multiple user session created on spring logout #53

Closed
sharadkeer opened this issue Apr 26, 2017 · 0 comments

sharadkeer commented Apr 26, 2017

Hi,

I am experiencing the following issues on Hazelcast with Spring Security. We are running the application with the following technology stack:

  • Java: 1.8
  • Hazelcast version: 3.7.5
  • Hazelcast-WM version: 3.8
  • Spring-security: 4.2.3
  • Spring-security-web: 4.0.1

Issue#1:

  • Multiple user sessions are created when the user logs out of the application

Description:

  • We are using generic web session replication for managing user sessions in a centralised Hazelcast server. After populating the user session in the cache, if the user logs out, I have noticed the Hazelcast API internally creating a number of new user sessions in the centralised cache server. The new sessions are not consistent in number: sometimes it creates 2, but sometimes more than that.

Issue#2:

  • Throwing java.lang.IllegalStateException: invalidate: Session already invalidated when the user logs out of the application and tries to log in again.

Description:

  • After populating the user session in the cache, if the user logs out and tries to log in again in the same browser window, we get the following exception:

```
java.lang.IllegalStateException: invalidate: Session already invalidated
	org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1249)
	org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:190)
	com.hazelcast.web.HazelcastHttpSession.invalidate(HazelcastHttpSession.java:178)
	org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler.logout(SecurityContextLogoutHandler.java:65)
	org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:112)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:96)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:133)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:152)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
	org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
	org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
	org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	com.hazelcast.web.WebFilter.doFilter(WebFilter.java:287)
```

However, the above exception is not consistent, because sometimes the user is able to log in again, but if we try to log out after that, we get this exception again. Most likely we are getting this issue after user logout. I found a similar issue reported at the following URL:

hazelcast/hazelcast#3742

But it seems like its fixes are not available in hazelcast-wm-3.8. The following is the configuration used:

```xml
<web-app>

    <!-- Hazelcast session replication filter (Spring-aware variant) -->
    <filter>
        <filter-name>hazelcast-filter</filter-name>
        <filter-class>com.hazelcast.web.spring.SpringAwareWebFilter</filter-class>
        <init-param>
            <param-name>map-name</param-name>
            <param-value>sessions</param-value>
        </init-param>
        <init-param>
            <param-name>sticky-session</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>cookie-name</param-name>
            <param-value>hazelcast.sessionId</param-value>
        </init-param>
        <init-param>
            <param-name>debug</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>use-client</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>instance-name</param-name>
            <param-value>axis-centralize-cache</param-value>
        </init-param>
        <init-param>
            <param-name>shutdown-on-destroy</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>hazelcast-filter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    <listener>
        <listener-class>com.hazelcast.web.SessionListener</listener-class>
    </listener>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:context/applicationContext.xml</param-value>
    </context-param>

    <filter>
        <filter-name>characterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>

    <!-- Spring Security filter chain -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>characterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>webservices</servlet-name>
        <servlet-class>org.springframework.ws.transport.http.MessageDispatcherServlet</servlet-class>
        <init-param>
            <param-name>transformWsdlLocations</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value></param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>webservices</servlet-name>
        <url-pattern>*.wsdl</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>webservices</servlet-name>
        <url-pattern>/b2b-soap-endpoints/*</url-pattern>
    </servlet-mapping>

    <!-- Container session timeout, in minutes -->
    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>
</web-app>
```
emre-aydin self-assigned this Sep 12, 2017
emre-aydin added the bug label Sep 12, 2017
emre-aydin added this to the 3.8.3 milestone Sep 12, 2017
emre-aydin added a commit that referenced this issue Sep 18, 2017
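
An added triage example, not part of the original report or of the hazelcast-wm project: a small Python audit for a web.xml like the one posted. It checks that the file is well-formed, that every declared filter is mapped, and that the Hazelcast session filter is the first mapped filter, as in the reported trace where `com.hazelcast.web.WebFilter.doFilter` is the outermost frame. The names `audit_web_xml`, `filter_xml`, `mapping_xml` and the `SAMPLE` skeleton are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HZ_CLASSES = {"com.hazelcast.web.WebFilter",
              "com.hazelcast.web.spring.SpringAwareWebFilter"}

def filter_xml(name, cls):
    """Build a <filter> element (helper for the constructed sample)."""
    return ("<filter><filter-name>%s</filter-name>"
            "<filter-class>%s</filter-class></filter>" % (name, cls))

def mapping_xml(name):
    """Build a <filter-mapping> element on /* (helper for the sample)."""
    return ("<filter-mapping><filter-name>%s</filter-name>"
            "<url-pattern>/*</url-pattern></filter-mapping>" % name)

# Constructed sample: the filter skeleton of the web.xml in the report.
SAMPLE = ("<web-app>"
          + filter_xml("hazelcast-filter", "com.hazelcast.web.spring.SpringAwareWebFilter")
          + mapping_xml("hazelcast-filter")
          + filter_xml("characterEncodingFilter", "org.springframework.web.filter.CharacterEncodingFilter")
          + filter_xml("springSecurityFilterChain", "org.springframework.web.filter.DelegatingFilterProxy")
          + mapping_xml("characterEncodingFilter")
          + mapping_xml("springSecurityFilterChain")
          + "</web-app>")

def audit_web_xml(text):
    """Return (mapping_order, findings) for a web.xml document given as a string."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [], ["not well-formed: %s" % exc]
    for el in root.iter():  # tolerate a namespaced <web-app> root
        el.tag = el.tag.split("}")[-1]
    declared = {f.findtext("filter-name", "").strip():
                f.findtext("filter-class", "").strip()
                for f in root.iter("filter")}
    # The container invokes url-pattern filters in filter-mapping order.
    order = [m.findtext("filter-name", "").strip()
             for m in root.iter("filter-mapping")]
    findings = ["filter %r is declared but never mapped" % n
                for n in declared if n not in order]
    findings += ["mapping refers to undeclared filter %r" % n
                 for n in order if n not in declared]
    hz = [n for n, c in declared.items() if c in HZ_CLASSES]
    if not hz:
        findings.append("no Hazelcast session filter declared")
    elif not order or order[0] != hz[0]:
        findings.append("%r is not the first mapped filter" % hz[0])
    return order, findings
```

An empty findings list for the sample means the filter ordering matches the trace, so the ordering itself can be ruled out before looking at the session handling code.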