Spring Security/JSF/Hibernate Accidental Session Hijacking on Tomcat?

纵然是瞬间 submitted on 2019-12-01 04:48:48

I figured it out :)

It was sort of a developer error, but it is also a ridiculous default behavior of Spring. I had a JSF Managed Bean called SessionBean that I declared as @SessionScope. When you integrate JSF and Spring, the JSF dependency injection conflicts with Spring dependency injection so Spring rewrote the JSF module that handles that to just wrap Spring DI instead. So when I declare a JSF ManagedBean as Session Scoped, I must also give it a @Controller annotation so that it is recognized as a Spring Bean as well.

Turns out that Spring doesn't, however, understand the JSF @RequestScoped and @SessionScoped annotations. Spring has its own annotation called simply @Scope(value = "request|session|singleton?|etc...") .

Because Spring didn't recognize the JSF scope that I set, it treated the newly created bean in its default for beans, as a SINGLETON.

So every time somebody logged on, it was overwriting the property I used to cache the logged-in user that I fetched from the Authentication Principal. Then everybody who did anything was logged on as a different user.

Nice of Spring by the way to warn you that you misconfigured your damn bean.

Thanks for everybody's help, I hope this benefits future visitors!
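An added illustration (not the poster's code) of the misconfiguration described in the answer above beside its fix: the bean that caches the principal is shown once with only the JSF scope annotation, which Spring ignores, and once with Spring's own @Scope. Class and field names are assumed.

```java
// Added example, not from the original post. When JSF managed beans are served
// through Spring's EL resolver, Spring creates the bean and honours only its own
// @Scope annotation; the JSF @SessionScoped annotation is not consulted.
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.context.WebApplicationContext;

// BEFORE: @SessionScoped is ignored, so this @Controller becomes a Spring singleton.
// One instance serves every HTTP session, so the cached name is shared by all users:
// whoever logged in last is "the current user" for everybody.
@ManagedBean
@SessionScoped
@Controller
class SessionBeanShared {
    private String currentUser; // one field, one instance, all sessions

    public String getCurrentUser() {
        if (currentUser == null) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            currentUser = auth.getName();
        }
        return currentUser;
    }
}

// AFTER: declare the scope in Spring's own terms. The scoped proxy lets singleton
// beans that reference this one still resolve the session of the current request.
@ManagedBean
@Scope(value = WebApplicationContext.SCOPE_SESSION, proxyMode = ScopedProxyMode.TARGET_CLASS)
@Controller
class SessionBeanPerSession {
    private String currentUser; // now one field per HTTP session

    public String getCurrentUser() {
        if (currentUser == null) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            currentUser = (auth == null) ? null : auth.getName();
        }
        return currentUser;
    }
}
```

Reading the principal from SecurityContextHolder on every call, rather than caching it in a bean field, removes the hazard entirely even if the bean's scope is misdeclared again later.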
