views: 40, answers: 0

Hi guys!

Has anyone faced a problem with Spring Security login when basic authorization is activated under Tomcat?

It is simply impossible to log in when the login page is loaded right after logout. If you refresh the page and try again, everything is fine :)

I could not find any complaint about such behavior and spent a whole day finding out the problem. Finally, it turned out that the reason is a bug in Tomcat, which is present in versions 6.0.20 to 6.0.28 (Bug 49598).

The issue is that both Tomcat's basic authorization and Spring Security replace the session during the authorization request. Since logout invalidates the session, a direct login request after it triggers both session replacements during the same request handling. But, as a result of the bug, the Set-Cookie header in the response still points to the session id given by Tomcat (which gets invalidated by Spring Security, since it runs afterwards). So the next request sends the cookie of an already destroyed session, and the session created by Spring (which contains the signed-in user) remains unclaimed.

The best solution is Tomcat 6.0.29 :-). If someone has a problem with upgrading Tomcat, there are 3 possibilities to avoid the bug:

  1. Disable session replacement in Tomcat. You can do this by configuring the Valve in context.xml:

    <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
           changeSessionIdOnAuthentication="false"/>

  2. Disable session replacement in Spring Security by configuring security.xml:

    <http ... session-fixation-protection="none">
        ...
    </http>

  3. Provide an additional redirect after logout. This way Tomcat will have a Principal cached in the session during the login request.

Maybe this saves someone from going crazy like I did yesterday :)

With regards, Edgar
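A constructed Python model of the interaction Edgar describes, added here as an example (it is not code from the post, from Tomcat or from Spring Security). It models a session store, a container whose Set-Cookie handling can be switched between the buggy and the fixed behaviour, a BasicAuthenticator that skips authentication when a principal is already cached, and Spring's login step with session-fixation protection. The way the bug is modelled (a second session id change in the same request does not update the cookie header once the authenticator has already changed the id) is an assumption that reproduces the symptom in the post, not Tomcat's actual internals. Each of the three workarounds and the fixed container are exercised through keyword flags.

```python
# Constructed model of "double session replacement" during one login request.
# Assumption: the bug is simplified to "after the authenticator changes the
# session id, later cookie updates in the same request are dropped".
import secrets


class SessionStore:
    """Minimal server-side session store keyed by session id."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)  # None for unknown or invalidated ids

    def invalidate(self, sid):
        self.sessions.pop(sid, None)

    def change_id(self, old_sid):
        """Keep the attributes, move them under a fresh id, invalidate the old id."""
        attrs = self.sessions.pop(old_sid)
        new_sid = secrets.token_hex(8)
        self.sessions[new_sid] = attrs
        return new_sid


class Container:
    """Tracks which session id the response's Set-Cookie header will carry."""

    def __init__(self, store, cookie_bug):
        self.store = store
        self.cookie_bug = cookie_bug  # True: simplified model of Bug 49598

    def begin_request(self):
        self.set_cookie = None
        self.changed_by_authenticator = False

    def issue_cookie(self, sid, authenticator_change=False):
        if self.cookie_bug and self.changed_by_authenticator:
            return  # buggy container keeps the id given by the authenticator
        self.set_cookie = sid
        if authenticator_change:
            self.changed_by_authenticator = True


def tomcat_basic_auth(container, sid, rotate):
    """BasicAuthenticator: authenticate unless a principal is cached in the session."""
    store = container.store
    session = store.get(sid)
    if session is not None and "principal" in session:
        return sid  # cached principal, no session replacement
    if session is None:
        sid = store.create()
        container.issue_cookie(sid)
    if rotate:  # changeSessionIdOnAuthentication="true"
        sid = store.change_id(sid)
        container.issue_cookie(sid, authenticator_change=True)
    store.get(sid)["principal"] = "edgar"
    return sid


def spring_login(container, sid, rotate):
    """Spring Security login step; session-fixation protection creates a fresh session."""
    store = container.store
    if rotate:  # session-fixation-protection other than "none"
        attrs = dict(store.get(sid) or {})
        store.invalidate(sid)
        sid = store.create()
        store.get(sid).update(attrs)
        container.issue_cookie(sid)
    store.get(sid)["spring_user"] = "edgar"
    return sid


def login_after_logout(cookie_bug=True, tomcat_rotates=True,
                       spring_rotates=True, redirect_after_logout=False):
    """True when the request after the login POST sees the signed-in user."""
    store = SessionStore()
    container = Container(store, cookie_bug)

    # The session that logout has just invalidated; the browser still sends its cookie.
    browser_cookie = store.create()
    store.invalidate(browser_cookie)

    if redirect_after_logout:
        # Workaround 3: an extra request lets Tomcat authenticate and cache the principal.
        container.begin_request()
        tomcat_basic_auth(container, browser_cookie, tomcat_rotates)
        browser_cookie = container.set_cookie

    # The login POST: Tomcat authenticates first, then Spring's login filter runs.
    container.begin_request()
    sid = tomcat_basic_auth(container, browser_cookie, tomcat_rotates)
    spring_login(container, sid, spring_rotates)
    if container.set_cookie is not None:
        browser_cookie = container.set_cookie

    # The next request: does the cookie name a live session holding the Spring user?
    session = store.get(browser_cookie)
    return session is not None and "spring_user" in session
```

With the default flags the login fails because the response cookie names the id Tomcat issued, which Spring then invalidated; with cookie_bug=False, or with any one of tomcat_rotates=False, spring_rotates=False or redirect_after_logout=True, the same flow succeeds, which is the point of the three workarounds in the post.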