Recently I've been getting reports that sometimes people, after login, are getting another user that is working on the system at the same time - I see it by exploring the session. My users are split into different "tenants" in the domain model by parent organization, and this problem causes a mix-up between users, so one user is getting the session and the data of another - a big problem!
Has anyone seen problems like this before or have any ideas how I can track down what is going on? Thanks, Meni menil@opentunities.com
From what I understand, let's say User A is getting the data saved by User B.
IMHO this is something which you have to enforce in your controller and service. I assume that Spring Security doesn't provide security at such a low level (querying); correct me if I'm wrong with this statement.

On Thu, Oct 18, 2012 at 8:04 PM, menilub <[hidden email]> wrote:
> Recently I've been getting reports that sometimes people after login getting

--
Ravi Teja Lokineni | Software Engineer SemanticBits India Pvt. Ltd.
With ACL you can achieve that objects are only handed out by a service if the user who owns the session has the rights to access the object. So this is pretty fine-grained. However, you have to organise your Grails project into services.
To me this sounds like you use load balancing, but something goes wrong with your sticky sessions? If not, I have no experience with multi-tenant, so I can't help there.
Cheers, Wolfgang

On Fri, Oct 19, 2012 at 11:40 AM, Ravi Teja Lokineni <[hidden email]> wrote:
> From what I understand lets say User A is getting the data saved by User B.
It's not the case - the case is that user A is getting user B's user.
User A is doing login, and after navigating between controllers suddenly the account is switched to the account of user B, meaning getCurrentUser or sessions are mixed up and user A sees the account of user B. Meni
If that's the case, no, I have not faced any such issues.
As Wolfgang has specified, it might be a problem with the load balancing and clustering stuff. If that's the case, try running a single instance and see if you can reproduce it or not.

On Fri, Oct 19, 2012 at 3:24 PM, menilub <[hidden email]> wrote:
> it's not the case - the case is that user A getting User B user.

--
Ravi Teja Lokineni | Software Engineer SemanticBits India Pvt. Ltd.
The issue here is that I'm running a single instance without a balancer.
The application has been running on a Tomcat 6 Linux VPS server for more than 2 years and the problem started a month ago. From what I understand the user sessions are mixed up and user A is getting user B's session. I need to indicate that the users are connecting to the system from different locations. Meni
Weird, ideally it should never happen. Anyway, wait for others to reply.

On Fri, Oct 19, 2012 at 3:52 PM, menilub <[hidden email]> wrote:
> the issue here is that i'm running a single instance without a balancer

--
Ravi Teja Lokineni | Software Engineer SemanticBits India Pvt. Ltd.
I've used spring-security for many years, since before it was even an official Spring project, and I've never encountered this problem. I doubt it is the framework itself that is at fault, given the massively widespread use of the framework, unless you are deploying the nightly build or something. There's really not enough information in your query to posit a possible reason. At the very least, we need to know versions of Grails, Spring, spring-security, and what version of Tomcat. What changed a month ago? It is very unlikely that the behaviour changed completely spontaneously without some software change somewhere. Do you have caching of any kind happening at any layer? Any unusual filters or interceptors running in your codebase which might be manipulating what the security filter is seeing?

The most likely candidate is probably putting state in a singleton class that gets shared between all threads/requests. If you have a singleton controller or service, for example, and you store the current user in a member of the class, then any other request that routes through that controller/service and accesses that member will see whatever object was placed there by the last request. Grails defaults to prototype controllers, so this shouldn't be an issue in a controller, but it is easy enough to change that behaviour in Grails (or maybe it changed with a software upgrade?), and Spring's default for other Spring-managed beans is still singleton, so it is very easy to wind up with a singleton class that isn't threadsafe if you aren't careful.

--sam

On Fri, Oct 19, 2012 at 4:13 AM, Ravi Teja Lokineni <[hidden email]> wrote:
> Weird, ideally it should never happen. Anyways wait for others to reply.
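The singleton-state failure mode Sam describes can be reproduced outside Grails in a few lines. The following is a constructed example added here, not code from the thread and not Grails or Spring code; the class and method names (`AccountService`, `LeakyAccountService`, `SafeAccountService`, `userSeenByRequestA`) are assumptions. Two "request" threads go through one shared service instance, the way every request shares a singleton Spring bean: request A logs in, request B logs in while A is still mid-request, and A then asks the service who it is.

```java
import java.util.concurrent.CountDownLatch;

// Constructed example (not from the thread, not Grails/Spring code): two
// "request" threads run through one shared service instance, the way every
// request shares a singleton Spring bean.
public class SessionMixupDemo {

    interface AccountService {
        void login(String user);      // called when a request's user is resolved
        String currentUser();         // called later in the same request
        default void requestDone() {} // hook for per-request cleanup
    }

    // The failure mode: per-request state kept in a field of a singleton.
    // Whichever request wrote the field last wins, for every thread.
    static class LeakyAccountService implements AccountService {
        private String currentUser;
        public void login(String user) { currentUser = user; }
        public String currentUser() { return currentUser; }
    }

    // One fix: keep the state per thread and clear it when the request ends,
    // so a pooled thread never carries a previous request's user.
    static class SafeAccountService implements AccountService {
        private final ThreadLocal<String> currentUser = new ThreadLocal<>();
        public void login(String user) { currentUser.set(user); }
        public String currentUser() { return currentUser.get(); }
        public void requestDone() { currentUser.remove(); }
    }

    // Choreography: A logs in, then B's request arrives and logs in while A is
    // still mid-request, then A asks the service who it is. Returns A's answer;
    // the correct answer is always "userA".
    static String userSeenByRequestA(AccountService svc) throws InterruptedException {
        CountDownLatch aLoggedIn = new CountDownLatch(1);
        CountDownLatch bLoggedIn = new CountDownLatch(1);
        String[] seenByA = new String[1];

        Thread requestA = new Thread(() -> {
            svc.login("userA");
            aLoggedIn.countDown();
            await(bLoggedIn);                 // A is busy while B's request runs
            seenByA[0] = svc.currentUser();
            svc.requestDone();
        });
        Thread requestB = new Thread(() -> {
            await(aLoggedIn);
            svc.login("userB");
            bLoggedIn.countDown();
            svc.requestDone();
        });
        requestA.start();
        requestB.start();
        requestA.join();
        requestB.join();
        return seenByA[0];
    }

    private static void await(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("leaky singleton : request A sees "
                + userSeenByRequestA(new LeakyAccountService()));
        System.out.println("thread-local    : request A sees "
                + userSeenByRequestA(new SafeAccountService()));
    }
}
```

With the leaky service, request A is told it is "userB", which is exactly the symptom in this thread; the ThreadLocal version answers "userA" because each thread holds its own value and clears it when the request ends. In a Grails application the practical check is to grep services, filters and interceptors for fields that hold a user, principal or `Authentication` object, and to resolve the user per request (for example via the Spring Security plugin's `springSecurityService.currentUser`) instead of caching it in a singleton bean.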
Hi, do you use Apache/mod_jk? We once had this issue - Grails was not to blame, but there was a bug in mod_jk mixing up sessions under certain circumstances (sorry, I do not remember details). Regards, Peter

On 18.10.2012 16:34, menilub wrote:
> Recently I've been getting reports that sometimes people after login getting another user that is working on the system in the same time - i see it by exploring the session.

--
Dr.-Ing. Peter Reiß, Software Developer and Deputy Head of Projects & Processes, Friedrich-Alexander-Universität Erlangen-Nürnberg, Regionales Rechenzentrum Erlangen (RRZE), Martensstraße 1, 91058 Erlangen, Germany. Tel.: +49 9131 85-25452, +49 9131 85-27039; Fax: +49 9131 85-25777; [hidden email]
Peter, thanks.
I'll check it - I'll try to find out the issue or remove the Apache. Meni
Meni, sorry to go back to an old message, but did the suggested Apache change fix your issue?
I am having a similar issue, but I cannot reproduce it myself. Thanks, Padraig
I know it's been a long time since you posted this thread, but I am also getting the same issue.
What is strange in my case is that the issue is only in PRODUCTION (not in development) and with a specific ISP. Let me know if you found a solution to this issue.
Ravin,
Sorry, I don't remember how it was fixed (5 years ago...) and what it was - but I have a vague memory of a session storage issue. Please try to see if it's related to the server (Tomcat) restart that keeps and restores the old sessions and causes this session problem - if so, try to clean the server file system from session cache and storage. Regards, Meni