spring-session icon indicating copy to clipboard operation
spring-session copied to clipboard
verified publisher icon spring-projects

Spring session jdbc getting password blank after successful login

Open manojsharma20 opened this issue 7 years ago • 6 comments

Hi, I have integerated spring session jdbc but when login successfully and session is created and store in Spring_session, then password field getting blank. Password field contain after login '' something blank.

I check several time, but it is the issue with spring session jdbc. When i remove the dependency, password is not getting blank anymore.

Please tell me how to fix this issue.

manojsharma20 avatar Jan 09 '18 08:01 manojsharma20

How are you saving the password field?

rwinch avatar Jan 09 '18 21:01 rwinch

I have saved password as bcrypt at the time of registration or password changed. At the time of login i and doing anything or making just nonlocked property to false and saved the user using spring data jpa.

manojsharma20 avatar Jan 10 '18 04:01 manojsharma20

Please provide the code that is saving the password to session.

rwinch avatar Jan 10 '18 15:01 rwinch

Hi, Please find code for user detail service.

`package com.velocis.vahan;

import java.util.ArrayList; import java.util.Collection; import java.util.Iterator; import java.util.List; import java.util.Map;

import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.session.SessionInformation; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.session.ExpiringSession; import org.springframework.session.FindByIndexNameSessionRepository; import org.springframework.session.Session; import org.springframework.session.jdbc.JdbcOperationsSessionRepository; import org.springframework.session.security.SpringSessionBackedSessionRegistry; import org.springframework.stereotype.Service;

import com.mycomp.exception.AlreadyLoginForceException; import com.mycomp.pojo.EvUser; import com.mycomp.pojo.Privilege; import com.mycomp.pojo.Role; import com.mycomp.pojo.UserAttempts; import com.mycomp.repository.JpaUserAttemptsRepository; import com.mycomp.repository.JpaUserRepository; import com.mycomp.utils.LoginAttemptService;

@Service public class UserDetailsService implements UserDetailsService {

@Autowired private JpaUserRepository userRepository;
@Autowired private LoginAttemptService loginAttemptService;
@Autowired private HttpServletRequest request;

// @Autowired private JpaUserAttemptsRepository jpaUserAttemptsRepository; @Autowired private FindByIndexNameSessionRepository sessionRepository; @Autowired private FindByIndexNameSessionRepository<? extends ExpiringSession> sessions;

public UserDetailsService() {
    super();
}

// API

@Override
public UserDetails loadUserByUsername(final String username) throws UsernameNotFoundException {
	final String ip = getClientIP();
    
	if (loginAttemptService.isBlocked(ip)) {
        throw new RuntimeException("blocked");
    }

	boolean isUserAuthenticated = false;
	org.springframework.security.core.userdetails.User authUser = null;
	EvUser user = null;
	
	try {
		if(username.trim().equalsIgnoreCase("")){
    		isUserAuthenticated =false;
    	} else{
            user = userRepository.findByEmail(username);
            	user = sessionValidate(user, username);
            	authUser = new org.springframework.security.core.userdetails.User(user.getEmail(), user.getPassword(), new Boolean(user.getEnabled()), true, true, true, getAuthorities(user.getRoles()));
//               System.out.println(authUser.getAuthorities());
            	 if(authUser != null)
              	   isUserAuthenticated = true;
    	}
        
		if (!isUserAuthenticated) {
            throw new UsernameNotFoundException("No user found with your provide credential : " + username);
        }
    } catch (final Exception e) {
    	if(e instanceof AlreadyLoginForceException)
    		throw e;
    	else
    		throw new RuntimeException(e);
    }
    
    return authUser;
}

// UTIL

private EvUser sessionValidate(EvUser user, String username){
	if(user == null)
		return null;
	
	SpringSessionBackedSessionRegistry sessionRegistry = new SpringSessionBackedSessionRegistry((FindByIndexNameSessionRepository<ExpiringSession>) sessions);
	Collection<? extends ExpiringSession> usersSessions = sessions
            .findByIndexNameAndIndexValue(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, username)
            .values();
	
	String isForceLogin = request.getParameter("frdlog");
	Boolean frdlog = new Boolean(isForceLogin);
	if(usersSessions != null && !usersSessions.isEmpty() && frdlog == true){
		try {
			request.logout();
			request.getSession().invalidate();
			Iterator<? extends ExpiringSession> itr = usersSessions.iterator();
			while(itr.hasNext()){
				String sessionId = itr.next().getId();
		        // sessionRegistry.removeSessionInformation(sessionId);
		        SessionInformation info = sessionRegistry.getSessionInformation(sessionId);
		        info.expireNow();
		        
			}
			
			user.setNonLocked(true);
		} catch (ServletException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}
		user = userRepository.save(user);
	}
	else if(usersSessions != null && !usersSessions.isEmpty()){
		throw new AlreadyLoginForceException("already");
	}
	
	return user;
}

public final Collection<? extends GrantedAuthority> getAuthorities(final Collection<Role> roles) {
	return getGrantedAuthorities(getPrivileges(roles));
}
private List<String> getPrivileges(Collection<Role> roles) {
	  
    List<String> privileges = new ArrayList<>();
    List<Privilege> collection = new ArrayList<>();
    for (Role role : roles) {
        collection.addAll(role.getPrivileges());
    }
    for (Privilege item : collection) {
        privileges.add(item.getName());
    }
    return privileges;
}
private final String getClientIP() {
    final String xfHeader = request.getHeader("X-Forwarded-For");
    if (xfHeader == null) {
        return request.getRemoteAddr();
    }
    return xfHeader.split(",")[0];
}
private List<GrantedAuthority> getGrantedAuthorities(List<String> privileges) {
    List<GrantedAuthority> authorities = new ArrayList<>();
    for (String privilege : privileges) {
        authorities.add(new SimpleGrantedAuthority(privilege));
    }
    return authorities;
}

}`

Please suggest me the solution, I have debug the code and till my failure handler called, password not changed. after that spring specific filter calling changing the password.

manojsharma20 avatar Jan 11 '18 05:01 manojsharma20

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues avatar Dec 15 '20 17:12 spring-projects-issues

I think the code already shared.

XI1876-ManojSharma avatar Dec 18 '20 12:12 XI1876-ManojSharma