		<property name="channelDecisionManager"
    			ref="channelDecisionManager" />
    		<property name="filterInvocationDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/login.xhtml=REQUIRES_SECURE_CHANNEL
    				/mysks/**=REQUIRES_SECURE_CHANNEL
    				/j_acegi_security_check*=REQUIRES_SECURE_CHANNEL
    				/**=REQUIRES_INSECURE_CHANNEL
    			</value>
    		</property>
    	</bean>
    
    	<!-- Hands each channel requirement from channelProcessingFilter to the
    	     processors listed here: one for the secure and one for the insecure
    	     channel. -->
    	<bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
    		<property name="channelProcessors">
    			<list>
    				<ref local="secureChannelProcessor"/>
    				<ref local="insecureChannelProcessor"/>
    			</list>
    		</property>
    	</bean>
    
    
    	<!-- Secure channel: a request that must use HTTPS but arrived another way is
    	     passed to retryWithHttpsEntryPoint, which uses portMapperImpl to find the
    	     matching HTTPS port. -->
    	<bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor">
    		<property name="entryPoint"><ref local="retryWithHttpsEntryPoint"/></property>
    	</bean>
    	<bean id="retryWithHttpsEntryPoint" class="org.acegisecurity.securechannel.RetryWithHttpsEntryPoint">
    		<property name="portMapper"><ref local="portMapperImpl"/></property>
    	</bean>
    
    	<!-- Insecure channel: a request that must use plain HTTP but arrived over
    	     HTTPS is passed to retryWithHttpEntryPoint, which uses portMapperImpl to
    	     find the matching HTTP port.
    	     NOTE(review): this is the processor that moves users off HTTPS for every
    	     URL covered by a REQUIRES_INSECURE_CHANNEL rule. -->
    	<bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor">
    		<property name="entryPoint"><ref local="retryWithHttpEntryPoint"/></property>
    	</bean>
    	<bean id="retryWithHttpEntryPoint" class="org.acegisecurity.securechannel.RetryWithHttpEntryPoint">
    		<property name="portMapper"><ref local="portMapperImpl"/></property>
    	</bean>
    
    	<!-- Maps the HTTP port to its HTTPS counterpart for the channel redirects.
    	     Both values are property placeholders.
    	     NOTE(review): the bean that resolves these placeholders is not part of
    	     this listing; confirm it is defined, otherwise the literal placeholder
    	     text would be used as the port. -->
    	<bean id="portMapperImpl" class="org.acegisecurity.util.PortMapperImpl">
    		<property name="portMappings">
    			<map>
    				<entry key="${sks.server.webport}" value="${sks.server.sslport}"/>
    			</map>
    		</property>
    	</bean>
    			
    	<!-- Image CAPTCHA service with its default settings; not referenced by any
    	     other bean in this listing. -->
    	<bean id="imageCaptchaService"
    		class="com.octo.captcha.service.image.DefaultManageableImageCaptchaService"/>
    
    
    </beans>
    Last edited by janblankenhorn; Jan 15th, 2008 at 07:51 AM.

  2. #2


    A small note:

    I just found out that when I first open the login page, the SecurityContext is this instance:
    org.acegisecurity.context.SecurityContextImpl@90572420

    After logging in it is this one:
    org.acegisecurity.context.SecurityContextImpl@dac3681f

    After going on (when the context is lost) it is this one:
    org.acegisecurity.context.SecurityContextImpl@9055e4a6

    Shouldn't this be the first one again?

  3. #3


    no idea anyone?

  4. #4

    I'm not sure, but your context is serialized and deserialized to wherever you configured session management in your server. So after your instance is reloaded, it has a different memory address.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  5. #5


    Sorry, I made a mistake above ...


    This is what the three SecurityContexts look like.

    First one (after going directly to my login page):
    org.acegisecurity.context.SecurityContextImpl@905571d8:
    Authentication: org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken@905571d8:
    Username: anonymousUser; Password: [PROTECTED]; Authenticated: true;
    Details: org.acegisecurity.ui.WebAuthenticationDetails@0:
    RemoteIpAddress: 127.0.0.1; SessionId: 859E1BD27BA816F3341EDEA873814891; Granted Authorities: ROLE_ANONYMOUS
    While being logged in:
    org.acegisecurity.context.SecurityContextImpl@dbd8f64a:
    Authentication: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@dbd8f64a:
    Username: com.weiglewilczek.wfoerd.sks.user.authentication.SksUserDetails@1f60800: Username: jan; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_INSERENT; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_INSERENT
    After losing the SecurityContext:
    org.acegisecurity.context.SecurityContextImpl@9055e4a6:
    Authentication: org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken@9055e4a6:
    Username: anonymousUser; Password: [PROTECTED]; Authenticated: true;
    Details: org.acegisecurity.ui.WebAuthenticationDetails@957e:
    RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
