Spring Security - after log in user changed and session mixed up
Locked
 
|
|
From what I understand lets say User A is getting the data saved by User B.
IMHO This is something which you have to enforce in your controller and service. I assume that spring security doesn't provide security at such a low level(querying), correct me if I'm wrong with this statement. On Thu, Oct 18, 2012 at 8:04 PM, menilub <[hidden email]> wrote: Recently I've been getting reports that sometimes people after login getting -- Ravi Teja Lokineni | Software Engineer SemanticBits India Pvt. Ltd. |
|
With ACL you can achieve that objects are only handed out by a service, if the user who owns the session has the rights to access the object. So this is pretty fine granular. However, you have to organise your Grails project into services.
To me this sounds like you use load balancing, but something goes wrong with your sticky sessions? If not, I have no experience with multi-tenant so I can't help there.
Cheers, Wolfgang On Fri, Oct 19, 2012 at 11:40 AM, Ravi Teja Lokineni <[hidden email]> wrote: From what I understand lets say User A is getting the data saved by User B. |
|
|
|
|
If that's the case, no I have not faced any such issues.
As Wolfgang has specified it might be a problem with the load balancing and clustering stuff. If that's the case try running a single instance and see if you can reproduce it or not. On Fri, Oct 19, 2012 at 3:24 PM, menilub <[hidden email]> wrote: it's not the case - the case is that user A getting User B user. -- Ravi Teja Lokineni | Software Engineer SemanticBits India Pvt. Ltd.
|
|
|
|
|
Weird, ideally it should never happen. Anyways wait for others to reply.
On Fri, Oct 19, 2012 at 3:52 PM, menilub <[hidden email]> wrote: the issue here is that i'm running a single instance without a balancer -- Ravi Teja Lokineni | Software Engineer SemanticBits India Pvt. Ltd.
|
|
I've used spring-security for many years, since before it was even an official spring project, and I've never encountered this problem. I doubt it is the framework itself that is at fault, given the massively widespread use of the framework, unless you are deploying the nightly build or something. There's really not enough information in your query to posit a possible reason. At the very least, we need to know versions of grails, spring, spring-security, what version of tomcat. What changed a month ago? It is very unlikely that the behaviour changed completely spontaneously without some software change somewhere. Do you have caching of any kind happening at any layer? Any unusual filters or interceptors running in your codebase which might be manipulating what the security filter is seeing?
The most likely candidate is probably putting state in a singleton class that gets shared between all threads/requests. If you have a singleton controller or service, for example, and you store the current user in a member of the class, then any other request that routes through that controller/service and accesses that member will see whatever object was placed there by the last request. Grails defaults to prototype controllers, so this shouldn't be an issue in a controller, but it is easy enough to change that behaviour in grails (or maybe it changed with a software upgrade?) and spring's default for other spring-managed beans is still singleton, so it is very easy to wind up with a singleton class that isn't threadsafe if you aren't careful. --sam On Fri, Oct 19, 2012 at 4:13 AM, Ravi Teja Lokineni <[hidden email]> wrote: Weird, ideally it should never happen. Anyways wait for others to reply. |
|
|
|
|
|
Loading...
| Free forum by Nabble | Edit this page |