Hi guys,
As Luke suggested in http://forum.springsource.org/showthread.php?t=79341 I have stopped defining my own _authenticationManager bean, and defined a security:authentication-manager like this:
Code:
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userService">
        <security:password-encoder hash="plaintext"/>
    </security:authentication-provider>
</security:authentication-manager>

<security:http auto-config="true">
    <security:http-basic/>
    <security:intercept-url pattern="/restricted/my/**" filters="ROLE_ADMIN,ROLE_USER"/>
</security:http>
Does this look correct, or am I missing something or doing something wrong?
I use Spring Core and Spring Security 3.0.0.RC1, and my REST controllers usually have the sequence of using SecurityContextHolder.getContext().getAuthentication().getName() to look up the user in the UserDAO and check that it has access to this resource. If it has that, do the required actions of using other services (that use other DAOs) to perform the desired action. Does this sound all right?
My userService.lookupUser(String name) is simply "return DAO.read(name);"
My controller function thus looks like this:
Code:
@RequestMapping(value="my/path/{ID}", method = RequestMethod.GET)
public ModelAndView getMyPathWithID(@PathVariable Integer ID) {
    ModelAndView mav = new ModelAndView(jsonView);
    if(userService.lookupUser(SecurityContextHolder.getContext().getAuthentication().getName()).canAccess(ID)) {
        ....
    } else
        mav.addObject("Error", "Access denied");
    return mav;
}
Running this by itself works great, I get the data back in a hurry and the data are correct and if I authenticate with a user that doesn't have access, he is denied.
But! When running two identical requests at the same time, one will work as expected, and one will fail, apparently by having its database connection closed during execution:
Code:
java.util.ConcurrentModificationException
    at java.util.LinkedHashMap$LinkedHashIterator.nextEntry(LinkedHashMap.java:373)
    at java.util.LinkedHashMap$ValueIterator.next(LinkedHashMap.java:388)
    at org.hibernate.engine.StatefulPersistenceContext.afterTransactionCompletion(StatefulPersistenceContext.java:253)
    at org.hibernate.impl.SessionImpl.afterTransactionCompletion(SessionImpl.java:450)
    at org.hibernate.jdbc.JDBCContext.afterNontransactionalQuery(JDBCContext.java:271)
    at org.hibernate.impl.SessionImpl.afterOperation(SessionImpl.java:444)
    at org.hibernate.impl.SessionImpl.list(SessionImpl.java:1604)
    at org.hibernate.impl.CriteriaImpl.list(CriteriaImpl.java:306)
    at tld.mydomain.business.UserServiceImpl.lookupUser(UserServiceImpl.java:35)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
    at $Proxy22.lookupUser(Unknown Source)
It happens that I get other, similar errors. The following exception is from the { ... } code where I simply look up the paths for this user using the PathService, and limit it by ID. Again it is quite simple:
Code:
return DAO.getSession().createCriteria(Path.class)
        .setResultTransformer(Criteria.DISTINCT_ROOT_ENTITY)
        .addOrder(Order.asc("pathName"))
        .add(Restrictions.isNotEmpty("items"))
        .list();
But this fails and gives a similar error to the one just mentioned:
Code:
org.hibernate.SessionException: Session is closed!
    at org.hibernate.impl.AbstractSessionImpl.errorIfClosed(AbstractSessionImpl.java:72)
    at org.hibernate.impl.SessionImpl.getBatcher(SessionImpl.java:287)
    at org.hibernate.loader.Loader.doQuery(Loader.java:749)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:259)
    at org.hibernate.loader.Loader.doList(Loader.java:2228)
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2125)
    at org.hibernate.loader.Loader.list(Loader.java:2120)
    at org.hibernate.loader.criteria.CriteriaLoader.list(CriteriaLoader.java:118)
    at org.hibernate.impl.SessionImpl.list(SessionImpl.java:1596)
    at org.hibernate.impl.CriteriaImpl.list(CriteriaImpl.java:306)
    at org.hibernate.impl.CriteriaImpl$Subcriteria.list(CriteriaImpl.java:481)
    at tld.mydomain.business.PathServiceImpl.pathsForSingleUser(PathServiceImpl.java:65)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
    at $Proxy24.vejeWithByggesag(Unknown Source)
    at tld.mydomain.view.web.controller.RestrictedController.getMyPathViaID(RestrictedController.java:79)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
When I used my _authenticationManager, this worked great, but now I seem to be closing database sessions too often, even though I don't have any of my own code closing any as far as I'm aware. Any suggestions as to what is going on and what I can do about it?
The rest of my config files are quite similar to what can be found in my sample app: http://github.com/niklassaers/Sample...bRoot/WEB-INF/
Cheers
Nik


