
Spring Security. Unstable Session

I use the default Spring Security login form (j_spring_security_check). The login process itself works fine, but after logging in I have a problem: my session is very unstable. If I open my site in another tab of the same browser, it looks as if I'm not logged in, while in the first tab I'm still logged in and can view private pages. Sometimes everything works fine, but only sometimes. As I said, user sessions are very unstable. Can someone tell me why? Thanks!

web.xml

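<?xml version="1.0" encoding="UTF-8"?>
<!--
  Servlet 2.5 deployment descriptor: boots the root Spring context, maps the
  Spring MVC dispatcher to "/", and routes every request through the Spring
  Security filter chain.
-->
<web-app version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <display-name>Spring MVC Application</display-name>

    <!-- Creates the root application context from contextConfigLocation below. -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!--
      Translates container session callbacks into Spring application events.
      spring-security.xml enables <concurrency-control>; its session registry
      learns that a session has ended only through these events. Without this
      listener, sessions that timed out keep counting against the user's
      session limit.
    -->
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!--
      NOTE(review): mvc-dispatcher-servlet.xml is loaded here into the root
      context, and the DispatcherServlet above has no contextConfigLocation
      init-param, so by naming convention it loads
      /WEB-INF/mvc-dispatcher-servlet.xml a second time into its own context.
      Every bean in that file (data source, session factory, services) then
      exists twice. It is left in this list because spring-security.xml
      references the userDetailsService bean defined there; the usual remedy is
      to move the shared service and data beans into a separate root-context file.
    -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/mvc-dispatcher-servlet.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

    <!-- The bean named springSecurityFilterChain is created by the <http> element in spring-security.xml. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!--
      Idle timeout in minutes. A 2.5 descriptor has no <cookie-config>, so the
      HttpOnly and Secure flags of the session cookie have to be set in the
      container configuration.
    -->
    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>

</web-app>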

mvc-dispatcher-servlet.xml

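<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring MVC and persistence configuration: component scanning, view
  resolution, multipart uploads, the MySQL data source, the Hibernate session
  factory with its transaction manager, and the application services.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/mvc
                           http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://www.springframework.org/schema/tx
                           http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">

    <context:annotation-config />

    <context:component-scan base-package="com.petrez" />

    <tx:annotation-driven transaction-manager="transactionManager" />

    <mvc:annotation-driven />

    <!--
      Serves static files straight from a directory on disk.
      NOTE(review): this directory lies inside the savePath given to
      fileUploadService below. If uploads can ever be written under res/ they
      become downloadable at /res/**; confirm where FileUploadServiceImpl
      stores files and keep uploaded content out of the served tree.
    -->
    <mvc:resources mapping="/res/**" location="file:/home/piotr/Work/apache-tomcat-7.0.42/work-dir/res/" />

    <bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/pages/"/>
        <property name="suffix" value=".jsp" />
    </bean>

    <!--
      maxUploadSize is in bytes: this allows roughly 1 GB per request.
      NOTE(review): size the limit to the largest file the application really
      expects, so a single request cannot fill the disk.
    -->
    <bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <property name="maxUploadSize" value="1000000000"/>
    </bean>

    <!--
      NOTE(review): the MySQL root account and its password are stored here in
      clear text, and this file has been published, so the password should be
      treated as exposed: rotate it, connect with a dedicated account limited
      to the Library schema, and supply the credentials from outside the WAR
      (for example a JNDI resource or a property placeholder).
      DriverManagerDataSource also opens a new connection on every request for
      one; it is not a connection pool.
    -->
    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="com.mysql.jdbc.Driver" />
        <property name="url" value="jdbc:mysql://localhost:3306/Library" />
        <property name="username" value="root" />
        <property name="password" value="G190419g" />
    </bean>

    <bean id="sessionFactory" class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
        <property name="packagesToScan" value="com.petrez" />
        <property name="dataSource" ref="dataSource" />
        <property name="hibernateProperties">
            <props>
                <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
                <!-- Hibernate reads only the prefixed key; a bare "show_sql" entry is ignored. -->
                <prop key="hibernate.show_sql">false</prop>
            </props>
        </property>
    </bean>

    <bean id="transactionManager" class="org.springframework.orm.hibernate4.HibernateTransactionManager">
        <property name="sessionFactory" ref="sessionFactory"/>
    </bean>

    <!-- Referenced by <remember-me> and <authentication-provider> in spring-security.xml. -->
    <bean id="userDetailsService" class="com.petrez.service.CustomUserDetailsService" />

    <bean id="fileUploadService" class="com.petrez.service.FileUploadServiceImpl">
        <property name="savePath" value="/home/piotr/Work/apache-tomcat-7.0.42/work-dir" />
    </bean>
</beans>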

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security (3.2 schema) configuration: one <http> filter chain with
  form login, remember-me, logout and session management, authenticating
  against the userDetailsService bean.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!--
      create-session="always": a session is created for every visitor,
      anonymous ones included.
      NOTE(review): there is no <csrf/> element, and with the 3.2 namespace
      CSRF protection is off unless it is declared, so the login form and
      logout are not CSRF-protected. Turning it on also requires the token in
      the JSP form.
    -->
    <http auto-config="true" use-expressions="true" create-session="always">
        <!-- Rules are evaluated in order, first match wins: only "/" is public, everything else needs ROLE_USER. -->
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <!-- The site root doubles as the login page; failed logins return to it with error=1. -->
        <form-login login-page="/"
                    login-processing-url="/j_spring_security_check"
                    default-target-url="/home"
                    authentication-failure-url="/?error=1"/>
        <!--
          NOTE(review): no key attribute is set. As far as the 3.2 reference
          documents it, a random key is then generated at startup, so existing
          remember-me cookies stop validating after a restart; confirm and set
          an explicit key if persistent logins should survive redeploys.
        -->
        <remember-me user-service-ref="userDetailsService" />
        <logout logout-success-url="/" />

        <!--
          invalid-session-url: a request carrying a session id the container no
          longer knows is redirected to "/".
          concurrency-control has no max-sessions attribute, so the default of
          one session per user applies: a second login with the same account
          expires the earlier session, which is then sent to expired-url.
          NOTE(review): this feature depends on HttpSessionEventPublisher being
          registered in web.xml, which the web.xml shown with this file does
          not do; that may contribute to the erratic session behaviour.
        -->
        <session-management invalid-session-url="/">
            <concurrency-control expired-url="/" />
        </session-management>
    </http>

    <!--
      NOTE(review): no <password-encoder> is declared, so the provider compares
      the submitted password with the stored value as plain text. Moving to an
      adaptive hash such as bcrypt needs the stored passwords migrated too.
    -->
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>

</beans:beans>

index.jsp //Login part

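<%--
  Login form posted to Spring Security's form-login filter. The field names
  j_username, j_password and _spring_security_remember_me are the ones that
  filter reads, so they must not be renamed.
  NOTE(review): the form carries no CSRF token; one is needed as soon as CSRF
  protection is enabled in spring-security.xml.
--%>
<form method="post" action="<c:url value='/j_spring_security_check'/>">
    <table>
        <tr>
            <%-- Text placed directly inside <tr> is invalid HTML; it belongs in a cell. --%>
            <td colspan="2"><b>Login</b></td>
        </tr>
        <tr>
            <td>Login:</td>
            <td><input type="text" name="j_username"  size="30" maxlength="40" /></td>
        </tr>
        <tr>
            <td>Password:</td>
            <%-- NOTE(review): maxlength stops the browser at 32 characters; confirm this matches the password policy, since longer passphrases are cut off. --%>
            <td><input type="password" name="j_password" size="30" maxlength="32" /></td>
        </tr>
        <tr>
            <td>Remember me?</td>
            <%-- Unchecked by default: a persistent login cookie is issued only when the user asks for one, which matters on shared machines. --%>
            <td><input type="checkbox" name="_spring_security_remember_me" /></td>
        </tr>
        <tr>
            <td><input type="submit" value="Login" /></td>
        </tr>
    </table>
</form>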

Thanks for your help! Sorry if something is wrong with my English.

Not meant as a full answer, just as advice.

To observe session creation and destruction in a Spring-managed web application, create @Components that implement ApplicationListener<AuthenticationSuccessEvent> and ApplicationListener<HttpSessionDestroyedEvent>. Their onApplicationEvent() methods will be called, which at least gives you some indication of session behaviour.

You'll also need to add a listener to your web.xml as follows

<!--
  Goes inside <web-app> in web.xml. Translates the container's session
  callbacks into Spring application events (HttpSessionCreatedEvent and
  HttpSessionDestroyedEvent) so that ApplicationListener beans can observe them.
  Spring Security's <concurrency-control> relies on the same events to learn
  that a session has ended.
-->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
