Spring Security - after log in user changed and session mixed up

Spring Security - after log in user changed and session mixed up

menilub
Recently I've been getting reports that sometimes people, after login, are getting another user that is working on the system at the same time; I see it by exploring the session. My users are split into different "tenants" in the domain model by parent organization, and this problem causes a mix between users, so one user is getting the session and the data of another. A big problem!


Has anyone seen problems like this before or have any ideas how I can track down what is going on?

 Thanks,
Meni
menil@opentunities.com

Re: Spring Security - after log in user changed and session mixed up

bond_
From what I understand, let's say User A is getting the data saved by User B.

IMHO this is something which you have to enforce in your controller and service. I assume that Spring Security doesn't provide security at such a low level (querying); correct me if I'm wrong with this statement.

--
View this message in context: http://grails.1312388.n4.nabble.com/Spring-Security-after-log-in-user-changed-and-session-mixed-up-tp4636714.html
Sent from the Grails - user mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email





--
Ravi Teja Lokineni | Software Engineer
SemanticBits India Pvt. Ltd.




Re: Spring Security - after log in user changed and session mixed up

Müller, Wolfgang
With ACL you can achieve that objects are only handed out by a service if the user who owns the session has the rights to access the object. So this is pretty fine-granular. However, you have to organise your Grails project into services.

To me this sounds like you use load balancing, but something goes wrong with your sticky sessions?

If not: I have no experience with multi-tenant, so I can't help there.
Cheers,
Wolfgang


Re: Spring Security - after log in user changed and session mixed up

menilub
It's not the case. The case is that User A is getting User B's user.
User A does login and, after navigating between controllers, suddenly the account is switched to the account of User B, meaning getCurrentUser or the sessions are mixed up and User A sees the account of User B.

Meni

Re: Spring Security - after log in user changed and session mixed up

bond_
If that's the case, no, I have not faced any such issues.

As Wolfgang has specified, it might be a problem with the load balancing and clustering stuff. If that's the case, try running a single instance and see if you can reproduce it or not.


Re: Spring Security - after log in user changed and session mixed up

menilub
The issue here is that I'm running a single instance without a balancer.
The application has been running on a Tomcat 6 Linux VPS server for more than 2 years, and the problem started a month ago.
From what I understand, the user sessions are mixed up and User A is getting User B's session. I need to point out that the users are connecting to the system from different locations.

Meni

Re: Spring Security - after log in user changed and session mixed up

bond_
Weird; ideally it should never happen. Anyway, wait for others to reply.


Re: Spring Security - after log in user changed and session mixed up

ideasculptor
I've used spring-security for many years, since before it was even an official Spring project, and I've never encountered this problem. I doubt it is the framework itself that is at fault, given the massively widespread use of the framework, unless you are deploying the nightly build or something. There's really not enough information in your query to posit a possible reason. At the very least, we need to know the versions of Grails, Spring, spring-security, and what version of Tomcat. What changed a month ago? It is very unlikely that the behaviour changed completely spontaneously without some software change somewhere. Do you have caching of any kind happening at any layer? Any unusual filters or interceptors running in your codebase which might be manipulating what the security filter is seeing?

The most likely candidate is probably putting state in a singleton class that gets shared between all threads/requests. If you have a singleton controller or service, for example, and you store the current user in a member of the class, then any other request that routes through that controller/service and accesses that member will see whatever object was placed there by the last request. Grails defaults to prototype controllers, so this shouldn't be an issue in a controller, but it is easy enough to change that behaviour in Grails (or maybe it changed with a software upgrade?), and Spring's default for other Spring-managed beans is still singleton, so it is very easy to wind up with a singleton class that isn't threadsafe if you aren't careful.

--sam
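The shared-singleton failure mode sam describes, as an added Java example (not code from the thread, from Grails, or from Spring): a singleton-scoped service keeps the "current user" in an instance field, so concurrent requests overwrite each other and one caller is handed another caller's account; the class names and the simulated request load are constructed for the illustration.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

// Added example, not code from the thread: the "state in a singleton" bug sam
// describes. Spring beans are singletons by default, so an instance field that
// is written per request is shared by every concurrent request.
public class SingletonStateLeak {
    // Buggy: the "current user" is kept in a field of the singleton service.
    static class LeakyAccountService {
        private String currentUser;               // one field for all threads
        String viewAccount(String user) throws InterruptedException {
            currentUser = user;                   // request A writes...
            Thread.sleep(50);                     // ...does work (e.g. a DB call)...
            return "account of " + currentUser;   // ...and reads whatever request B wrote
        }
    }
    // Fixed: per-request data travels with the request (as a parameter here; Spring
    // Security's SecurityContextHolder does the same with a ThreadLocal by default).
    static class SafeAccountService {
        String viewAccount(String user) throws InterruptedException {
            Thread.sleep(50);
            return "account of " + user;
        }
    }
    // Fires `requests` concurrent calls and counts how many saw another user's account.
    static int countMixups(boolean leaky, int requests) throws Exception {
        LeakyAccountService bad = new LeakyAccountService();
        SafeAccountService good = new SafeAccountService();
        ExecutorService pool = Executors.newFixedThreadPool(requests);
        CountDownLatch start = new CountDownLatch(1);
        AtomicInteger mixups = new AtomicInteger();
        for (int i = 0; i < requests; i++) {
            String user = "user" + i;
            pool.submit(() -> {
                start.await();                    // release all requests at once
                String seen = leaky ? bad.viewAccount(user) : good.viewAccount(user);
                if (!seen.equals("account of " + user)) mixups.incrementAndGet();
                return null;
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
        return mixups.get();
    }
    public static void main(String[] args) throws Exception {
        System.out.println("leaky singleton mix-ups: " + countMixups(true, 8));  // typically > 0
        System.out.println("safe service mix-ups:    " + countMixups(false, 8)); // always 0
    }
}
```

The leaky count is timing-dependent, which is exactly why such a bug only shows up under real concurrent load and not in single-user development.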


Re: Spring Security - after log in user changed and session mixed up

Peter Reiss
Hi,

Do you use Apache/mod_jk? We once had this issue; it was not Grails that was to blame, but there was a bug in mod_jk mixing up sessions under certain circumstances (sorry, I do not remember the details).

Regards,
Peter

--

Dr.-Ing. Peter Reiß
Software developer and deputy head of Projects & Processes
Friedrich-Alexander-Universität Erlangen-Nürnberg
Regionales Rechenzentrum Erlangen (RRZE)
Martensstraße 1, 91058 Erlangen, Germany
Tel.: +49 9131 85-25452
      +49 9131 85-27039
Fax:  +49 9131 85-25777
[hidden email]

Re: Spring Security - after log in user changed and session mixed up

menilub
Peter, thanks.
I'll check it; I'll try to find out the issue or remove the Apache.

Meni

Re: Spring Security - after log in user changed and session mixed up

Padraig
Meni, sorry to go back to an old message, but did the suggested Apache change fix your issue?

I am having a similar issue, but I cannot reproduce it myself.

Thanks,
Padraig


Re: Spring Security - after log in user changed and session mixed up

ravin.regmi
I know it's been long since you posted this thread, but I am also getting the same issue.
What is strange in my case is that the issue is only in PRODUCTION (not in development) and only on a specific ISP.
Let me know if you found a solution to this issue.

Re: Spring Security - after log in user changed and session mixed up

menilub
Ravin,
Sorry, I don't remember how it was fixed (5 years ago...) or what it was, but I have a vague memory of a session storage issue.
Please try to see if it's related to the server (Tomcat) restart that keeps and restores the old sessions and causes this session problem; if so, try to clean the session cache and storage from the server file system.

Regards,
Meni