JeffK

Reputation: 11

Spring Security invalidates JSESSIONID when opening a new window

I have a web application from a vendor with some new functionality where you press a button on the webpage and it opens a new popup window to use the new functionality. However, when a user who is logged into the application presses the button, the user is automatically logged out. We have tested this with a lot of users and they all are having the same issue.

We are using IE 8 as that is what the vendor has written the application for. The application is hosted on WebSphere Application Server 8.5.5.1 (which was just upgraded from WebSphere 7.0.17). The issue happens whether or not we go through a web server or directly into the application via port number.

If I use Google Chrome however, the first time a user logs in and clicks the button, they are logged out, but the next time they log in the button works fine. But we can't use Google Chrome as it's not supported by the vendor.

I've opened a PMR with IBM and they can see the session is getting invalidated.

[12/12/14 11:27:49:368 EST] 0000012b HttpRequestMe 1   setRequestURL input   [/blue2web/images/cbf/bg.grad.blue.jpg]
.......
[12/12/14 11:27:49:439 EST] 0000012b filter        1   com.ibm.ws.webcontainer.filter.WebAppFilterChain doFilter entry
[12/12/14 11:27:49:439 EST] 0000012b filter        1   com.ibm.ws.webcontainer.filter.WebAppFilterChain doFilter executing filter -->springSecurityFilterChain
[12/12/14 11:27:49:440 EST] 0000012b util          1   com.ibm.ws.webcontainer.util.EventListeners fireEvent Use visitor com.ibm.ws.webcontainer.webapp.FireOnFilterStartDoFilter@c7cef1a9 to fire event to com.ibm.websphere.servlet.event.FilterListenerImpl@2a6d1c41, class:class com.ibm.websphere.servlet.event.FilterListenerImpl
.......
[12/12/14 11:27:49:440 EST] 0000012b event         1   com.ibm.websphere.servlet.event.FilterListenerImpl onFilterStartDoFilter onFilterStartDoFilter -->springSecurityFilterChain request -->com.ibm.ws.webcontainer.srt.SRTServletRequest@3925fa48
.......
[12/12/14 11:27:49:444 EST] 0000012b WASSessionCor >   MemorySession invalidate ENTRY  AppName=default_hostblue2web; Id=XgGNO6yhlsbiQKcNk9eOeZF
.......
[12/12/14 11:27:49:445 EST] 0000012b WASSessionCor 1   MemorySession setIsValid New Value=false; Old Value=true AppName=default_hostblue2web; Id=XgGNO6yhlsbiQKcNk9eOeZF
.......
[12/12/14 11:27:49:445 EST] 0000012b WASSessionCor <   MemorySession invalidate RETURN
.......
[12/12/14 11:27:49:464 EST] 0000012b filter        1   com.ibm.ws.webcontainer.filter.WebAppFilterChain doFilter entry 
[12/12/14 11:27:49:464 EST] 0000012b filter        1   com.ibm.ws.webcontainer.filter.WebAppFilterChain doFilter executing filter -->struts2
.......
[12/12/14 11:27:49:481 EST] 0000012b HttpResponseM 1   Marshalling first line: HTTP/1.1 304 Not Modified

We see a request for /blue2web/images/cbf/bg.grad.blue.jpg. The request enters the filter springSecurityFilterChain, and the session is invalidated. The request continues through several more filters (starting with the struts2 filter) and eventually returns a 304 response.

The vendor has said that nobody else (including them) has seen this issue.

I'm totally confused now, as I don't know if it's an IE 8 issue, Spring issue, or WebSphere 8.5.5.1 issue. We have other buttons in the application that bring up different windows for different functionality and they work just fine.

UPDATE (12/22/14) -

Here is the trace from Spring Security. Not sure it will help.

[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/cbfcommonutil.js'; to: '/javascript/cbfcommonutil.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/cbfcommonutil.js'; pattern is /j_security_check; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/cbfcommonutil.js'; to: '/javascript/cbfcommonutil.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/cbfcommonutil.js'; pattern is /favicon.ico; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/cbfcommonutil.js'; to: '/javascript/cbfcommonutil.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/cbfcommonutil.js'; pattern is /index*; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/cbfcommonutil.js'; to: '/javascript/cbfcommonutil.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/cbfcommonutil.js'; pattern is /javascript/*; matched=true
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy doFilter /javascript/cbfCommonUtil.js has an empty filter list
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/mootools-1.2.5.js'; to: '/javascript/mootools-1.2.5.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/mootools-1.2.5.js'; pattern is /j_security_check; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/mootools-1.2.5.js'; to: '/javascript/mootools-1.2.5.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/mootools-1.2.5.js'; pattern is /favicon.ico; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/mootools-1.2.5.js'; to: '/javascript/mootools-1.2.5.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/mootools-1.2.5.js'; pattern is /index*; matched=false
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/javascript/mootools-1.2.5.js'; to: '/javascript/mootools-1.2.5.js'
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/javascript/mootools-1.2.5.js'; pattern is /javascript/*; matched=true
[12/22/14 14:17:19:751 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy doFilter /javascript/mootools-1.2.5.js has an empty filter list
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /j_security_check; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /favicon.ico; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /index*; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /javascript/*; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /css/*; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /images/*; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /iframe_black*; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /webhelp_pro/**; matched=false
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy getFilters Candidate is: '/images/cbf/c_lt.png'; pattern is /**; matched=true
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[12/22/14 14:17:19:922 CST] 000000a5 HttpSessionSe 1 org.springframework.security.web.context.HttpSessionSecurityContextRepository readSecurityContextFromSession Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@ba2bcf8a: Authentication: com.bcbsa.blue2.configuration.security.jee.DelegateToUserDetailsPreAuthenticatedAuthenticationToken@ba2bcf8a: Principal: com.bcbsa.blue2.configuration.security.model.springsecurity.AuthoritiesByBoidUser@6820f6c1: Username: MyId; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: AdjustmentMsgUser,BasicMsgUser,CBFUpdateUser,CBFViewOnlyUser,CSRNMsgUser,Claim276StatusWithoutSccf,ClaimDispositionDetailsViewer,ClaimMisrouteMsgUser,ClaimStatusRequester,ClaimSubmissionDetailsViewer,DataRole1,DataRole11,DataRole13,DataRole17,DataRole2,DataRole3,DataRole30,DataRole35,DataRole37,DataRole39,DataRole4,DataRole41,DataRole49,DataRole5,DataRole51,DataRole53,DataRole55,DataRole57,DataRole58,DataRole59,DataRole61,DataRole63,DataRole65,DataRole70,DataRole9,DataRole99,EscalationLevel1MsgUser,EscalationLevel2MsgUser,EvaluateAdjustmentMessageStateAdmin,GlobalFeeMsgUser,LocalEditAdmin,MedicalRecordViewer,MessageCommentConfigAdmin,MessageListingViewer,MessageReprocessUser,MessageSummaryViewer,PQIMsgSummaryViewer,PQIMsgUser,PostProcessConfigAdmin,PreExMsgUser,PurgeDF,PurgeMessage,PurgeNF,PurgeRF,PurgeRestoreAdmin,PurgeSF,ReassignUserAdmin,RemoteOperationViewer,RestoreViewer,SecurityConfigAdmin,SubscriberIDWildcardSearchAdmin,ValidUser,ValidUserCBF; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails@fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 3VjGU8WisdQb0Zvjzk7jYyc; Authorities: [DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, PurgeSF, PostProcessConfigAdmin, DataRole65, RestoreViewer, MessageReprocessUser, DataRole70, EvaluateAdjustmentMessageStateAdmin, EscalationLevel1MsgUser, PurgeDF, LocalEditAdmin, ClaimMisrouteMsgUser, DataRole99, AdjustmentMsgUser, CSRNMsgUser, ValidUserCBF, GlobalFeeMsgUser, MessageSummaryViewer, ClaimDispositionDetailsViewer, CBFViewOnlyUser, DataRole1, DataRole2, DataRole3, DataRole4, MedicalRecordViewer, DataRole5, DataRole9, PurgeMessage, BasicMsgUser, MessageListingViewer, RemoteOperationViewer, EscalationLevel2MsgUser, ClaimSubmissionDetailsViewer, CBFUpdateUser, ReassignUserAdmin, PQIMsgUser, PreExMsgUser, DataRole11, DataRole13, PurgeNF, DataRole17, PurgeRestoreAdmin, MessageCommentConfigAdmin, SubscriberIDWildcardSearchAdmin, SecurityConfigAdmin, DataRole30, DataRole35, DataRole37, DataRole39, ValidUser, Claim276StatusWithoutSccf, DataRole41, PQIMsgSummaryViewer, DataRole49, ClaimStatusRequester, DataRole51, DataRole53, PurgeRF]; Granted Authorities: AdjustmentMsgUser, BasicMsgUser, CBFUpdateUser, CBFViewOnlyUser, CSRNMsgUser, Claim276StatusWithoutSccf, ClaimDispositionDetailsViewer, ClaimMisrouteMsgUser, ClaimStatusRequester, ClaimSubmissionDetailsViewer, DataRole1, DataRole11, DataRole13, DataRole17, DataRole2, DataRole3, DataRole30, DataRole35, DataRole37, DataRole39, DataRole4, DataRole41, DataRole49, DataRole5, DataRole51, DataRole53, DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, DataRole65, DataRole70, DataRole9, DataRole99, EscalationLevel1MsgUser, EscalationLevel2MsgUser, EvaluateAdjustmentMessageStateAdmin, GlobalFeeMsgUser, LocalEditAdmin, MedicalRecordViewer, MessageCommentConfigAdmin, MessageListingViewer, MessageReprocessUser, MessageSummaryViewer, PQIMsgSummaryViewer, PQIMsgUser, PostProcessConfigAdmin, PreExMsgUser, PurgeDF, PurgeMessage, PurgeNF, PurgeRF, PurgeRestoreAdmin, PurgeSF, ReassignUserAdmin, RemoteOperationViewer, RestoreViewer, SecurityConfigAdmin, SubscriberIDWildcardSearchAdmin, ValidUser, ValidUserCBF'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 2 of 9 in additional filter chain; firing Filter: 'LtpaSSOLogoutFilter'
[12/22/14 14:17:19:922 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 3 of 9 in additional filter chain; firing Filter: 'J2eePreAuthenticatedProcessingFilter'
[12/22/14 14:17:19:922 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter doFilter Checking secure context token: com.bcbsa.blue2.configuration.security.jee.DelegateToUserDetailsPreAuthenticatedAuthenticationToken@ba2bcf8a: Principal: com.bcbsa.blue2.configuration.security.model.springsecurity.AuthoritiesByBoidUser@6820f6c1: Username: MyId; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: AdjustmentMsgUser,BasicMsgUser,CBFUpdateUser,CBFViewOnlyUser,CSRNMsgUser,Claim276StatusWithoutSccf,ClaimDispositionDetailsViewer,ClaimMisrouteMsgUser,ClaimStatusRequester,ClaimSubmissionDetailsViewer,DataRole1,DataRole11,DataRole13,DataRole17,DataRole2,DataRole3,DataRole30,DataRole35,DataRole37,DataRole39,DataRole4,DataRole41,DataRole49,DataRole5,DataRole51,DataRole53,DataRole55,DataRole57,DataRole58,DataRole59,DataRole61,DataRole63,DataRole65,DataRole70,DataRole9,DataRole99,EscalationLevel1MsgUser,EscalationLevel2MsgUser,EvaluateAdjustmentMessageStateAdmin,GlobalFeeMsgUser,LocalEditAdmin,MedicalRecordViewer,MessageCommentConfigAdmin,MessageListingViewer,MessageReprocessUser,MessageSummaryViewer,PQIMsgSummaryViewer,PQIMsgUser,PostProcessConfigAdmin,PreExMsgUser,PurgeDF,PurgeMessage,PurgeNF,PurgeRF,PurgeRestoreAdmin,PurgeSF,ReassignUserAdmin,RemoteOperationViewer,RestoreViewer,SecurityConfigAdmin,SubscriberIDWildcardSearchAdmin,ValidUser,ValidUserCBF; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails@fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 3VjGU8WisdQb0Zvjzk7jYyc; Authorities: [DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, PurgeSF, PostProcessConfigAdmin, DataRole65, RestoreViewer, MessageReprocessUser, DataRole70, EvaluateAdjustmentMessageStateAdmin, EscalationLevel1MsgUser, PurgeDF, LocalEditAdmin, ClaimMisrouteMsgUser, DataRole99, AdjustmentMsgUser, CSRNMsgUser, ValidUserCBF, GlobalFeeMsgUser, MessageSummaryViewer, ClaimDispositionDetailsViewer, CBFViewOnlyUser, DataRole1, DataRole2, DataRole3, DataRole4, MedicalRecordViewer, DataRole5, DataRole9, PurgeMessage, BasicMsgUser, MessageListingViewer, RemoteOperationViewer, EscalationLevel2MsgUser, ClaimSubmissionDetailsViewer, CBFUpdateUser, ReassignUserAdmin, PQIMsgUser, PreExMsgUser, DataRole11, DataRole13, PurgeNF, DataRole17, PurgeRestoreAdmin, MessageCommentConfigAdmin, SubscriberIDWildcardSearchAdmin, SecurityConfigAdmin, DataRole30, DataRole35, DataRole37, DataRole39, ValidUser, Claim276StatusWithoutSccf, DataRole41, PQIMsgSummaryViewer, DataRole49, ClaimStatusRequester, DataRole51, DataRole53, PurgeRF]; Granted Authorities: AdjustmentMsgUser, BasicMsgUser, CBFUpdateUser, CBFViewOnlyUser, CSRNMsgUser, Claim276StatusWithoutSccf, ClaimDispositionDetailsViewer, ClaimMisrouteMsgUser, ClaimStatusRequester, ClaimSubmissionDetailsViewer, DataRole1, DataRole11, DataRole13, DataRole17, DataRole2, DataRole3, DataRole30, DataRole35, DataRole37, DataRole39, DataRole4, DataRole41, DataRole49, DataRole5, DataRole51, DataRole53, DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, DataRole65, DataRole70, DataRole9, DataRole99, EscalationLevel1MsgUser, EscalationLevel2MsgUser, EvaluateAdjustmentMessageStateAdmin, GlobalFeeMsgUser, LocalEditAdmin, MedicalRecordViewer, MessageCommentConfigAdmin, MessageListingViewer, MessageReprocessUser, MessageSummaryViewer, PQIMsgSummaryViewer, PQIMsgUser, PostProcessConfigAdmin, PreExMsgUser, PurgeDF, PurgeMessage, PurgeNF, PurgeRF, PurgeRestoreAdmin, PurgeSF, ReassignUserAdmin, RemoteOperationViewer, RestoreViewer, SecurityConfigAdmin, SubscriberIDWildcardSearchAdmin, ValidUser, ValidUserCBF
[12/22/14 14:17:19:922 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter getPreAuthenticatedPrincipal PreAuthenticated J2EE principal: null
[12/22/14 14:17:19:922 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter requiresAuthentication Pre-authenticated principal has changed to null and will be reauthenticated
[12/22/14 14:17:19:922 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter requiresAuthentication Invalidating existing session
[12/22/14 14:17:19:922 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter getPreAuthenticatedPrincipal PreAuthenticated J2EE principal: null
[12/22/14 14:17:19:938 CST] 000000a5 J2eePreAuthen 1 org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter doAuthenticate No pre-authenticated principal found in request
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[12/22/14 14:17:19:938 CST] 000000a5 AnonymousAuth 1 org.springframework.security.web.authentication.AnonymousAuthenticationFilter doFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'com.bcbsa.blue2.configuration.security.jee.DelegateToUserDetailsPreAuthenticatedAuthenticationToken@ba2bcf8a: Principal: com.bcbsa.blue2.configuration.security.model.springsecurity.AuthoritiesByBoidUser@6820f6c1: Username: MyId; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: AdjustmentMsgUser,BasicMsgUser,CBFUpdateUser,CBFViewOnlyUser,CSRNMsgUser,Claim276StatusWithoutSccf,ClaimDispositionDetailsViewer,ClaimMisrouteMsgUser,ClaimStatusRequester,ClaimSubmissionDetailsViewer,DataRole1,DataRole11,DataRole13,DataRole17,DataRole2,DataRole3,DataRole30,DataRole35,DataRole37,DataRole39,DataRole4,DataRole41,DataRole49,DataRole5,DataRole51,DataRole53,DataRole55,DataRole57,DataRole58,DataRole59,DataRole61,DataRole63,DataRole65,DataRole70,DataRole9,DataRole99,EscalationLevel1MsgUser,EscalationLevel2MsgUser,EvaluateAdjustmentMessageStateAdmin,GlobalFeeMsgUser,LocalEditAdmin,MedicalRecordViewer,MessageCommentConfigAdmin,MessageListingViewer,MessageReprocessUser,MessageSummaryViewer,PQIMsgSummaryViewer,PQIMsgUser,PostProcessConfigAdmin,PreExMsgUser,PurgeDF,PurgeMessage,PurgeNF,PurgeRF,PurgeRestoreAdmin,PurgeSF,ReassignUserAdmin,RemoteOperationViewer,RestoreViewer,SecurityConfigAdmin,SubscriberIDWildcardSearchAdmin,ValidUser,ValidUserCBF; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails@fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 3VjGU8WisdQb0Zvjzk7jYyc; Authorities: [DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, PurgeSF, PostProcessConfigAdmin, DataRole65, RestoreViewer, MessageReprocessUser, DataRole70, EvaluateAdjustmentMessageStateAdmin, EscalationLevel1MsgUser, PurgeDF, LocalEditAdmin, ClaimMisrouteMsgUser, DataRole99, AdjustmentMsgUser, CSRNMsgUser, ValidUserCBF, GlobalFeeMsgUser, MessageSummaryViewer, ClaimDispositionDetailsViewer, CBFViewOnlyUser, DataRole1, DataRole2, DataRole3, DataRole4, MedicalRecordViewer, DataRole5, DataRole9, PurgeMessage, BasicMsgUser, MessageListingViewer, RemoteOperationViewer, EscalationLevel2MsgUser, ClaimSubmissionDetailsViewer, CBFUpdateUser, ReassignUserAdmin, PQIMsgUser, PreExMsgUser, DataRole11, DataRole13, PurgeNF, DataRole17, PurgeRestoreAdmin, MessageCommentConfigAdmin, SubscriberIDWildcardSearchAdmin, SecurityConfigAdmin, DataRole30, DataRole35, DataRole37, DataRole39, ValidUser, Claim276StatusWithoutSccf, DataRole41, PQIMsgSummaryViewer, DataRole49, ClaimStatusRequester, DataRole51, DataRole53, PurgeRF]; Granted Authorities: AdjustmentMsgUser, BasicMsgUser, CBFUpdateUser, CBFViewOnlyUser, CSRNMsgUser, Claim276StatusWithoutSccf, ClaimDispositionDetailsViewer, ClaimMisrouteMsgUser, ClaimStatusRequester, ClaimSubmissionDetailsViewer, DataRole1, DataRole11, DataRole13, DataRole17, DataRole2, DataRole3, DataRole30, DataRole35, DataRole37, DataRole39, DataRole4, DataRole41, DataRole49, DataRole5, DataRole51, DataRole53, DataRole55, DataRole57, DataRole58, DataRole59, DataRole61, DataRole63, DataRole65, DataRole70, DataRole9, DataRole99, EscalationLevel1MsgUser, EscalationLevel2MsgUser, EvaluateAdjustmentMessageStateAdmin, GlobalFeeMsgUser, LocalEditAdmin, MedicalRecordViewer, MessageCommentConfigAdmin, MessageListingViewer, MessageReprocessUser, MessageSummaryViewer, PQIMsgSummaryViewer, PQIMsgUser, PostProcessConfigAdmin, PreExMsgUser, PurgeDF, PurgeMessage, PurgeNF, PurgeRF, PurgeRestoreAdmin, PurgeSF, ReassignUserAdmin, RemoteOperationViewer, RestoreViewer, SecurityConfigAdmin, SubscriberIDWildcardSearchAdmin, ValidUser, ValidUserCBF'
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
[12/22/14 14:17:19:938 CST] 000000a5 HttpSessionSe 1 org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper createNewSessionIfAllowed HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[12/22/14 14:17:19:938 CST] 000000a5 FilterChainPr 1 org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter /images/cbf/c_lt.png at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[12/22/14 14:17:19:938 CST] 000000a5 DefaultFilter 1 org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource lookupAttributes Converted URL to lowercase, from: '/images/cbf/c_lt.png'; to: '/images/cbf/c_lt.png'

UPDATE (12/24/14) -

Ok, so the issue is occurring in Spring Security, I believe. When the application tries to get the images from /images/cbf, instead of picking the pattern /images/* it's picking the pattern /**. By picking /** it's going through the Spring Security filters when it shouldn't be. So why is it picking the pattern /** instead of /images/*? Could this be an issue in WebSphere 8.5.5.1?

Here are the patterns it can choose.

<sec:http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" access-decision-manager-ref="httpRequestAccessDecisionManager">
    <sec:intercept-url pattern="/general/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <sec:intercept-url pattern="/j_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/favicon.ico" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/index*" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/javascript/*" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/css/*" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/images/*" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none"/>
    <sec:intercept-url pattern="/iframe_black*" access="IS_AUTHENTICATED_ANONYMOUSLY"  filters="none"/>
    <sec:intercept-url pattern="/WebHelp_Pro/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none"/>     
    <sec:intercept-url pattern="/j_spring_security_logout" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <sec:intercept-url pattern="/**" access="ValidUser"/>
    <sec:intercept-url pattern="/cbf/*" access="ValidUserCBF"/>
    <sec:custom-filter ref="j2eePreAuthFilter" position="PRE_AUTH_FILTER" />
    <sec:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />       
</sec:http>

Upvotes: 0

Views: 1352

Answers (1)

JeffK

Reputation: 11

I was able to resolve the issue by changing the intercept-url pattern from /images/* to /images/**. This allowed the images that were stored under /images/cbf or /images/cbf/button to not go through the Spring Security filters.

Upvotes: 1
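As an added example (not code from the question, the answer, or the vendor application), the following Python model of first-match filter-chain selection shows why /images/cbf/c_lt.png falls through to the /** chain under the question's original patterns and is caught by /images/** after the answer's fix. The chain order and filter counts come from the trace above; the Ant-style matching, the lowercase comparison, and the helper names `select_chain` and `trace_candidates` are my approximation of the Spring Security 3.x namespace behaviour, not Spring's own code.

```python
import re

# Added example, not code from the question or the vendor application. It
# models how Spring Security 3.x FilterChainProxy chooses a filter chain:
# every intercept-url with filters="none" is its own chain with an empty
# filter list, everything else falls into the default /** chain (9 filters
# in the trace). Chains are tried in configuration order and the FIRST
# match wins; there is no "most specific pattern" scoring.

# (pattern, number of filters) in the order the trace shows them being tried
ORIGINAL_CHAINS = [
    ("/j_security_check", 0),
    ("/favicon.ico", 0),
    ("/index*", 0),
    ("/javascript/*", 0),
    ("/css/*", 0),
    ("/images/*", 0),        # '*' covers ONE segment: /images/x.png only
    ("/iframe_black*", 0),
    ("/WebHelp_Pro/**", 0),
    ("/**", 9),              # default chain: the full springSecurityFilterChain
]

# The answer's fix: /images/* -> /images/** (everything below /images/)
FIXED_CHAINS = [(p if p != "/images/*" else "/images/**", n) for p, n in ORIGINAL_CHAINS]


def ant_to_regex(pattern: str) -> str:
    """Ant pattern -> anchored regex: '*' = within one segment, '**' = across
    segments, '?' = one char. A trailing '/**' also matches the bare prefix,
    as Spring's AntPathMatcher does."""
    suffix = "$"
    if pattern.endswith("/**"):
        pattern, suffix = pattern[:-3], "(/.*)?$"
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + suffix


def ant_match(pattern: str, path: str) -> bool:
    # The trace's "Converted URL to lowercase" lines: the 3.x URL matcher
    # compares case-insensitively, which is why /WebHelp_Pro/** appears as
    # /webhelp_pro/** in the log and still matches.
    return re.match(ant_to_regex(pattern.lower()), path.lower()) is not None


def trace_candidates(chains, path):
    """Reproduce the 'Candidate is ...; matched=' lines: each pattern tried,
    in order, up to and including the first match."""
    tried = []
    for pattern, _ in chains:
        matched = ant_match(pattern, path)
        tried.append((pattern, matched))
        if matched:
            break
    return tried


def select_chain(chains, path):
    """Return (pattern, filter_count) of the first chain that matches path."""
    for pattern, filters in chains:
        if ant_match(pattern, path):
            return pattern, filters
    raise LookupError(f"no chain for {path}")


if __name__ == "__main__":
    img = "/images/cbf/c_lt.png"   # the request that got the session invalidated
    for label, chains in (("original", ORIGINAL_CHAINS), ("fixed", FIXED_CHAINS)):
        pattern, n = select_chain(chains, img)
        print(f"{label:8s} {img} -> {pattern} ({n} filters)")
```

A static resource that lands in the /** chain runs through the pre-authentication filter, which is the step the trace shows invalidating the session, so the check worth keeping is that every static path prefix in the config uses /** rather than /*.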
