Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hazelcast Session Clustering with Spring Security Problem #3049

Closed
mesutcelik opened this issue Jul 23, 2014 · 10 comments
Closed

Hazelcast Session Clustering with Spring Security Problem #3049

mesutcelik opened this issue Jul 23, 2014 · 10 comments
Assignees
@serkan-ozal
Labels
[OLD]Team: Integration Source: Internal PR or issue was opened by an employee Type: Defect
Milestone
3.3

Comments

@mesutcelik
Copy link

full story is here : https://groups.google.com/forum/#!topic/hazelcast/5LgM9LE-V_M

Basically the problem is Spring Security does not work well with Hazelcast Session Replication.

Workaround is to develop a custom LogoutHandler.

public class EventFiringSecurityContextLogoutHandler extends SecurityContextLogoutHandler implements ApplicationContextAware {
ApplicationContext applicationContext;

@Override
public void logout(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) {
    if (isInvalidateHttpSession()) {
        applicationContext.publishEvent(new HttpSessionDestroyedEvent(request.getSession()));
    }
    super.logout(request, response, authentication);
}

@Override
public void setApplicationContext(final ApplicationContext applicationContext) throws BeansException {
    this.applicationContext = applicationContext;
}

}

And LogoutFilter configuration:

<bean id="customLogoutHandler" class="EventFiringSecurityContextLogoutHandler">
</bean>
<bean id="customLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg index="0" ref="customLogoutSuccessHandler"></constructor-arg>
    <constructor-arg index="1">
        <list>
            <ref bean="customLogoutHandler"/>
        </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/logoutProcess"/>
</bean>
<security:http ...>
    <security:custom-filter ref="customLogoutFilter" position="LOGOUT_FILTER"/>
</security:http>
@emrahkocaman emrahkocaman self-assigned this Jul 25, 2014
@emrahkocaman
Copy link
Contributor

I've created a sample project to reproduce the problem but couldn't manage.
Login-Logout-Login and session expiration works well with Spring Security 3.2.3 and Hazelcast 3.3-RC3-SNAPSHOT.

Please use the sample project to reproduce the problem.
https://github.com/emrahkocaman/hazelcast-spring-security-sample

serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 6, 2014
fix for hazelcast#3049
3c7916e
serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 6, 2014
unit test for hazelcast#3049 and spring test infrastructure for hazel…
ef31223 
…cast-vm
@serkan-ozal
Copy link
Contributor

The issue is caused by that session is registered with Hazelcast session id and removed with native session id on "org.springframework.security.core.session.SessionRegistry" instance. Removing on session registry is triggered by "org.springframework.security.web.session.HttpSessionEventPublisher" listener defined in "web.xml". In this PR (#3184), Spring aware filter named ""com.hazelcast.web.spring.SpringAwareWebFilter" extending from "com.hazelcast.web.WebFilter", triggers "org.springframework.security.core.session.SessionRegistry" instance to remove session information. So for using Hazelcast web filter on Spring, "com.hazelcast.web.spring.SpringAwareWebFilter" must be used instead of "com.hazelcast.web.WebFilter" like:

<filter>
    <filter-name>hazelcast-filter</filter-name>
    <filter-class>com.hazelcast.web.spring.SpringAwareWebFilter</filter-class>
    ...
</filter>

In addition, anymore it is not needed defining both of Hazelcast Session Listener and Spring Session Listeners in web.xml since we are already send events to Spring. So defining "org.springframework.security.web.session.HttpSessionEventPublisher" as listener in web.xml is not needed anymore, if we use SpringAwareWebFilter. We only must define Hazelcast Session Listener like this:

<listener>
    <listener-class>com.hazelcast.web.SessionListener</listener-class>
</listener>

@mesutcelik If PR (#3184) is OK, I think, I should add this usage to our documentation. WDYT ?

serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 6, 2014
created package-info for fixing issue hazelcast#3049
2adfe66
serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 6, 2014
log messages updated for fixing issue hazelcast#3049
fcfdbdf
serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 7, 2014
javadoc comments added for fixing issue hazelcast#3049
85bf49b
serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 7, 2014
javadoc comments updated for fixing issue hazelcast#3049
de4c1b0
@Serdaro
Copy link
Contributor

Serdaro commented Aug 7, 2014

If verified, I think it is a useful information to be included in the Reference Manual, too. Let me know if such an update is done in the manual.

