Spring security 4 throwing Bad Credentials even if they're right




Asked on September 11, 2016
Hello!
I have a problem with Spring security 4 (using DB authentication) occasionally throwing Bad Credentials. But after several project builds and deployments (on Tomcat 8), without changing anything in the code, it recognizes the credentials. 
Furthermore, when the error is thrown, I have no errors in the console, I set the hibernate BasicBinder log level to trace and I can see the queries being performed correctly and retrieving the right user.
Has anyone had this problem? Is this a bug of some sort? How can I solve it?
Thank you!



Replied on September 11, 2016
It could be a Concurrent Session Control issue.
If we have configured

<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />

then we can log in only with the given max sessions, and then it will throw an error.
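
The Java-config equivalent of the XML element in the reply above, added here as an example (it is not part of the reply or of the asker's project). The class names are hypothetical, and it assumes the application registers Spring Security through AbstractSecurityWebApplicationInitializer:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Hypothetical class name. Java-config form of
// <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
@Configuration
@EnableWebSecurity
public class ConcurrencyControlExampleConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").hasAnyRole("USER")
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                .maximumSessions(1)               // max-sessions="1"
                .maxSessionsPreventsLogin(true);  // error-if-maximum-exceeded="true"
    }
}

// Hypothetical initializer. Registers HttpSessionEventPublisher so that expired
// or destroyed HTTP sessions are removed from the session registry; without it,
// a user whose old session timed out can stay counted against the limit.
class SecurityInitializerExample extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected boolean enableHttpSessionEventPublisher() {
        return true;
    }
}
```

If neither this Java form nor the XML element appears in the application, concurrent session control is not active and the login limit described above does not apply.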





Replied on September 25, 2016
I don't set that anywhere in the code.
Here's my Hibernate & DataSource configuration:
@Configuration
@ComponentScan(basePackages = "laura.bachelordegree")
@EnableTransactionManagement
@EnableWebSecurity
//@EnableGlobalMethodSecurity
@Import({SecurityConfig.class})
public class HibernateUtils {
    @Autowired
    @Qualifier("sessionFactory")
    private static SessionFactory sessionFactory = buildSessionFactory();

    @Bean
    private static SessionFactory buildSessionFactory() {
        try {
            if (sessionFactory == null) {
                org.hibernate.cfg.Configuration configuration = new org.hibernate.cfg.Configuration();
                addAnnotatedClasses(configuration);
                StandardServiceRegistryBuilder serviceRegistryBuilder = new StandardServiceRegistryBuilder();
                DataSource datasource = getDataSource();
                serviceRegistryBuilder.applySetting(Environment.DATASOURCE, datasource);
                serviceRegistryBuilder.applySettings(configuration.getProperties());
                Properties hibernateProperties = setHibernateProperties();
                serviceRegistryBuilder.applySettings(hibernateProperties);
                StandardServiceRegistry serviceRegistry = serviceRegistryBuilder.build();
                sessionFactory = configuration.buildSessionFactory(serviceRegistry);
            }
            return sessionFactory;
        } catch (Throwable ex) {
            System.err.println("Initial SessionFactory creation failed." + ex);
            throw new ExceptionInInitializerError(ex);
        }
    }

    @Bean
    public static DataSource getDataSource() {
        BasicDataSource dataSource = new BasicDataSource();
        dataSource.setDriverClassName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
        dataSource.setUrl("jdbc:sqlserver://localhost:1433;databaseName=Licenta");
        dataSource.setUsername("sa");
        dataSource.setPassword("admin9");
        return dataSource;
    }

    private static Properties setHibernateProperties() {
        Properties properties = new Properties();
        properties.put("hibernate.dialect", "org.hibernate.dialect.SQLServer2008Dialect");
        properties.put("hibernate.hbm2ddl.auto", "update");
        properties.put("hibernate.show_sql", "true");
        properties.put("hibernate.format_sql", "true");
        properties.put("hibernate.current_session_context_class", "thread");
        return properties;
    }

    @Bean
    @Autowired
    public HibernateTransactionManager transactionManager(SessionFactory sessionFactory) {
        HibernateTransactionManager txManager = new org.springframework.orm.hibernate5.HibernateTransactionManager();
        txManager.setSessionFactory(sessionFactory);

        return txManager;
    }

    @Bean
    public PersistenceExceptionTranslationPostProcessor exceptionTranslation() {
        return new PersistenceExceptionTranslationPostProcessor();
    }

    public static void addAnnotatedClasses(org.hibernate.cfg.Configuration configuration) {
        configuration.addAnnotatedClass(Inhabitant.class);
        configuration.addAnnotatedClass(User.class);
        configuration.addAnnotatedClass(Role.class);
        configuration.addAnnotatedClass(Apartment.class);
        configuration.addAnnotatedClass(Rent.class);
    }

    public static SessionFactory getSessionFactory() {
        return sessionFactory;
    }

    public static void shutdown() {
        getSessionFactory().close();
    }
}

And this is the security configuration:

@Configuration
@EnableWebSecurity
@ComponentScan(package_name)
@EnableAspectJAutoProxy(proxyTargetClass = true)
@EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled=true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    final static Logger logger = LogManager.getLogger(SecurityConfig.class);

    @Autowired
    @Qualifier("userDetailsService")
    UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        try {
            http.authorizeRequests().antMatchers("/**").hasAnyRole("USER")
                .and().formLogin()
                .and().logout().logoutUrl("/j_spring_security_logout").invalidateHttpSession(true);
        } catch (Exception e) {
            //...
        }
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        ShaPasswordEncoder encoder = new ShaPasswordEncoder();
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
    }
}

