Thread: Mozilla Firefox allows me to login automatically. Why?

  1. #1
    Join Date
    Aug 2006
    Posts
    18

    Mozilla Firefox allows me to login automatically. Why?

    I have downloaded the acegi security 1.0.6 and deployed the "acegi-security-samples-tutorial-1.0.6.war" into tomcat-5.0.30. Everything is working fine except that the authentication is remembered by the browser. Let me explain the steps to reproduce the behavior below.

    Note: The following scenario applies only to Mozilla Firefox (in my case the version is 2.0.0.12). I tested with IE. It works fine with IE.

    1. Deploy the WAR.
    2. Browse the link "http://localhost:8080/acegi-security-samples-tutorial-1.0.6/secure/index.jsp". A successful login will take us to the page.
    3. Close the browser and reopen a new one.
    4. Browse the above link again.

    The secured page will be displayed without any authentication again. But I think this should not happen, since I am not using the Remember me option at login. I tried to disable the remember-me part in the configuration file, but no luck.

    Please explain what is wrong. ...

    Thanks in advance

  2. #2
    Join Date
    Jul 2005
    Location
    Geneva (Switzerland)
    Posts
    304

    You might just have a page in the browser's cache ...

    To know more about it, turn on logging and see exactly what happens. If you can't figure out what the logs mean, send them here ...

  3. #3
    Join Date
    Aug 2006
    Posts
    18

    Quote (originally posted by gehel):
    You might just have a page in the browser's cache ...

    To know more about it, turn on logging and see exactly what happens. If you can't figure out what the logs mean, send them here ...

    I have checked that already... It is sending a new request to the server.

  4. #4
    Join Date
    Jul 2005
    Location
    Geneva (Switzerland)
    Posts
    304

    And what do you have in the logs? Can you post them? And please use the [code] tag ...

  5. #5
    Join Date
    Aug 2006
    Posts
    18

    Quote (originally posted by gehel):
    And what do you have in the logs? Can you post them? And please use the [code] tag ...

    The following are the messages printed for the second attempt to access the protected resource.


    Code:
    [DEBUG,AbstractSecurityInterceptor,http-8080-Processor25] RunAsManager did not change Authentication object
    [DEBUG,FilterChainProxy,http-8080-Processor25] /secure/index.jsp reached end of additional filter chain; proceeding with original chain
    [DEBUG,ExceptionTranslationFilter,http-8080-Processor25] Chain processed normally
    [DEBUG,HttpSessionContextIntegrationFilter,http-8080-Processor25] SecurityContextHolder now cleared, as request processing completed
    [DEBUG,PathBasedFilterInvocationDefinitionMap,http-8080-Processor24] Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
    [DEBUG,PathBasedFilterInvocationDefinitionMap,http-8080-Processor24] Candidate is: '/secure/index.jsp'; pattern is /**; matched=true
    [DEBUG,FilterChainProxy,http-8080-Processor24] /secure/index.jsp at position 1 of 8 in additional filter chain; firing Filter: 'org.acegisecurity.context.HttpSessionContextIntegrationFilter@57ae58'
    [DEBUG,HttpSessionContextIntegrationFilter,http-8080-Processor24] Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT to associate with SecurityContextHolder: 'org.acegisecurity.context.SecurityContextImpl@af4a015b: Authentication: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@af4a015b: Username: org.acegisecurity.userdetails.User@bc4300: Username: marissa; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: BFB56E5341C13D8D10CB9D461ED14A9E; Granted Authorities: ROLE_SUPERVISOR'
    [DEBUG,HttpSessionContextIntegrationFilter,http-8080-Processor24] Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT to associate with SecurityContextHolder: 'org.acegisecurity.context.SecurityContextImpl@af4a015b: Authentication: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@af4a015b: Username: org.acegisecurity.userdetails.User@bc4300: Username: marissa; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: BFB56E5341C13D8D10CB9D461ED14A9E; Granted Authorities: ROLE_SUPERVISOR'
    [DEBUG,FilterChainProxy,http-8080-Processor24] /secure/index.jsp at position 2 of 8 in additional filter chain; firing Filter: 'org.acegisecurity.ui.webapp.AuthenticationProcessingFilter@13c550f'
    [DEBUG,FilterChainProxy,http-8080-Processor24] /secure/index.jsp at position 3 of 8 in additional filter chain; firing Filter: 'org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter@1f488f1'
    [DEBUG,FilterChainProxy,http-8080-Processor24] /secure/index.jsp at position 4 of 8 in additional filter chain; firing Filter: 
    [DEBUG,SavedRequestAwareWrapper,http-8080-Processor24] Wrapper not replaced; SavedRequest was: null
    [DEBUG,FilterChainProxy,http-8080-Processor24] /secure/index.jsp at position 5 of 8 in additional filter chain; firing Filter: 'org.acegisecurity.ui.rememberme.RememberMeProcessingFilter@11b86c7'
    [DEBUG,FilterChainProxy,http-8080-Processor24] /secure/index.jsp at position 5 of 8 in additional filter chain; firing Filter: 'org.acegisecurity.ui.rememberme.RememberMeProcessingFilter@11b86c7'
    [DEBUG,RememberMeProcessingFilter,http-8080-Processor24] SecurityContextHolder not populated with remember-me token, as it already contained: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@af4a015b: Username: org.acegisecurity.userdetails.User@bc4300: Username: marissa; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: BFB56E5341C13D8D10CB9D461ED14A9E; Granted Authorities: ROLE_SUPERVISOR'
    [DEBUG,RememberMeProcessingFilter,http-8080-Processor24] SecurityContextHolder not populated with remember-me token, as it already contained: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@af4a015b: Username: org.acegisecurity.userdetails.User@bc4300: Username: marissa; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: BFB56E5341C13D8D10CB9D461ED14A9E; Granted Authorities: ROLE_SUPERVISOR'
    [DEBUG,FilterChainProxy,http-8080-Processor24] /secure/index.jsp at position 6 of 8 in additional filter chain; firing Filter: 'org.acegisecurity.providers.anonymous.AnonymousProcessingFilter@2da5a6'
    [DEBUG,AnonymousProcessingFilter,http-8080-Processor24] SecurityContextHolder not populated with anonymous token, as it already contained: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@af4a015b: Username: org.acegisecurity.userdetails.User@bc4300: Username: marissa; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: BFB56E5341C13D8D10CB9D461ED14A9E; Granted Authorities: ROLE_SUPERVISOR'
    [DEBUG,FilterChainProxy,http-8080-Processor24] /secure/index.jsp at position 7 of 8 in additional filter chain; firing Filter:'org.acegisecurity.ui.ExceptionTranslationFilter@d647d8'
    [DEBUG,FilterChainProxy,http-8080-Processor24] /secure/index.jsp at position 8 of 8 in additional filter chain; firing Filter: 'org.acegisecurity.intercept.web.FilterSecurityInterceptor@6cef4'
    [DEBUG,PathBasedFilterInvocationDefinitionMap,http-8080-Processor24] Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
    [DEBUG,PathBasedFilterInvocationDefinitionMap,http-8080-Processor24] Candidate is: '/secure/index.jsp'; pattern is /secure/extreme/**; matched=false
    [DEBUG,PathBasedFilterInvocationDefinitionMap,http-8080-Processor24] Candidate is: '/secure/index.jsp'; pattern is /secure/**; matched=true
    [DEBUG,AbstractSecurityInterceptor,http-8080-Processor24] Secure object: FilterInvocation: URL: /secure/index.jsp; ConfigAttributes: [IS_AUTHENTICATED_REMEMBERED]
    [DEBUG,AbstractSecurityInterceptor,http-8080-Processor24] Previously Authenticated: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@af4a015b: Username: org.acegisecurity.userdetails.User@bc4300: Username: marissa; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: BFB56E5341C13D8D10CB9D461ED14A9E; Granted Authorities: ROLE_SUPERVISOR
    [DEBUG,AbstractSecurityInterceptor,http-8080-Processor24] Authorization successful
    [DEBUG,AbstractSecurityInterceptor,http-8080-Processor24] RunAsManager did not change Authentication object
    [DEBUG,FilterChainProxy,http-8080-Processor24] /secure/index.jsp reached end of additional filter chain; proceeding with original chain
    [DEBUG,ExceptionTranslationFilter,http-8080-Processor24] Chain processed normally
    [DEBUG,HttpSessionContextIntegrationFilter,http-8080-Processor24] SecurityContextHolder now cleared, as request processing completed

  6. #6
    Join Date
    Jul 2005
    Location
    Geneva (Switzerland)
    Posts
    304

    And could you please also post your ACEGI configuration (and other relevant bits if there are any)?

  7. #7
    Join Date
    Aug 2006
    Posts
    18

    Quote (originally posted by gehel):
    And could you please also post your ACEGI configuration (and other relevant bits if there are any)?

    Please find the attached configuration file.

  8. #8
    Join Date
    Mar 2008
    Posts
    8

    Hello,

    Did you ever get this figured out? I'm having the same issue.

    Thanks!

    Kelly

  9. #9
    Join Date
    Aug 2006
    Posts
    18

    Quote (originally posted by Runt888):
    Hello,

    Did you ever get this figured out? I'm having the same issue.

    Thanks!

    Kelly

    No, my friend. Not yet.

    Thanks

  10. #10
    Join Date
    Mar 2008
    Posts
    8

    I actually figured it out. It looks like Firefox shares one session between all open windows. I had a Firefox window minimized, so it was keeping the session open when I went back to my site. Once I closed all of the windows, it behaved like I expected.

    Kelly
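
Added example (not part of the thread and not Acegi code): a small parser for the `[LEVEL,Logger,thread] message` lines posted in #5 that reports, per request, which filter supplied the Authentication. The session-restore message is quoted from that log; the remember-me and anonymous "populated" messages, the function name and the sample lines are assumptions constructed for illustration.

```python
import re

# Log layout used in the thread: [LEVEL,LoggerName,thread] message
LINE = re.compile(r"^\[(\w+),(\w+),([^\]]+)\]\s+(.*)$")
# First fragment is quoted from the thread's log; the remember-me and anonymous
# fragments are assumed wordings for the cases the thread's log does not show.
SOURCES = [
    ("HttpSessionContextIntegrationFilter", "Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT", "http-session"),
    ("RememberMeProcessingFilter", "SecurityContextHolder populated with remember-me token", "remember-me-cookie"),
    ("AnonymousProcessingFilter", "Populated SecurityContextHolder with anonymous token", "anonymous"),
]
END = "SecurityContextHolder now cleared"  # last line logged for a request


def auth_sources(log_text):
    """Return one dict per completed request: thread, source, user, session_id."""
    open_reqs, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, logger, thread, msg = m.groups()
        req = open_reqs.setdefault(
            thread, {"thread": thread, "source": "unknown", "user": None, "session_id": None})
        for src_logger, fragment, source in SOURCES:
            # The first filter that populates the context decides the source.
            if req["source"] == "unknown" and logger == src_logger and fragment in msg:
                req["source"] = source
                user = re.search(r"Username: (\w+);", msg)
                sid = re.search(r"SessionId: ([0-9A-F]+)", msg)
                req["user"] = user.group(1) if user else None
                req["session_id"] = sid.group(1) if sid else None
        if END in msg:
            done.append(open_reqs.pop(thread))
    return done


# Constructed sample: shortened lines in the thread's format (not the full log).
SAMPLE = """\
[DEBUG,HttpSessionContextIntegrationFilter,http-8080-Processor24] Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT to associate with SecurityContextHolder: 'Username: marissa; SessionId: BFB56E5341C13D8D10CB9D461ED14A9E'
[DEBUG,RememberMeProcessingFilter,http-8080-Processor24] SecurityContextHolder not populated with remember-me token, as it already contained: 'Username: marissa;'
[DEBUG,HttpSessionContextIntegrationFilter,http-8080-Processor24] SecurityContextHolder now cleared, as request processing completed
[DEBUG,RememberMeProcessingFilter,http-8080-Processor7] SecurityContextHolder populated with remember-me token: 'Username: marissa;'
[DEBUG,HttpSessionContextIntegrationFilter,http-8080-Processor7] SecurityContextHolder now cleared, as request processing completed
"""

if __name__ == "__main__":
    for request in auth_sources(SAMPLE):
        print(request["thread"], request["source"], request["user"], request["session_id"])
```

A result of `http-session` means the browser sent a session cookie for a server-side session that was still alive, which matches the explanation in #10 rather than a remember-me login.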