@serkan-ozal
Copy link
Contributor

@Serdaro Ok, after verify, I will do necessary updates and inform you.

@serkan-ozal
Copy link
Contributor

@mesutcelik verify ?

@mesutcelik
Copy link
Author

Can you please add your test cases? It seems none is available for SpringAwareWebFilter.

Running com.hazelcast.wm.test.TomcatWebFilterTest
Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 39.024 sec - in com.hazelcast.wm.test.TomcatWebFilterTest
Running com.hazelcast.wm.test.JettyWebFilterTest
Tests run: 44, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 320.112 sec - in com.hazelcast.wm.test.JettyWebFilterTest

https://hazelcast-l337.ci.cloudbees.com/job/Hazelcast-3.x-pr-builder/9780/console

serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 8, 2014
unit test for hazelcast#3049
9f86c83
@mesutcelik mesutcelik removed the PENDING label Aug 8, 2014
@mesutcelik mesutcelik added this to the 3.3 milestone Aug 8, 2014
@mesutcelik
Copy link
Author

@serkan-ozal ,

Can you optimize SpringAwareWebFilterTest to run through all our available test cases.
I think it is good to see the same number of test cases that JettyWebFilterTest executes.

Running com.hazelcast.wm.test.TomcatWebFilterTest
Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 38.808 sec - in com.hazelcast.wm.test.TomcatWebFilterTest
Running com.hazelcast.wm.test.JettyWebFilterTest
Tests run: 44, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 326.06 sec - in com.hazelcast.wm.test.JettyWebFilterTest
Running com.hazelcast.wm.test.spring.SpringAwareWebFilterTest
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 8.898 sec - in com.hazelcast.wm.test.spring.SpringAwareWebFilterTest

serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 12, 2014
unit test for hazelcast#3049 and test infrastructure to run all tests…
a78cd6e 
… for both webfilter and springawarewebfilter
mesutcelik pushed a commit that referenced this issue Aug 13, 2014
Merge pull request #3184 from serkan-ozal/fix/master/issue-3049
4652cb3 
Fix and Unit Test for #3049 (Hazelcast Session Clustering with Spring Security Problem)
@mesutcelik
Copy link
Author

closed via #3184

@bilalyasar
Copy link
Contributor

after fix, i built latest version of hazelcast in my machine and i tried to run sample project.
my steps are:
-create .war file
-copy war file to tomcat
-start tomcat
at this point project seems working well.
then
-i started new hazelcast instance in my machine (same version-build)
-and these instances connected automatically. (they have same xml file and tcp-ip is true)
-then i tried project (try to login)

