I forgot to mention the special case when this exception occurs:
the server sends automated emails via localhost (postfix);
when a remembered user tries to access any link from the email after a period of time,
the exception occurs.
There's something I am missing too:
how is the cookie saved on the user's PC when using the persistent token approach?
I noticed that the cookie is inserted automatically in the persistent_logins table when the user hits "remember me", but what about the user's PC?
The documentation says:
Note that both implementations (Simple Hash-Based Token Approach, Persistent Token Approach) require a UserDetailsService. I am using a jdbc-user-service; might that cause the problem?
Code:
<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <password-encoder hash="md5"/>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
</authentication-manager>
Please attach logs as requested!
Peter Mularien | Blog
Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
SCJP 5, Oracle DBA
Any postings are my own opinion, and should not be attributed to my employer or clients.
The log shows only the exception:
But you didn't tell me: isn't the jdbc-user-service the UserDetailsService the tutorial recommended (both implementations require a UserDetailsService)?
Code:
org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:90)
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.autoLogin(AbstractRememberMeServices.java:87)
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:77)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
And should I include any other attributes in the remember-me element?
No, your configuration looks fine, as far as I can tell. Please enable DEBUG logging and post the logs. Can you confirm that you have only one Spring Sec application deployed to this app server?
The Tomcat app server contains more than one application, each using its own Spring Security.
I tried testing the application on a separate Tomcat app server that contains only my application and it works fine, so what's your opinion on what was causing this exception?
OK, I will test updating all the apps.
This is the debug info when the exception occurs:
I am using a custom filter; its position is last and it checks whether some data exists in the session. Might that cause the problem?
Code:
DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 1 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@560be823'
DEBUG http-8082-2 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
DEBUG http-8082-2 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 2 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@34a45fc1'
DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 3 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@138a92e7'
DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 4 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@6eb285b6'
DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 5 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@a68a881'
DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 6 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter@7f0cd67f'
DEBUG http-8082-2 org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Remember-me cookie detected
DEBUG http-8082-2 org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Cancelling cookie
DEBUG http-8082-2 org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession is null, but SecurityContext has not changed from default empty context: ' org.springframework.security.core.context.SecurityContextImpl@ffffffff: Null authentication'; not creating HttpSession or storing SecurityContext
DEBUG http-8082-2 org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Or is it something else?
So, any help with the debug?
Why is the cookie cancelled after it's detected?
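A stand-alone model of the series/token scheme behind the persistent token approach, added here as an example (not Spring Security's own code, and not from any poster in this thread) to illustrate the two questions above: what the browser-side cookie holds relative to persistent_logins, and why a token mismatch ends with the cookie being cancelled. The class and method names below are made up; the real implementation lives in PersistentTokenBasedRememberMeServices and a PersistentTokenRepository.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Model of the persistent-token scheme (example code, not Spring's).
// The browser cookie holds only (series, token); the server keeps the same
// pair per user in persistent_logins. Neither side holds the password.
public class RememberMeModel {
    static final class Row { String user; String token; Row(String u, String t) { user = u; token = t; } }
    private final Map<String, Row> persistentLogins = new HashMap<>(); // keyed by series

    // Interactive login with "remember me": one row is inserted and the
    // cookie value "series:token" is sent to the browser (base64 in reality).
    public String login(String user) {
        String series = UUID.randomUUID().toString();
        String token = UUID.randomUUID().toString();
        persistentLogins.put(series, new Row(user, token));
        return series + ":" + token;
    }

    // Auto-login on a later request. Returns the rotated cookie on success.
    public String autoLogin(String cookie) {
        String[] parts = cookie.split(":");
        Row row = persistentLogins.get(parts[0]);
        if (row == null) throw new IllegalStateException("No persistent token found for series");
        if (!row.token.equals(parts[1])) {
            // Series is known but the token is stale: the same cookie was used
            // twice. All series for that user are removed and the cookie is
            // cancelled (the "Cancelling cookie" debug line), then a
            // CookieTheftException-style error is raised.
            persistentLogins.values().removeIf(r -> r.user.equals(row.user));
            throw new SecurityException("Invalid remember-me token (Series/token) mismatch");
        }
        row.token = UUID.randomUUID().toString(); // token rotates on every successful use
        return parts[0] + ":" + row.token;        // new cookie written back to the browser
    }

    public static void main(String[] args) {
        RememberMeModel m = new RememberMeModel();
        String c1 = m.login("alice");
        String c2 = m.autoLogin(c1);    // ok: token rotated, fresh cookie issued
        try { m.autoLogin(c1); }        // old cookie replayed: mismatch, all series wiped
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        try { m.autoLogin(c2); }        // even the fresh cookie is dead now
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

The second replay shows why a stale cookie anywhere (for instance one issued by a different deployment that shares the same cookie name or table) looks identical to theft from the server's point of view.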