
Spring Security + Flex + BlazeDS Login Issue

We have a problem on our company's Flex/Spring/BlazeDS app. Basically, in Firefox and IE (not Chrome), if you authenticate multiple times with the website (login / logout / login / logout), you eventually end up in a state where you can then authenticate with the server simply by clicking login with anything in the password field, at least until your browser is closed and re-opened. What's up with this?

When looking at the Spring Security logs, it can be seen that the SecurityContext is not being properly invalidated and gets re-used. I've included some snippets below to give an idea of the setup.

This only seems to occur when I use the default Glassfish servlet context for the application: https://staging.website.net:8181/

If I use the direct context for the application, it does not happen: https://staging.website.net:8181/myapp

Here are our logout filter and Spring Security details:

    <security:http entry-point-ref="oamAuthenticationProcessingFilterEntryPoint"
        auto-config="false">
        <!-- BlazeDS endpoint: reachable anonymously as well as by authenticated users -->
        <security:intercept-url pattern="/messagebroker/**/*"
            access="ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN" />
        <security:intercept-url pattern="/cms/login"
            access="ROLE_ANONYMOUS" />
        <security:intercept-url pattern="/cms*"
            access="ROLE_CMS,ROLE_ADMIN" />
        <security:intercept-url pattern="/gen*"
            access="ROLE_CMS,ROLE_ADMIN" />
        <security:intercept-url pattern="/test*"
            access="ROLE_ANONYMOUS,ROLE_USER" />
        <!-- filters="none": FilterChainProxy applies no security filters at all
             (the custom filter registered in this chain included) to matching requests -->
        <security:intercept-url pattern="*/index.jsp" filters="none" />
        <security:intercept-url pattern="*/" filters="none" />
        <!-- <security:form-login login-page="/index.jsp" /> -->
        <security:logout logout-success-url="/index.jsp" />
        <security:anonymous granted-authority="ROLE_ANONYMOUS" />
    </security:http>

    <!-- Custom logout filter, placed at the very front of the chain -->
    <bean id="splashPageLogoutFilter"
        class="<redacted>.security.SplashPageLogoutFilter">
        <security:custom-filter position="FIRST" />
        <constructor-arg index="0">
            <list>
                <ref bean="securityContextLogoutHandler" />
            </list>
        </constructor-arg>
    </bean>
    <bean id="securityContextLogoutHandler"
        class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />

    <!-- Authentication provider: SHA hashes with a single system-wide salt, hardcoded here -->
    <bean id="daoAuthenticationProvider"
        class="<redacted>.security.UserAuthentication">
        <security:custom-authentication-provider />
        <property name="allowedFailAttempts" value="5" />
        <property name="allowedAttemptsBeforeCaptcha" value="3" />
        <property name="userDetailsService" ref="customUserDetailsService" />
        <property name="passwordEncoder">
            <bean name="passwordEncoder"
                class="org.springframework.security.providers.encoding.ShaPasswordEncoder" />
        </property>
        <property name="saltSource">
            <bean
                class="org.springframework.security.providers.dao.salt.SystemWideSaltSource">
                <property name="systemWideSalt" value="not1thing" />
            </bean>
        </property>
    </bean>

Our context handler:

    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.Authentication;
    import org.springframework.security.context.SecurityContextHolder;
    import org.springframework.security.ui.SpringSecurityFilter;
    import org.springframework.security.ui.logout.LogoutHandler;

    public class SplashPageLogoutFilter extends SpringSecurityFilter {

        private final LogoutHandler[] handlers;

        // Wired from the <list> constructor-arg in the bean definition above
        public SplashPageLogoutFilter(LogoutHandler[] handlers) {
            this.handlers = handlers;
        }

        public int getOrder() {
            return 0; // actual position comes from <security:custom-filter position="FIRST" />
        }

        @Override
        protected void doFilterHttp(HttpServletRequest request,
                HttpServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            boolean logout = false;
            // SSO login request
            if ("POST".equals(request.getMethod())
                    && request.getRequestURI().endsWith("/webSSO")) {
                logout = true;
            }
            // Return to the splash page
            if ("GET".equals(request.getMethod())
                    && request.getRequestURI().contains("index.jsp")) {
                logout = true;
            }

            if (logout) {
                // This filter runs before HttpSessionContextIntegrationFilter (position 2
                // vs. 3 in the log below), so the holder has not yet been populated from
                // the session at this point.
                Authentication auth = SecurityContextHolder.getContext()
                        .getAuthentication();
                logger.info("doFilterHttp caused Logout.");
                for (int i = 0; i < handlers.length; i++) {
                    handlers[i].logout(request, response, auth);
                }
            }

            chain.doFilter(request, response);
        }
    }

I can see doFilterHttp is logging the user out, and they get sent to the index page; however, after doing this a few times, the user can log in with any password. Looking at the Spring Security debug output shows the following:

sec.log

2011-11-25 09:06:30,689|ExceptionTranslationFilter|Chain processed normally
2011-11-25 09:06:30,690|HttpSessionContextIntegrationFilter|SecurityContextHolder now cleared, as request processing completed
2011-11-25 09:09:36,017|FilterChainProxy|Converted URL to lowercase, from: '/messagebroker/amfsecure'; to: '/messagebroker/amfsecure'
2011-11-25 09:09:36,018|FilterChainProxy|Candidate is: '/messagebroker/amfsecure'; pattern is /**; matched=true
2011-11-25 09:09:36,019|FilterChainProxy|/messagebroker/amfsecure at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.flex.config.SessionFixationProtectionConfigurer$PriorityOrderedRequestContextFilter@65b8b2'
2011-11-25 09:09:36,019|FilterChainProxy|/messagebroker/amfsecure at position 2 of 10 in additional filter chain; firing Filter: '<redacted>.security.SplashPageLogoutFilter[ order=0; ]'
2011-11-25 09:09:36,021|FilterChainProxy|/messagebroker/amfsecure at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
2011-11-25 09:09:36,024|HttpSessionContextIntegrationFilter|Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT to associate with SecurityContextHolder: 'org.springframework.security.context.SecurityContextImpl@a9f1ed4c: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@a9f1ed4c: Principal: <redacted>.security.UserDetailsServiceImpl$1@5674e6; Password: [PROTECTED]; Authenticated: true; Details: <redacted>.security.UserAuthentication$1@14b9a6; Granted Authorities: ROLE_USER'
2011-11-25 09:09:36,025|FilterChainProxy|/messagebroker/amfsecure at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
2011-11-25 09:09:36,025|FilterChainProxy|/messagebroker/amfsecure at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
2011-11-25 09:09:36,026|FilterChainProxy|/messagebroker/amfsecure at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
2011-11-25 09:09:36,026|SavedRequestAwareWrapper|Wrapper not replaced; SavedRequest was: null
2011-11-25 09:09:36,027|FilterChainProxy|/messagebroker/amfsecure at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.providers.anonymous.AnonymousProcessingFilter[ order=1300; ]'
2011-11-25 09:09:36,027|AnonymousProcessingFilter|SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken@a9f1ed4c: Principal: <redacted>.security.UserDetailsServiceImpl$1@5674e6; Password: [PROTECTED]; Authenticated: true; Details: <redacted>.security.UserAuthentication$1@14b9a6; Granted Authorities: ROLE_USER'
2011-11-25 09:09:36,028|FilterChainProxy|/messagebroker/amfsecure at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
2011-11-25 09:09:36,029|FilterChainProxy|/messagebroker/amfsecure at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.SessionFixationProtectionFilter[ order=1600; ]'
2011-11-25 09:09:36,030|FilterChainProxy|/messagebroker/amfsecure at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@36e1ed'
2011-11-25 09:09:36,030|DefaultFilterInvocationDefinitionSource|Converted URL to lowercase, from: '/messagebroker/amfsecure'; to: '/messagebroker/amfsecure'
2011-11-25 09:09:36,031|DefaultFilterInvocationDefinitionSource|Candidate is: '/messagebroker/amfsecure'; pattern is /messagebroker/**/*; matched=true
2011-11-25 09:09:36,032|AbstractSecurityInterceptor|Secure object: FilterInvocation: URL: /messagebroker/amfsecure; ConfigAttributes: [ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN]
2011-11-25 09:09:36,033|AbstractSecurityInterceptor|Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@a9f1ed4c: Principal: <redacted>.security.UserDetailsServiceImpl$1@5674e6; Password: [PROTECTED]; Authenticated: true; Details: <redacted>.security.UserAuthentication$1@14b9a6; Granted Authorities: ROLE_USER
2011-11-25 09:09:36,034|AbstractSecurityInterceptor|Authorization successful
2011-11-25 09:09:36,035|AbstractSecurityInterceptor|RunAsManager did not change Authentication object
2011-11-25 09:09:36,037|FilterChainProxy|/messagebroker/amfsecure reached end of additional filter chain; proceeding with original chain

This problem has been plaguing me for a while; can anyone help?

Cheers, Chris

Not really sure of the answer myself; it's difficult to see what may be happening with this limited information... but have you tried doing a session invalidate (request.getSession().invalidate()) inside the logout block in the filter? See if the problem still remains after the session is forcibly destroyed. Maybe that will provide more clues towards what the problem might be.
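What the suggested change looks like in the Spring Security 2.0 API the question uses, as an added example (not code from the original question, the answer, or Spring Security itself): a variant of the posted filter that reads the stored context straight from the session, lets the configured handlers run, then explicitly drops the SPRING_SECURITY_CONTEXT attribute, invalidates the session, clears the holder, and logs the session id before and after so the effect can be checked in sec.log. The package and class names are assumptions; the request-matching rules are the ones from the posted filter.

```java
package com.example.security; // assumed package name, not from the original post

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.Authentication;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.ui.SpringSecurityFilter;
import org.springframework.security.ui.logout.LogoutHandler;

/**
 * Logout filter that forcibly destroys the HTTP session, as suggested in the
 * answer above, and records enough in the log to verify that it happened.
 * Class name is an assumption for this example.
 */
public class SessionInvalidatingLogoutFilter extends SpringSecurityFilter {

    // "SPRING_SECURITY_CONTEXT": the session attribute the log shows being re-read
    private static final String CONTEXT_KEY =
            HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY;

    private final LogoutHandler[] handlers;

    public SessionInvalidatingLogoutFilter(LogoutHandler[] handlers) {
        this.handlers = handlers;
    }

    public int getOrder() {
        return 0; // real position comes from <security:custom-filter position="FIRST" />
    }

    protected void doFilterHttp(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isLogoutRequest(request)) {
            forceLogout(request, response);
        }
        chain.doFilter(request, response);
    }

    /** Same triggers as the posted SplashPageLogoutFilter. */
    static boolean isLogoutRequest(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String method = request.getMethod();
        return ("POST".equals(method) && uri.endsWith("/webSSO"))
                || ("GET".equals(method) && uri.indexOf("index.jsp") >= 0);
    }

    void forceLogout(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        Authentication auth = null;
        String oldId = null;

        if (session != null) {
            oldId = session.getId();
            // This filter runs before HttpSessionContextIntegrationFilter, so the
            // SecurityContextHolder is still empty here; read the stored context
            // from the session instead so the handlers see the real principal.
            Object stored = session.getAttribute(CONTEXT_KEY);
            if (stored instanceof SecurityContext) {
                auth = ((SecurityContext) stored).getAuthentication();
            }
            logger.info("logout: session " + oldId + " storedContext=" + (stored != null)
                    + " principal=" + (auth == null ? "none" : auth.getName()));
        }

        for (int i = 0; i < handlers.length; i++) {
            handlers[i].logout(request, response, auth);
        }

        // Belt and braces: drop the stored context and kill the session ourselves,
        // regardless of what the configured handlers did.
        if (session != null) {
            try {
                session.removeAttribute(CONTEXT_KEY);
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // a handler invalidated it first; that is the desired end state anyway
            }
        }
        SecurityContextHolder.clearContext();

        // Verification: no session may survive this point. A fresh JSESSIONID on
        // the next response is the observable sign that the old one is gone.
        HttpSession after = request.getSession(false);
        if (after != null) {
            logger.warn("logout: session " + after.getId() + " still exists after invalidate");
        } else {
            logger.info("logout: session " + oldId + " destroyed");
        }
    }
}
```

To try it, point the `class` attribute of the `splashPageLogoutFilter` bean at this class; the constructor takes the same `LogoutHandler[]` the existing `<list>` constructor-arg supplies. Note that `SecurityContextLogoutHandler` already invalidates the session by default, so the explicit `invalidate()` here is a guard rather than new behaviour; the useful part for diagnosis is the pair of log lines, which show whether a stored context was present when the logout fired and whether the session really was gone afterwards. If the "destroyed" line never appears for the GET to index.jsp, the request is not reaching this filter at all.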

The technical posts on this site are published under CC BY-SA 4.0; when republishing, credit the site URL or the original address.