Re: Hazelcast + session clustering + spring security concurrent session control


Dinesh Babu
Aug 26, 2013, 10:14:46 AM
to haze...@googlegroups.com
We have a similar requirement as above. Can anyone answer this?

ahmet mırçık
Aug 26, 2013, 10:44:03 AM
to haze...@googlegroups.com
please emphasize your software versions


2013/8/26 Dinesh Babu <dines...@gmail.com>
We have a similar requirement as above. Can anyone answer this?

--
You received this message because you are subscribed to the Google Groups "Hazelcast" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hazelcast+...@googlegroups.com.

To post to this group, send email to haze...@googlegroups.com.
Visit this group at http://groups.google.com/group/hazelcast.
For more options, visit https://groups.google.com/groups/opt_out.



--
Ahmet Mırçık

Dinesh Babu
Aug 30, 2013, 8:44:15 AM
to haze...@googlegroups.com
Hazelcast 3 & Spring 3.0.5

markus.a...@gmail.com
Sep 25, 2013, 4:02:23 AM
to haze...@googlegroups.com
We had the exact same problem and I think I have solved it. At least I was able to get the HC session id to be sent to the session registry's removeSession when the user logs out.

The problem was that HttpSessionDestroyedEvents don't get fired for HC-wrapped session objects, but instead for "native" sessions. This is because the native session gets invalidated, and thus the servlet container's session-destroyed notification fired, only after the HC WebFilter has done its own cleanup. Therefore the HttpSessionEventPublisher that is responsible for publishing those events to Spring's listeners only sees the native session, not the HC-wrapped one.

In our system the problem only surfaced in logout, when session information in (HC-distributed) concurrent session registry didn't get properly updated.

My solution was to create my own LogoutHandler that fires HttpSessionDestroyedEvent to Spring's ApplicationEventListeners immediately before continuing to invalidate the session. This way, the session object for which the event is generated is the correct HC-wrapped session and session registry (and other listeners) sees HC's session ID instead of the native (servlet container generated) id.

The downside of this is that you cannot configure the logout mechanism using Spring's <security:logout> directive; instead you must manually configure the LogoutFilter, provide it with the correct handlers and pass it as a custom filter to Spring Security.

Code examples below:

LogoutHandler:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

public class EventFiringSecurityContextLogoutHandler extends SecurityContextLogoutHandler implements ApplicationContextAware {

    private ApplicationContext applicationContext;

    @Override
    public void logout(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) {
        if (isInvalidateHttpSession()) {
            // Publish the destroyed event while the request still exposes the HC-wrapped session,
            // so the SessionRegistry (and other listeners) receive the Hazelcast session id,
            // not the servlet container's native id. getSession(false) avoids creating a
            // brand-new session just to announce its destruction.
            HttpSession session = request.getSession(false);
            if (session != null) {
                applicationContext.publishEvent(new HttpSessionDestroyedEvent(session));
            }
        }
        super.logout(request, response, authentication);
    }

    @Override
    public void setApplicationContext(final ApplicationContext applicationContext) throws BeansException {
        this.applicationContext = applicationContext;
    }
}

And LogoutFilter configuration:

<bean id="customLogoutHandler" class="EventFiringSecurityContextLogoutHandler">
</bean>

<bean id="customLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg index="0" ref="customLogoutSuccessHandler"></constructor-arg>
    <constructor-arg index="1">
        <list>
            <ref bean="customLogoutHandler"/>
        </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/logoutProcess"/>
</bean>

<security:http ...>
    ...
    <security:custom-filter ref="customLogoutFilter" position="LOGOUT_FILTER"/>
</security:http>

Still needs more testing, but at first glance this seems to solve the problem for us.

-- 
Markus Heikkilä
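The id mismatch Markus describes can be reproduced outside a container. The following is an added example, not code from this thread or from the Hazelcast or Spring projects: it drives Spring Security's real SessionRegistryImpl (the listener behind concurrency control) with HttpSessionDestroyedEvents built on spring-test's MockHttpSession. It assumes spring-security-core, spring-security-web, spring-test and the Servlet API are on the classpath (the Spring Security 3.0.x API is used); the two session id strings and the principal are constructed values.

```java
import javax.servlet.http.HttpSession;

import org.springframework.mock.web.MockHttpSession;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

/**
 * Added demo (not from the thread, Hazelcast or Spring): shows why a session
 * registered under the Hazelcast session id is never removed when the
 * destroyed event carries the servlet container's native id, and why
 * publishing the event for the HC-wrapped session fixes it.
 */
public class SessionIdMismatchDemo {

    // Constructed ids: the HC-wrapped id Spring sees at login time ...
    static final String HZ_SESSION_ID = "HZ0123456789abcdef";
    // ... and the container's own id that HttpSessionEventPublisher reports at logout.
    static final String NATIVE_SESSION_ID = "JSESSIONID-native-4711";

    static final Object PRINCIPAL = "alice"; // constructed principal

    /** Mimics HttpSessionEventPublisher: the registry listens for SessionDestroyedEvent. */
    static void destroy(SessionRegistryImpl registry, String sessionId) {
        HttpSession session = new MockHttpSession(new MockServletContext(), sessionId);
        registry.onApplicationEvent(new HttpSessionDestroyedEvent(session));
    }

    /** True while the registry still holds a non-expired session for the principal. */
    static boolean hasLiveSession(SessionRegistryImpl registry) {
        return !registry.getAllSessions(PRINCIPAL, false).isEmpty();
    }

    public static void main(String[] args) {
        // Broken path: registered under the HC id, destroyed under the native id.
        // removeSessionInformation(NATIVE_SESSION_ID) finds nothing, so the HZ entry
        // survives and the next login is rejected by max-sessions="1".
        SessionRegistryImpl registry = new SessionRegistryImpl();
        registry.registerNewSession(HZ_SESSION_ID, PRINCIPAL);
        destroy(registry, NATIVE_SESSION_ID);
        System.out.println("native-id destroy, stale session left behind: " + hasLiveSession(registry));

        // Fixed path: the event is published for the HC-wrapped session, as the
        // custom LogoutHandler does, so the registry removes the matching entry.
        registry = new SessionRegistryImpl();
        registry.registerNewSession(HZ_SESSION_ID, PRINCIPAL);
        destroy(registry, HZ_SESSION_ID);
        System.out.println("HC-id destroy, stale session left behind: " + hasLiveSession(registry));
    }
}
```

The same check is worth running against a real deployment: log the id passed to HttpSessionDestroyedEvent at logout and compare it with the id in SessionRegistry.getAllSessions(principal, false); if they differ, concurrency control will keep counting the dead session.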

chinna
Jul 22, 2014, 10:38:59 AM
to haze...@googlegroups.com, markus.a...@gmail.com

We are also facing the same issue when both Spring Security concurrency control and Hazelcast session clustering are enabled; only one of them works, not both.
The actual issue is that when the user clicks log out and logs in again, Spring Security throws "user session already exists". Ideally, after logout the session should get invalidated in both Hazelcast and Spring.

The session is properly getting removed from Hazelcast, verified from Hazelcast Mancenter. We are using Hazelcast 3.2 and even tried the latest 3.2.4 version, also no luck.

Is the solution from Markus below the only option, or is there any better solution from the Hazelcast team?

@Markus: Did you find any issues in your full testing, and are you using this solution in production? Can you please share the details of this bean? If possible, can you please send all the configuration and bean classes to my mail id. I sent a mail.

Mesut Celik
Jul 23, 2014, 2:45:32 AM
to haze...@googlegroups.com, markus.a...@gmail.com
I have created an issue for the problem. 





--

Mesut Celik
Integration Team Lead 
Mahir İz Cad. No:35, Altunizade, İstanbul 
me...@hazelcast.com 
+90 534 899 5147

chinna
Jul 24, 2014, 2:08:17 AM
to haze...@googlegroups.com, markus.a...@gmail.com
Hi Mesut,

I have tried the workaround mentioned in the issue; this resolved the issue with login, logout and login again, but I am still facing the issue when the session times out automatically and I try to login.

Any idea in which version we can get this fix?

Below is my Spring configuration.

<security:http auto-config="false" use-expressions="true">
    <security:intercept-url pattern="/login**" access="permitAll"/>
    <security:intercept-url pattern="/dashboard**" access="isAuthenticated()" />

    <security:form-login login-page="/login" default-target-url="/dashBoard" authentication-failure-url="/loginfailed" />

    <!-- <security:logout invalidate-session="true" logout-success-url="/login" /> -->

    <security:custom-filter ref="customLogoutFilter" position="LOGOUT_FILTER"/>
    <security:access-denied-handler error-page="/error/403.jsp"/>
    <security:session-management session-fixation-protection="migrateSession" invalid-session-url="/login?expired">
        <security:concurrency-control max-sessions="1" expired-url="/login?expired" error-if-maximum-exceeded="true" />
    </security:session-management>
</security:http>

Any help on this? Looking at this issue, we are getting pushed to think of alternative frameworks to Hazelcast.

Mesut Celik
Jul 24, 2014, 2:21:19 AM
to haze...@googlegroups.com, Markus Heikkilä
HI Chinna,

Can you provide us with a unit test or a sample app on GitHub in order to reproduce the problem?

This will help us a lot.


em...@hazelcast.com
Jul 25, 2014, 7:42:12 AM
to haze...@googlegroups.com, markus.a...@gmail.com
Hello Chinna,

I've created a sample project (and shared it on GitHub) to reproduce the problem but couldn't see a problem.
It would be very helpful to us if you can checkout the sample project and modify it according to your needs.

Please see the GitHub issue for details.

Serkan Özal
Jul 30, 2014, 4:11:47 AM
to haze...@googlegroups.com, markus.a...@gmail.com
Hi Chinna,

Are you sure that you are using these listeners in your web.xml? (We must make sure that you are using not only com.hazelcast.web.WebFilter.)

<listener>
    <listener-class>com.hazelcast.web.SessionListener</listener-class>
</listener>
...
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>


chinna
Jul 31, 2014, 7:23:52 AM
to haze...@googlegroups.com, markus.a...@gmail.com
Hi Serkan,

Yes, I am using the below listeners in the same order.

@emrahkocaman: I was occupied with some other activities; I will try the sample application this week and let you know the output.

Serkan Özal
Jul 31, 2014, 12:52:30 PM
to haze...@googlegroups.com, markus.a...@gmail.com
Hi Chinna,

In your web.xml, is the Spring Security filter (generally named springSecurityFilterChain, of type org.springframework.web.filter.DelegatingFilterProxy) defined before the Hazelcast web filter (com.hazelcast.web.WebFilter)?

And is it possible to share your web.xml?

--

Serkan ÖZAL

Serkan Özal
Jul 31, 2014, 5:05:52 PM
to haze...@googlegroups.com, markus.a...@gmail.com
Hi Chinna,

In addition to this question, are you using the Hazelcast session listener in your web.xml?

<listener>
    <listener-class>com.hazelcast.web.SessionListener</listener-class>
</listener>


chinna
Aug 1, 2014, 2:10:47 PM
to haze...@googlegroups.com, markus.a...@gmail.com

Below are the filter and listeners in web.xml, in order.

 <filter>
  <filter-name>hazelcast-filter</filter-name>
  <filter-class>com.hazelcast.web.WebFilter</filter-class>
  .....
 </filter>
 <filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>
 <filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>
 
 <listener>
  <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
 </listener>

  <listener>
     <listener-class>com.hazelcast.web.SessionListener</listener-class>
 </listener>
 <listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 </listener>
 <listener>
  <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
 </listener>
 <listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
 </listener>
 

Serkan Özal
Aug 1, 2014, 4:18:52 PM
to haze...@googlegroups.com, markus.a...@gmail.com
Do you map your filter like this?

<filter-mapping>
    <filter-name>hazelcast-filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

uday kumar
Aug 3, 2014, 12:15:35 AM
to haze...@googlegroups.com, Markus Heikkilä
Yes




--
Thanks,
Uday

Serkan Özal
Aug 5, 2014, 4:49:19 AM
to haze...@googlegroups.com, markus.a...@gmail.com
Hi,

We could reproduce the issue, and as we understood it, the issue is caused by the session being registered with the Hazelcast session id and removed with the native session id on the "org.springframework.security.core.session.SessionRegistry" instance. Removal from the session registry is triggered by the "org.springframework.security.web.session.HttpSessionEventPublisher" listener defined in "web.xml". We are thinking of implementing a Spring-aware filter extending "com.hazelcast.web.WebFilter"; this filter will also trigger the "org.springframework.security.core.session.SessionRegistry" instance to remove the session information. So for using the Hazelcast web filter with Spring, you would use "com.hazelcast.web.spring.SpringAwareWebFilter" instead of "com.hazelcast.web.WebFilter", like:

<filter>
    <filter-name>hazelcast-filter</filter-name>
    <filter-class>com.hazelcast.web.spring.SpringAwareWebFilter</filter-class>
    ...
</filter>

But note that this is not our final decision and we are looking for other solutions if possible.

--

Serkan ÖZAL

chinna
Aug 11, 2014, 10:48:16 AM
to haze...@googlegroups.com, markus.a...@gmail.com
In which version can we expect this, or is there any workaround patch?

Mesut Celik
Aug 17, 2014, 3:31:37 AM
to haze...@googlegroups.com
Spring Security Support will be available in 3.3 . You can already try it with 3.3-RC4-SNAPSHOT via maven snapshot repository.

  • If Spring-based security is used for the application, you should use com.hazelcast.web.spring.SpringAwareWebFilter instead of com.hazelcast.web.WebFilter in your filter definition.




--

Mesut Celik
Integration Team Lead 
Mahir İz Cad. No:35, Altunizade, İstanbul 
me...@hazelcast.com 

balajikum...@gmail.com
Aug 21, 2014, 4:00:48 AM
to haze...@googlegroups.com
Hi Mesut Celik,
We are facing a similar issue with session expiry. Our code with Hazelcast + Spring Security is already in production and we can't use a SNAPSHOT for production; please let us know if there is a workaround for this.

Mesut Celik
Aug 22, 2014, 2:53:15 AM
to haze...@googlegroups.com
There is no known workaround for this at the moment. You have to migrate to 3.3+ if you want to get real Spring Security support.
