New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hazelcast Session Clustering with Spring Security Problem #3049
Comments
I've created a sample project to reproduce the problem but couldn't manage. Please use the sample project to reproduce the problem. |
The issue is caused by that session is registered with Hazelcast session id and removed with native session id on "org.springframework.security.core.session.SessionRegistry" instance. Removing on session registry is triggered by "org.springframework.security.web.session.HttpSessionEventPublisher" listener defined in "web.xml". In this PR (#3184), Spring aware filter named ""com.hazelcast.web.spring.SpringAwareWebFilter" extending from "com.hazelcast.web.WebFilter", triggers "org.springframework.security.core.session.SessionRegistry" instance to remove session information. So for using Hazelcast web filter on Spring, "com.hazelcast.web.spring.SpringAwareWebFilter" must be used instead of "com.hazelcast.web.WebFilter" like: <filter>
<filter-name>hazelcast-filter</filter-name>
<filter-class>com.hazelcast.web.spring.SpringAwareWebFilter</filter-class>
...
</filter> In addition, anymore it is not needed defining both of Hazelcast Session Listener and Spring Session Listeners in web.xml since we are already send events to Spring. So defining "org.springframework.security.web.session.HttpSessionEventPublisher" as listener in web.xml is not needed anymore, if we use SpringAwareWebFilter. We only must define Hazelcast Session Listener like this: <listener>
<listener-class>com.hazelcast.web.SessionListener</listener-class>
</listener> @mesutcelik If PR (#3184) is OK, I think, I should add this usage to our documentation. WDYT ? |
If verified, I think it is a useful information to be included in the Reference Manual, too. Let me know if such an update is done in the manual. |
@Serdaro Ok, after verify, I will do necessary updates and inform you. |
@mesutcelik verify ? |
Can you please add your test cases? It seems none is available for SpringAwareWebFilter.
https://hazelcast-l337.ci.cloudbees.com/job/Hazelcast-3.x-pr-builder/9780/console |
Can you optimize SpringAwareWebFilterTest to run through all our available test cases.
|
… for both webfilter and springawarewebfilter
Fix and Unit Test for #3049 (Hazelcast Session Clustering with Spring Security Problem)
closed via #3184 |
after fix, i built latest version of hazelcast in my machine and i tried to run sample project.
Does it expected errors? |
Hi @bilalyasar, There are some non-existing dependencies since they are defined in "pom.xml" as provided or test scoped. So they are not exported to generated war file. You must add them your "pom.xml" ...
<properties>
...
<!-- or any other Spring version -->
<org.springframework.version>3.1.0.RELEASE</org.springframework.version>
...
</properties>
...
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${org.springframework.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${org.springframework.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${org.springframework.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${org.springframework.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${org.springframework.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${org.springframework.version}</version>
</dependency> |
Documentation and minor refactors for issue #3049
full story is here : https://groups.google.com/forum/#!topic/hazelcast/5LgM9LE-V_M
Basically the problem is Spring Security does not work well with Hazelcast Session Replication.
Workaround is to develop a custom LogoutHandler.
public class EventFiringSecurityContextLogoutHandler extends SecurityContextLogoutHandler implements ApplicationContextAware {
ApplicationContext applicationContext;
}
And LogoutFilter configuration:
The text was updated successfully, but these errors were encountered: