
I am having an issue with the HttpSession becoming null after the user has been authenticated. Whenever a user's password is reset, the user is forwarded to the securityQuestions page before going to our application home page. So the user is authenticated when redirected to the securityQuestion page, but once the user answers the securityQuestion the HttpSession is null and Spring creates an anonymousUser authentication.

Below are my Spring debug logs:

    2014-09-03 22:49:55,809 DEBUG | org.springframework.security.authentication.ProviderManager |  | NFKqVO7EwF17 | Authentication attempt using com.dc.apps.cp.security.service.CPDaoAuthenticationProvider
    2014-09-03 22:49:55,887 DEBUG | org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter |  | NFKqVO7EwF17 | Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@8696305e: Principal: org.springframework.security.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 00.11.22.33; SessionId: C4956AA8D8DD5685E6595D3A941052B2; Not granted any authorities
    2014-09-03 22:49:55,902 DEBUG | org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter |  | NFKqVO7EwF17 | Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@8696305e: Principal: org.springframework.security.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 00.11.22.33; SessionId: C4956AA8D8DD5685E6595D3A941052B2; Not granted any authorities
    2014-09-03 22:49:56,123 DEBUG | org.springframework.security.web.DefaultRedirectStrategy | test1@dc.com | NFKqVO7EwF17 | Redirecting to '/Passport/securityQuestions.do?clear=true'
    2014-09-03 22:49:56,126 DEBUG | org.springframework.security.web.DefaultRedirectStrategy | test1@dc.com | NFKqVO7EwF17 | Redirecting to '/Passport/securityQuestions.do?clear=true'
    2014-09-03 22:49:56,126 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository | test1@dc.com | NFKqVO7EwF17 | HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
    2014-09-03 22:49:56,128 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository | test1@dc.com | NFKqVO7EwF17 | SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@8696305e: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@8696305e: Principal: org.springframework.security.core.userdetails.User@49520377: Username: test1@dc.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 00.11.22.33; SessionId: C4956AA8D8DD5685E6595D3A941052B2; Not granted any authorities'
    2014-09-03 22:49:56,129 DEBUG | org.springframework.security.web.context.SecurityContextPersistenceFilter |  | NFKqVO7EwF17 | SecurityContextHolder now cleared, as request processing completed
    2014-09-03 22:49:56,129 DEBUG | org.springframework.security.web.context.SecurityContextPersistenceFilter |  | NFKqVO7EwF17 | SecurityContextHolder now cleared, as request processing completed
    2014-09-03 22:49:57,212 DEBUG | org.springframework.security.web.FilterChainProxy |  | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    2014-09-03 22:49:57,213 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository |  | NFKqVO7EwF17 | No HttpSession currently exists
    2014-09-03 22:49:57,213 DEBUG | org.springframework.security.web.context.HttpSessionSecurityContextRepository |  | NFKqVO7EwF17 | No SecurityContext was available from the HttpSession: null. A new one will be created.
    2014-09-03 22:49:57,214 DEBUG | org.springframework.security.web.FilterChainProxy |  | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 2 of 12 in additional filter chain; firing Filter: 'WelcomePageRedirectFilter'
    2014-09-03 22:49:57,214 DEBUG | org.springframework.security.web.FilterChainProxy |  | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 3 of 12 in additional filter chain; firing Filter: 'InternalAuthenticationFilter'
    2014-09-03 22:49:57,215 DEBUG | org.springframework.security.web.FilterChainProxy |  | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
    2014-09-03 22:49:57,215 DEBUG | org.springframework.security.web.FilterChainProxy |  | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    2014-09-03 22:49:57,216 DEBUG | org.springframework.security.web.FilterChainProxy |  | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
    2014-09-03 22:49:57,216 DEBUG | org.springframework.security.web.FilterChainProxy |  | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    2014-09-03 22:49:57,217 DEBUG | org.springframework.security.web.FilterChainProxy |  | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    2014-09-03 22:49:57,218 DEBUG | org.springframework.security.web.FilterChainProxy |  | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2014-09-03 22:49:57,218 DEBUG | org.springframework.security.web.authentication.AnonymousAuthenticationFilter | anonymousUser | NFKqVO7EwF17 | Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 00.11.22.33; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    2014-09-03 22:49:57,219 DEBUG | org.springframework.security.web.FilterChainProxy | anonymousUser | NFKqVO7EwF17 | /securityQuestions.do?clear=true at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
    2014-09-03 22:49:57,220 DEBUG | org.springframework.security.web.session.SessionManagementFilter | anonymousUser | NFKqVO7EwF17 | Requested session ID C4956AA8D8DD5685E6595D3A941052B2 is invalid.

security-applicationContext.xml:

    <beans:bean id="trustedAuthenticationFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
       <beans:property name="principalRequestHeader" value="X-Remote-Authenticate"/>
       <beans:property name="authenticationManager" ref="authenticationManager" />
       <beans:property name="exceptionIfHeaderMissing" value="false" />
       <beans:property name="checkForPrincipalChanges" value="true" />
       <beans:property name="invalidateSessionOnPrincipalChange" value="true" />
    </beans:bean>

    <!-- LOCAL LOGIN CONFIGURATION -->
    <http use-expressions="true" auto-config="false" disable-url-rewriting="true" entry-point-ref="loginUrlAuthenticationEntryPoint"
            request-matcher-ref="localAuthRequestMatcher">
      <intercept-url pattern="/admin/**" access="hasRole('ADMIN_PERMISSION')" />
      <intercept-url pattern="/system/upgrade.do" access="permitAll" />
      <intercept-url pattern="/system/upgradeStatus.do" access="isAnonymous()" />
      <intercept-url pattern="/enduser/ajax/upgradeCounts.do" access="permitAll" />
      <intercept-url pattern="/system/**" access="hasRole('ADMIN_PERMISSION')" />
      <intercept-url pattern="/enduser/**" access="isAuthenticated()" />
      <intercept-url pattern="/changePassword.do" access="permitAll"/>
      <intercept-url pattern="/index.do" access="isAnonymous()" />
      <custom-filter after="SECURITY_CONTEXT_FILTER" ref="welcomePageRedirectFilter" />
      <custom-filter before="LOGOUT_FILTER" ref="internalAuthenticationFilter" />
      <form-login login-page="/index.do" authentication-failure-handler-ref="DCAuthenticationFailureHandler" authentication-success-handler-ref="DCAuthenticationSuccessHandler" />
      <http-basic />
      <anonymous />
      <session-management session-authentication-strategy-ref="customSessionFixationProtectionStrategy" />
      <logout success-handler-ref="localLogoutSuccessHandler" />
    </http>

We are having this issue only in production and staging, not in the dev environment, so it is really difficult for me to debug since it is not reproducible on my local machine. I really appreciate any help on this.

OTUser
  • Is your production a clustered environment? – jny Sep 04 '14 at 16:06
  • Nope, it's not a clustered environment. – OTUser Sep 04 '14 at 16:07
  • Try [JSP Session id changes on every refresh](https://stackoverflow.com/a/6730766/772981) or [Session is lost and created as new in every servlet request](https://stackoverflow.com/a/46393979/772981). I came here trying to solve my problem, which turned out to be unrelated to Spring. – Jarekczek Sep 24 '17 at 19:30
  • I had a similar problem and I found out that the problem was a wrong Tomcat connector setup. The connector had the option secure=true and I was using http connections. – Peter1982 Sep 18 '19 at 14:27
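The log line "HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session" describes the failure mode a session-fixation strategy has to avoid: rotating the session id at login means invalidating the pre-login session, but the replacement session must exist before the SecurityContext is saved at the end of the request, or the next request arrives with an invalid session id and falls through to the anonymous filter, exactly as in the logs above. The following is an added example, not code from the question or from its author, of a `SessionAuthenticationStrategy` that performs that rotation safely; the class name `MigratingSessionFixationProtectionStrategy` is hypothetical, and it is the kind of bean the configuration's `session-authentication-strategy-ref="customSessionFixationProtectionStrategy"` would point at. Spring Security's own `SessionFixationProtectionStrategy` implements the same pattern out of the box.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Hypothetical session-fixation protection strategy (example code, not from the question).
 *
 * Invalidates the session that existed before authentication, so an attacker who
 * planted a session id before login cannot ride the authenticated session, and
 * immediately creates a replacement session carrying the old attributes. Because a
 * session exists when the request completes, HttpSessionSecurityContextRepository
 * has somewhere to store the SecurityContext and the next request is authenticated.
 */
public class MigratingSessionFixationProtectionStrategy implements SessionAuthenticationStrategy {

    @Override
    public void onAuthentication(Authentication authentication,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            // No pre-login session to rotate; the repository creates one when it saves the context.
            return;
        }

        // Preserve application state (e.g. a pending "answer security questions" flag)
        // so the post-login redirect target still finds it in the new session.
        Map<String, Object> attributes = copyAttributes(oldSession);

        // Drop the pre-authentication session id. The invalidation alone is what the
        // log above records; without the next two lines the context has no session to land in.
        oldSession.invalidate();

        // Create the replacement session now, within the same request, and restore state.
        HttpSession newSession = request.getSession(true);
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            newSession.setAttribute(entry.getKey(), entry.getValue());
        }
    }

    /** Snapshot of all attributes of a session, taken before it is invalidated. */
    static Map<String, Object> copyAttributes(HttpSession session) {
        Map<String, Object> copy = new HashMap<>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            copy.put(name, session.getAttribute(name));
        }
        return copy;
    }
}
```

The bean would be declared in the security context under the id the `<session-management>` element already references, so the `SessionManagementFilter` and the form-login filter both call it after a successful authentication. When checking a deployment for this class of problem, the debug output to look for is the pair of messages from `HttpSessionSecurityContextRepository`: a session that is invalidated in one request should be followed by a "SecurityContext stored to HttpSession" with a new session id, not by "No HttpSession currently exists" on the next request.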

0 Answers