OK, here is the problem.
I am using the Spring Security framework and have it plugged in. Here is my web.xml:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>YAPrApp</display-name>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      classpath:com/sherwin/sd/product/yapr/applicationContext.xml
      classpath:com/sherwin/product/applicationContext.xml
      classpath:com/sherwin/sd/product/yapr/securityContext.xml
    </param-value>
  </context-param>
  <!-- START FILTERS -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <!-- DelegatingFilterProxy looks up the Spring bean with the same name as this filter -->
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <!-- "/*" is the servlet path mapping for every request; a bare "*" is an exact-match pattern -->
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <listener>
    <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
  </listener>
</web-app>
Here is my securityContext.xml:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
  <!-- Note: this bean id is the name the DelegatingFilterProxy in web.xml delegates to -->
  <bean id="springSecurityFilterChain" class="com.sherwin.sd.security.PreAuthenticatedProcessingFilter">
    <security:custom-filter position="PRE_AUTH_FILTER" />
    <property name="principalRequestHeader" value="eid" />
    <property name="authenticationManager" ref="authenticationManager" />
  </bean>
  <bean id="authenticationProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    <security:custom-authentication-provider />
    <property name="preAuthenticatedUserDetailsService">
      <bean id="userDetailsServiceWrapper" class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
        <property name="userDetailsService" ref="userDetailsService" />
      </bean>
    </property>
  </bean>
  <bean id="userDetailsService" class="com.sherwin.sd.security.CustomUserDetailsService">
    <property name="userTypeService" ref="userTypeService" />
    <property name="userService" ref="userService" />
  </bean>
  <security:authentication-manager alias="authenticationManager" />
</beans>
My app allows anonymous users, so I hit the page first without signing in. So my PreAuthenticatedProcessingFilter returns "0", which is the id of our anonymous user. This creates a context token for anonymous, and I see it print out on my console. Notice the username is "0" and the session id is some value.
Code:
2009-02-34+16:34:30 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@86f7d3eb: Principal: com.sherwin.sd.security.CustomUserDetails@5e21800: Username: 0; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: anonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 148.141.17.108; SessionId: wDb1JL4FKLYHfT4dJKsm5cVJtHN3f1JxybQ8wynPjp57RJQcQ3nM!1918274515!1233696869125; Granted Authorities: anonymous
NOW, I log in. My login action is as follows. It invalidates the session and does what I think logs out the current anonymous user.
Code:
import org.springframework.security.ui.logout.SecurityContextLogoutHandler;

// Invalidate the HTTP session and clear the current Authentication from the context
SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
logoutHandler.setInvalidateHttpSession(true);
logoutHandler.logout(getServletRequest(), getServletResponse(), getSpringAuthentication());
This should log me out of my current Spring Security user, right?
Anyway, it creates a new context token as shown below, and now my console spools off multiple messages of secure context tokens existing.
I see this now, but also my old one too. I thought that got killed, but it looks OK because it's associated with an old session ID, right? Wrong, see the problem below.
Also notice there is more than one. What's the deal with that?
THE PROBLEM.
Code:
2009-02-34+17:01:11 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@d80b8408: Principal: com.sherwin.sd.security.CustomUserDetails@7c098000: Username: 390459036; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: BRAND_3m, DOMAIN_8, anonymous, brand_mgr, domain_mgr, sys_admin; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 148.141.17.108; SessionId: 8RnxJL9QwjpxtSR91qhn6qL5KwpMJGZrJ9v0QWgk4szjBJ1fzMhD!62980229!1233698192406; Granted Authorities: BRAND_3m, DOMAIN_8, anonymous, brand_mgr, domain_mgr, sys_admin
2009-02-34+17:01:11 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@86f73101: Principal: com.sherwin.sd.security.CustomUserDetails@5e21800: Username: 0; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: anonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 148.141.17.108; SessionId: QnpKJL2B99Fz2HBsZdPJCZvlGkl9JdlyND1PpnwhvDtr3HfDG2Jb!62980229!1233698369593; Granted Authorities: anonymous
2009-02-34+17:01:11 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@86f75b73: Principal: com.sherwin.sd.security.CustomUserDetails@5e21800: Username: 0; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: anonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@ffffe21a: RemoteIpAddress: 148.141.17.108; SessionId: B26CJL9JKng7VkBbvQBmd6wcJVQnJQn2N04YhXD8ZqXG45yHZRB0!62980229!1233698260343; Granted Authorities: anonymous
2009-02-34+17:01:11 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@86f75b73: Principal: com.sherwin.sd.security.CustomUserDetails@5e21800: Username: 0; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: anonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@ffffe21a: RemoteIpAddress: 148.141.17.108; SessionId: B26CJL9JKng7VkBbvQBmd6wcJVQnJQn2N04YhXD8ZqXG45yHZRB0!62980229!1233698260343; Granted Authorities: anonymous
2009-02-34+17:01:12 PreAuthenticatedProcessingFilter [DEBUG] Checking secure context token: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@86f75b73: Principal: com.sherwin.sd.security.CustomUserDetails@5e21800: Username: 0; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: anonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@ffffe21a: RemoteIpAddress: 148.141.17.108; SessionId: B26CJL9JKng7VkBbvQBmd6wcJVQnJQn2N04YhXD8ZqXG45yHZRB0!62980229!1233698260343; Granted Authorities: anonymous
If I keep refreshing the page over and over again after logging in, it randomly gives me a context token of its choosing.
This is the code that returns an authentication user at random:
Code:
import java.util.Arrays;
import java.util.List;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;

// Reads whatever Authentication the holder currently carries for this thread
SecurityContext securityContext = SecurityContextHolder.getContext();
List<GrantedAuthority> authorities = Arrays.asList(securityContext.getAuthentication().getAuthorities());
So sometimes it registers me as my logged-in user, and sometimes it gives me the anonymous user. BUT how is this possible, because the anonymous user is registered with a session id I am no longer part of? I checked my cookies, and the anonymous user is for my old session, not my current one. Why is this happening?
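Added example, not code from the post above. It models one mechanism by which a token tied to an old session can show up in a later, unrelated request: a per-thread security context (like SecurityContextHolder's default thread-local strategy) that is never cleared when a request ends, so a pooled worker thread carries it into whatever request it serves next. The ThreadLocal stand-in, the thread pool and the two "requests" are assumptions for the demonstration; whether this is what happens in the poster's setup is not established by the post.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added example: simulates a per-thread security context served by a pooled
// worker thread, with and without clearing the context at the end of a request.
public class StaleContextDemo {
    // Hypothetical stand-in for SecurityContextHolder in thread-local mode:
    // one principal per worker thread, surviving until explicitly removed.
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<String>();

    // A request that only reads: reports whichever principal the thread already carries.
    static String handleRead() {
        String principal = CONTEXT.get();
        return principal == null ? "none" : principal;
    }

    // A request that authenticates as `principal`. The finally block is the
    // end-of-request cleanup an integration filter is responsible for; when it
    // is skipped, the principal stays attached to the worker thread.
    static void handleLogin(String principal, boolean clearAtEnd) {
        try {
            CONTEXT.set(principal);
        } finally {
            if (clearAtEnd) {
                CONTEXT.remove();
            }
        }
    }

    // Runs a login request (anonymous user "0", first session) followed by a
    // read request (a later session) on the same pooled thread, and returns
    // what the later request observed.
    static String runScenario(boolean clearAtEnd) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            pool.submit(() -> handleLogin("0", clearAtEnd)).get();
            return pool.submit(StaleContextDemo::handleRead).get();
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Without cleanup the later request inherits "0"; with cleanup it sees "none".
        System.out.println("without clearing at request end: " + runScenario(false));
        System.out.println("with clearing at request end:    " + runScenario(true));
    }
}
```

The defensive check this suggests is to confirm that every request passing through the security filter ends with the context holder cleared, independently of whether the session was invalidated.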


