
Thread: strange remember-me behaviour

  1. #1
    Join Date
    Jun 2007
    Posts
    14

    strange remember-me behaviour

    hi,

    I'm using spring security 2.0 in combination with JSF.

    There is a real strange behaviour when I'm trying to use the final step of the remember-me feature. Let me explain in more detail:

    1. I log in to my application successfully via a form; this brings me to the secured area
    2. I close the browser
    3. I successfully check that the cookie is set
    4a. I reopen the browser and try to get access to the secured area => this works

    LOG:
    Code:
    Authentication event AuthenticationSuccessEvent: user@test.com; details: org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null
    Authentication event InteractiveAuthenticationSuccessEvent: user@test.com; details: org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null
    Security authorized for authenticated principal: org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@4f2c9185: Principal: org.springframework.security.userdetails.User@b07ed00: Username: user@test.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER, user; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_USER, user; secure object: FilterInvocation: URL: /profiles/index.jsf; configuration attributes: [ROLE_USER]
    5a. BUT: I have a managed bean that gets the username for me, so that I can write something like this in the facelet *.xhtml files of the secured area:

    Code:
    <p>Hello #{authenticationController.user.username}</p>
    The beans method is like this:

    Code:
    public User getUser() {
            final HttpServletRequest request = getRequest();
            SecurityContextImpl  securityContextHolder = (SecurityContextImpl) request.getSession().getAttribute( HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY );
            Authentication auth = securityContextHolder.getAuthentication();
            return (User) auth.getPrincipal();
        }
    AND THIS delivers a NullPointerException (on securityContextHolder.getAuthentication()).
    Note that it does work when I do a normal login and then go to this page (steps 1+2).


    4b. And here is another strange thing:
    After reopening the browser I tried to go to the public area first and then go to the secured area => Now this works (NO NullPointer anymore)

    Really strange, and I can't really figure out why.

    I'd appreciate any hints!

    Thanks in advance


    My Securitycontext is like this:

    Code:
        <http auto-config="false" >
            <intercept-url pattern="/profiles/**" access="ROLE_USER"/>    
            <form-login login-page="/login.jsf"/>
            <logout />
            <remember-me key="rememberMeKey" user-service-ref="userService" />
        </http>
    
    ...
    Last edited by callisto; May 5th, 2008 at 06:44 AM.

  2. #2
    Join Date
    Jun 2007
    Posts
    14


    I think that the failure, the strange behaviour, happens because of the invalid/not-present session (in the logs it says: "SessionId: null").

    Therefore the SecurityContextHolder can't be taken out of the session...

    But why is this? Why is there NO session present?

    Is there a possible workaround (say, to initiate a session and link it to the RememberMeAuthenticationToken manually)?

    Again, thanks in advance

  3. #3
    Join Date
    Jun 2007
    Posts
    14


    I still have the same problem and am massively lacking possible solutions now...

    Here is my full securityContext:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">  
        
        <http auto-config="false" session-fixation-protection="none">
            <intercept-url pattern="/profiles/**" access="ROLE_USER"/>    
            <form-login login-page="/login.jsf"/>
            <logout />
            <remember-me key="rememberMeKey" user-service-ref="userService" />
        </http>
        
        <authentication-provider user-service-ref="userService">
            <password-encoder hash="md5" />
        </authentication-provider>
        
        <beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
            <beans:property name="resourceRef" value="false"/>
            <beans:property name="jndiName" value="pgdb" />
        </beans:bean>
        
        <beans:bean id="userService" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
            <beans:property name="dataSource" ref="dataSource" />
            <beans:property name="usersByUsernameQuery">
                <beans:value>
                    SELECT email AS username, password, enabled FROM user WHERE email = ?
                </beans:value>
            </beans:property>
            <beans:property name="authoritiesByUsernameQuery">
                <beans:value>
                    SELECT u.email AS username, r.userrole AS authority FROM user u JOIN user2userrole r ON (u.email = r.email) WHERE u.email = ?
                </beans:value>
            </beans:property>
        </beans:bean>
        
        <authentication-manager alias="authenticationManager"/>
        
        <beans:bean id="authenticationController" class="com.test.user.security.AuthenticationController" scope="session">
            <beans:property name="authenticationManager" ref="authenticationManager" />
            <beans:property name="rememberMeServices" ref="_rememberMeServices" />
        </beans:bean>
        
        
        <!-- These beans are optional; they aren't used by any other bean as they only listen and log -->
        <beans:bean id="loggerListenerAuthentication" class="org.springframework.security.event.authentication.LoggerListener"/>
        <beans:bean id="loggerListenerAuthorization"  class="org.springframework.security.event.authorization.LoggerListener"/>
    </beans:beans>
    Any hints?

    best regards

  4. #4
    Join Date
    Jun 2007
    Posts
    14

    it's working

    Finally, I got it working.

    Instead of getting the Authentication object out of the http session via

    Code:
    final HttpServletRequest request = getRequest();
    SecurityContextImpl  securityContextHolder = (SecurityContextImpl) request.getSession().getAttribute( HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY );
    Authentication auth = securityContextHolder.getAuthentication();
    I now use the static method of SecurityContextHolder:

    Code:
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    which works fine.

    But there is still a question that bothers me, since I'm using the first approach in another piece of code:

    What's the exact difference between those two?
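The difference asked about in #4 (and the "SessionId: null" observation in #2) comes down to where each lookup reads from. `SecurityContextHolder` is a thread-local that the filter chain fills at the start of every request: `HttpSessionContextIntegrationFilter` copies a context out of the session if one is stored there, and `RememberMeProcessingFilter` writes its `RememberMeAuthenticationToken` straight into that holder when it accepts the cookie. The session attribute, on the other hand, is only written back by `HttpSessionContextIntegrationFilter` when the request finishes. So on the very first request after reopening the browser there is no session at all yet; `getSession()` creates an empty one, the attribute is absent, and the cast result is null, which is the NPE in #1. Visiting the public area first completes one request, at the end of which the filter stores the context into the new session, so the next request to the secured area finds the attribute (the 4b case). The following is an added example, not code from the thread or from Spring Security, showing a null-safe version of the controller bean built on the thread-local lookup, with the session lookup kept only for comparison. It assumes Spring Security 2.0 package names, the `com.test.user.security` package from the bean definition above, and obtains the request through JSF's `ExternalContext` instead of the thread's unshown `getRequest()` helper; the original bean's `authenticationManager` and `rememberMeServices` properties are omitted because they are not needed for the lookup.

```java
package com.test.user.security; // package taken from the thread's bean definition; the rest is assumed

import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.Authentication;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
import org.springframework.security.providers.rememberme.RememberMeAuthenticationToken;
import org.springframework.security.userdetails.UserDetails;

/**
 * Session-scoped JSF managed bean (hypothetical rewrite of the thread's
 * AuthenticationController). Only the thread-local lookup is reliable on the
 * first request after a remember-me login; the session lookup is kept here
 * purely to show where it comes back null.
 */
public class AuthenticationController {

    /**
     * Preferred lookup. HttpSessionContextIntegrationFilter copies any stored
     * context into the thread-local holder at the start of each request, and
     * RememberMeProcessingFilter sets its token on the same holder, so this is
     * populated even when no HttpSession exists yet.
     */
    public UserDetails getUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            return null; // not logged in: let the page render a guest view instead of failing
        }
        Object principal = auth.getPrincipal();
        // Some providers place a plain String principal in the token; don't blindly cast.
        return principal instanceof UserDetails ? (UserDetails) principal : null;
    }

    /** Convenience for the view: #{authenticationController.displayName}. */
    public String getDisplayName() {
        UserDetails user = getUser();
        return user == null ? "guest" : user.getUsername();
    }

    /**
     * True when the current authentication came from the remember-me cookie rather
     * than an interactive login. A page can use this to ask for a fresh password
     * before sensitive actions even though the user counts as logged in.
     */
    public boolean isRememberMeAuthenticated() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth instanceof RememberMeAuthenticationToken;
    }

    /**
     * The thread's original approach, made null-safe for comparison. The filter
     * stores the context in the session only when the request finishes, so during
     * the first remember-me request this returns null: no session exists yet
     * ("SessionId: null" in the log), and a freshly created one has no attribute.
     */
    public Authentication getAuthenticationFromSession() {
        HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance()
                .getExternalContext().getRequest();
        HttpSession session = request.getSession(false); // never force a session just to read it
        if (session == null) {
            return null;
        }
        SecurityContext ctx = (SecurityContext) session.getAttribute(
                HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY);
        return ctx == null ? null : ctx.getAuthentication();
    }
}
```

Two practical consequences for the "other piece of code" mentioned in #4: anything that reads the session attribute directly will see stale or missing data whenever the security context was changed during the current request (remember-me, a programmatic login, or a logout), and it also ties that code to the filter's storage key, which is an implementation detail. Reading through `SecurityContextHolder` avoids both, and the `isRememberMeAuthenticated()` check gives a cheap way to treat cookie-based logins as less trusted than a fresh form login.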
