Hi Ben,
Thanks for the helpful pointers, but I'm still having problems:
1. Yes, the Contacts sample app works fine.
2. I am not doing anything special with HttpSessions or any threads or the ContextHolder.
3. Here are the log messages:
----- When I try to access a protected page directly (http://localhost:8080/action/project/editor) using my default browser (firefox):
2004-09-26 02:35:59,093 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)>
2004-09-26 02:35:59,140 DEBUG [net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint] - <Redirecting to: http://localhost:8080/action/security/login/form>
2004-09-26 02:35:59,156 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <ContextHolder does not contain any authentication information>
2004-09-26 02:35:59,203 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)>
2004-09-26 02:35:59,531 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <ContextHolder does not contain any authentication information>
----- I get redirected to the login page, then when I successfully log in, I get:
2004-09-26 02:36:34,453 DEBUG [net.sf.acegisecurity.ui.AbstractProcessingFilter] - <Request is to process authentication>
2004-09-26 02:36:36,734 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: 127.0.0.1>
2004-09-26 02:36:36,781 DEBUG [net.sf.acegisecurity.ui.AbstractProcessingFilter] - <Authentication success: [EMAIL PROTECTED]: Username: adminuser; Password: [PROTECTED]; Authenticated: false; Details: null; Granted Authorities: LEVEL_ANY, LEVEL_GROUP>
2004-09-26 02:36:36,781 DEBUG [net.sf.acegisecurity.ui.AbstractProcessingFilter] - <Redirecting to target URL from HTTP Session (or default): http://localhost:8080/action/project/editor>
2004-09-26 02:36:36,796 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:38,843 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:36:46,578 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:36:48,343 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:36:50,140 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:36:50,640 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:50,671 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:36:50,671 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:36:50,703 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:50,703 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:36:50,750 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:50,750 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:36:50,750 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:50,750 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:36:50,765 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:50,765 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:36:50,781 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:50,781 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:36:50,781 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:50,781 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:36:50,781 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:50,781 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:50,781 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:36:50,781 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:36:50,828 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:52,656 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:36:53,203 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:55,953 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:36:58,109 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
----- I close the browser (firefox), open a different browser (internet explorer) and try to call the protected page directly (http://localhost:8080/action/project/editor)... the protected page shows up as if I were still logged in:
2004-09-26 02:37:34,718 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)>
2004-09-26 02:37:36,609 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:37:44,078 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:37:45,859 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:37:47,703 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:37:47,750 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)>
2004-09-26 02:37:47,750 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,765 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <ContextHolder does not contain any authentication information>
2004-09-26 02:37:47,781 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,781 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,796 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,796 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,812 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,812 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,812 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,812 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,812 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,828 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,828 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,828 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,828 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,828 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,843 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,843 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,843 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,859 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,859 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,859 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,859 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,859 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,859 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,859 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:47,875 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,875 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:47,875 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:37:49,734 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:37:49,796 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:37:51,765 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:37:53,875 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
----- If I wait a bit and try again, then I finally get the login screen:
2004-09-26 02:42:16,562 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)>
2004-09-26 02:42:16,562 DEBUG [net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint] - <Redirecting to: http://localhost:8080/action/security/login/form>
2004-09-26 02:42:16,562 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:42:16,562 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)>
2004-09-26 02:42:16,593 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
2004-09-26 02:42:16,593 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)>
2004-09-26 02:42:16,593 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Updating container with new Authentication object, and then removing Authentication from ContextHolder>
Ben Alex wrote:
Thompson Marzagao wrote:
Hi all,
I am having a problem with HTTP Session authentication where the Authentication object somehow seems to be cached, even across sessions. This causes user A to be immediately successfully authenticated as user B when calling a protected URL, if user B logged in a few moments earlier. Terrible. If user A then calls the same or any other protected URL again, only then is he required to login.
Does anybody know what might be causing this?
Hi Thompson
I cannot see anything wrong with your configuration, although I recommend using FilterToBeanProxy for the Auto Integration Filter:
<filter>
    <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
    <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>net.sf.acegisecurity.ui.AutoIntegrationFilter</param-value>
    </init-param>
</filter>
Does the Contacts sample app behave properly in your container? We test with Tomcat 5, so I'd be a little surprised if that was the problem.
Would you please confirm you're not doing anything special with HttpSessions or threads or the ContextHolder.
For this sort of thread/session related problem, the main class to look at is HttpSessionIntegrationFilter. In your configuration you're using AutoIntegrationFilter, which automatically tries the HttpSession first and delegates to HttpSessionIntegrationFilter. For this reason I'd recommend you try using HttpSessionIntegrationFilter directly and then switching on debug level logging, seeing if that gives any clues.
If you can't resolve it using the above, please post the debug-level log for HttpSessionIntegrationFilter in particular to the list.
Thanks Ben
------------------------------------------------------- This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 Project Admins to receive an Apple iPod Mini FREE for your judgement on who ports your project to Linux PPC the best. Sponsored by IBM. Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php _______________________________________________ Acegisecurity-developer mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
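An added example, not part of the original thread and not Acegi code: a log check for the symptom reported above, where a request arrives with no Authentication in its session and the next identity-related event is an "Authentication success" with no login redirect or login submission in between. The function name and the heuristic are assumptions of this example; the sample lines are abridged from the log posted in this message, and because they carry no thread or session id, interleaved requests can produce false matches.

```python
import re

# Abridged from the debug log posted in this thread (text and timestamps as posted).
SAMPLE_LOG = """\
2004-09-26 02:35:59,093 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)>
2004-09-26 02:35:59,140 DEBUG [net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint] - <Redirecting to: http://localhost:8080/action/security/login/form>
2004-09-26 02:36:34,453 DEBUG [net.sf.acegisecurity.ui.AbstractProcessingFilter] - <Request is to process authentication>
2004-09-26 02:36:36,734 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: 127.0.0.1>
2004-09-26 02:36:36,796 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication added to ContextHolder from container>
2004-09-26 02:36:38,843 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:37:34,718 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)>
2004-09-26 02:37:36,609 INFO [net.sf.acegisecurity.providers.dao.event.LoggerListener] - <Authentication success for user: adminuser; details: null>
2004-09-26 02:42:16,562 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] - <Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)>
2004-09-26 02:42:16,562 DEBUG [net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint] - <Redirecting to: http://localhost:8080/action/security/login/form>
"""

# "<date> <time> LEVEL [logger] - <message>"
LINE = re.compile(r"^(\S+ \S+) \w+\s+\[[\w.]+\] - <(.*)>$")
SUCCESS = re.compile(r"^Authentication success for user: ([^;]+);")

# Message prefixes that say how a request obtained (or failed to obtain) an identity.
MARKERS = {
    "Authentication not added to ContextHolder": "no_session_auth",
    "Authentication added to ContextHolder from container": "session_auth",
    "Redirecting to:": "challenged",
    "Request is to process authentication": "login_submit",
}

def find_unexplained_successes(log_text):
    """Return (no_auth_ts, success_ts, user) for each success that directly
    follows a 'not added to ContextHolder' event (hypothetical helper)."""
    findings = []
    last_kind, last_ts = None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        hit = SUCCESS.match(msg)
        if hit:
            if last_kind == "no_session_auth":
                findings.append((last_ts, ts, hit.group(1)))
                last_kind = None  # report each unauthenticated request once
            continue
        for prefix, kind in MARKERS.items():
            if msg.startswith(prefix):
                last_kind, last_ts = kind, ts
                break
    return findings

if __name__ == "__main__":
    for finding in find_unexplained_successes(SAMPLE_LOG):
        print("success without session auth or login:", finding)
```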