SEVERE: [127.0.0.1]:5702 [dev] [3.3-RC4-SNAPSHOT] java.lang.ClassNotFoundException: org.springframework.security.web.savedrequest.DefaultSavedRequest
com.hazelcast.nio.serialization.HazelcastSerializationException: java.lang.ClassNotFoundException: org.springframework.security.web.savedrequest.DefaultSavedRequest
    at com.hazelcast.nio.serialization.DefaultSerializers$ObjectSerializer.read(DefaultSerializers.java:201)
    at com.hazelcast.nio.serialization.StreamSerializerAdapter.read(StreamSerializerAdapter.java:63)
    at com.hazelcast.nio.serialization.SerializationServiceImpl.readObject(SerializationServiceImpl.java:285)
    at com.hazelcast.nio.serialization.SerializationServiceImpl.toObject(SerializationServiceImpl.java:262)
    at com.hazelcast.spi.impl.NodeEngineImpl.toObject(NodeEngineImpl.java:186)
    at com.hazelcast.map.AbstractMapServiceContextSupport.toObject(AbstractMapServiceContextSupport.java:63)
    at com.hazelcast.map.DefaultMapServiceContext.toObject(DefaultMapServiceContext.java:21)
    at com.hazelcast.map.operation.PartitionWideEntryBackupOperation.run(PartitionWideEntryBackupOperation.java:55)
    at com.hazelcast.spi.impl.BasicOperationService$OperationHandler.handle(BasicOperationService.java:672)
    at com.hazelcast.spi.impl.BasicOperationService$OperationHandler.access$400(BasicOperationService.java:648)
    at com.hazelcast.spi.impl.BasicOperationService.runOperationOnCallingThread(BasicOperationService.java:222)
    at com.hazelcast.spi.impl.Backup.run(Backup.java:95)
    at com.hazelcast.spi.impl.BasicOperationService$OperationHandler.handle(BasicOperationService.java:672)
    at com.hazelcast.spi.impl.BasicOperationService$OperationHandler.access$400(BasicOperationService.java:648)
    at com.hazelcast.spi.impl.BasicOperationService$OperationPacketHandler.handle(BasicOperationService.java:622)
    at com.hazelcast.spi.impl.BasicOperationService$OperationPacketHandler.handle(BasicOperationService.java:590)
    at com.hazelcast.spi.impl.BasicOperationService$OperationPacketHandler.access$1400(BasicOperationService.java:577)
    at com.hazelcast.spi.impl.BasicOperationService$BasicDispatcherImpl.dispatch(BasicOperationService.java:532)
    at com.hazelcast.spi.impl.BasicOperationScheduler$OperationThread.process(BasicOperationScheduler.java:439)
    at com.hazelcast.spi.impl.BasicOperationScheduler$OperationThread.doRun(BasicOperationScheduler.java:433)
    at com.hazelcast.spi.impl.BasicOperationScheduler$OperationThread.run(BasicOperationScheduler.java:408)
Caused by: java.lang.ClassNotFoundException: org.springframework.security.web.savedrequest.DefaultSavedRequest
    at java.net.URLClassLoader$1.run(URLClassLoader.java:366)

Does it expected errors?

@serkan-ozal
Copy link
Contributor

Hi @bilalyasar,

There are some non-existing dependencies since they are defined in "pom.xml" as provided or test scoped. So they are not exported to generated war file. You must add them your "pom.xml"

    ...
    <properties>
        ...
        <!-- or any other Spring version -->
        <org.springframework.version>3.1.0.RELEASE</org.springframework.version>
        ...
    </properties>

    ...

        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-core</artifactId>
            <version>${org.springframework.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context</artifactId>
            <version>${org.springframework.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${org.springframework.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-web</artifactId>
            <version>${org.springframework.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>${org.springframework.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${org.springframework.version}</version>
        </dependency>

serkan-ozal added a commit to serkan-ozal/hazelcast that referenced this issue Aug 14, 2014
@serkan-ozal
documentation for issue hazelcast#3049
701dceb
serkan-ozal added a commit to serkan-ozal/hazelcast that referenced this issue Aug 14, 2014
@serkan-ozal
documentation for issue hazelcast#3049
3711e2d
serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 14, 2014
removed console logs for issue hazelcast#3049
ad36956
serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 14, 2014
documentation for issue hazelcast#3049
152eb7e
Serdaro added a commit that referenced this issue Aug 15, 2014
@Serdaro
Merge pull request #3267 from serkan-ozal/fix/master/issue-3049
5aeaa7b 
Documentation and minor refactors for issue #3049
serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 15, 2014
documentation fix "pom.xml -> web.xml" for issue hazelcast#3049
f6c3d50
serkan-ozal pushed a commit to serkan-ozal/hazelcast that referenced this issue Aug 15, 2014
checkstyle fix for issue hazelcast#3049
b97e91f
@mmedenjak mmedenjak added the Source: Internal PR or issue was opened by an employee label Jan 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@serkan-ozal serkan-ozal

Labels
[OLD]Team: Integration Source: Internal PR or issue was opened by an employee Type: Defect
Projects
None yet
Milestone
3.3
Development

No branches or pull requests
6 participants
@mesutcelik @emrahkocaman @serkan-ozal @Serdaro @bilalyasar @mmedenjak