Thread: HttpInvoker and Session closing

  1. #1
    Join Date
    Jun 2007
    Posts
    16

    HttpInvoker and Session closing

    I'm trying to get Spring-Security to play nice with HttpInvoker remoting (called via Swing application, but that's fairly irrelevant).

    I've got the basics working more or less how I want it using HTTP Basic authentication. However, I see this warning every time I call the server:

    Code:
    23/12/2009 23:25:40 org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper createNewSessionIfAllowed
    WARNING: Failed to create a session, as response has been committed. Unable to store SecurityContext.

    I'm about to try and do some more fancy stuff that will involve the session (I have a crazy plan that might just allow me to not use the awful http basic stuff), so I'd like to fix this first. Does anyone know why I would be getting this, or what to do about it?

    Even though I get this error, everything works perfectly. I suspect this is because with HTTP basic, I'm passing up the credentials every time so the absence of the session is not a problem.

    My main application context is:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xsi:schemaLocation=
                   "http://www.springframework.org/schema/beans
                   http://www.springframework.org/schema/beans/spring-beans.xsd
                   http://www.springframework.org/schema/security
                   http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <bean id="secureService"
              class="com.j2md.playtime.spring.security.server.SecureServiceImpl">
            <property name="authenticationManager" ref="authenticationManager"/>
        </bean>    
    
        <security:global-method-security pre-post-annotations="enabled">
        </security:global-method-security>
    
        <security:http use-expressions="true">
            <security:http-basic/>
        </security:http>
    
        <security:authentication-manager alias="authenticationManager">
            <security:authentication-provider>
                <security:user-service>
                    <security:user name="testuser1" password="password"
                              authorities="ROLE_USER"/>
                    <security:user name="testuser2" password="password"
                              authorities="ROLE_ADMIN"/>
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>
    </beans>

    My servlet application context exposes the service as an HttpInvoker:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:sec="http://www.springframework.org/schema/security"
           xsi:schemaLocation=
                   "http://www.springframework.org/schema/beans
                   http://www.springframework.org/schema/beans/spring-beans.xsd
                   http://www.springframework.org/schema/security
                   http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <bean name="/**/SecureService"
              class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
            <property name="service" ref="secureService"/>
            <property name="serviceInterface" value="com.j2md.playtime.spring.security.server.SecureService"/>
        </bean>
    
    </beans>

    The underlying service is pretty unexciting. Just a hello-world-like POJO with some PreAuthorisation annotations on it.

    My web.xml looks like this:

    Code:
    <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    
        <display-name>Spring Security Experiment</display-name>
    
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
    
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/applicationContext.xml</param-value>
        </context-param>
    
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
    
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/service/*</url-pattern>
        </filter-mapping>
        
        <servlet>
            <servlet-name>serviceExporter</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>/WEB-INF/serviceExporter-servlet.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
    
        <servlet-mapping>
            <servlet-name>serviceExporter</servlet-name>
            <url-pattern>/service/*</url-pattern>
        </servlet-mapping>
    
    </web-app>

  2. #2
    Luke Taylor (Senior Member; Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Use

    Code:
    <http create-session='never'>
    If your application is stateless.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Join Date
    Jun 2007
    Posts
    16

    Thanks for the quick reply Luke!

    Using session-create='never' made the warning go away and works well for the standard HTTP Basic authentication.

    I do want a session however, since I'm replacing HTTP Basic with a LoginService POJO (much more desktop-client friendly, none of that nasty web stuff and I don't have to pass the creds on every call). Using session-create='always' seems to do the job. I can't see any major drawbacks to this.

    I've now just got to figure out how to stop spring-security complaining that I have no AuthenticationEntryPoint configured once I turn off HTTP Basic. I guess I could just leave Basic on, since it doesn't do any harm. Something to look at after xmas

    Cheers for your help!
    Daniel.



    Originally posted by Luke Taylor:
    Use

    Code:
    <http create-session='never'>
    If your application is stateless.
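
The two session policies discussed in this thread, as an added example that is not part of the original posts or of Spring's own samples. It assumes the Spring Security 3.0 namespace, where the attribute on the http element is spelled create-session; the login exporter path /service/loginservice and the bean id forbiddenEntryPoint are hypothetical names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: variant of the thread's applicationContext.xml (secureService bean omitted). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation=
               "http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security pre-post-annotations="enabled"/>

    <!-- Variant 1 (post #2), commented out because Spring Security 3.0 accepts
         only one http element: stateless HTTP Basic, no session ever created.

    <security:http use-expressions="true" create-session="never">
        <security:intercept-url pattern="/service/**" access="isAuthenticated()"/>
        <security:http-basic/>
    </security:http>
    -->

    <!-- Variant 2 (post #3): session-backed login, HTTP Basic removed.
         create-session="always" opens the session at the start of the request,
         before the exporter commits the response. entry-point-ref provides the
         AuthenticationEntryPoint that no login mechanism now supplies. -->
    <security:http use-expressions="true" create-session="always"
                   entry-point-ref="forbiddenEntryPoint">
        <!-- Hypothetical login exporter URL, open to unauthenticated callers.
             Written in lower case: 3.0 lower-cases the request path before
             matching unless lowercase-comparisons="false" is set. -->
        <security:intercept-url pattern="/service/loginservice" access="permitAll"/>
        <security:intercept-url pattern="/service/**" access="isAuthenticated()"/>
    </security:http>

    <!-- Replies 403 to unauthenticated calls: no Basic challenge, no redirect. -->
    <bean id="forbiddenEntryPoint"
          class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <!-- Test users as in post #1. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:user-service>
                <security:user name="testuser1" password="password"
                               authorities="ROLE_USER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```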
