Closed imranmir closed 10 years ago
Just to add, I removed the grails cookie plugin. Now I get the login page, but when I try to login, I get the following exception in the background, consequently I am not able to login:
Error 2014-01-04 13:51:41,825 [http-bio-8080-exec-2] ERROR [/].[default] - Servlet.service() for servlet [default] in context with path [] threw exception [Filter execution threw an exception] with root cause
Message: org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser
Line | Method
->> 202 | run in java.net.URLClassLoader$1
| 190 | findClass in java.net.URLClassLoader
| 306 | loadClass in java.lang.ClassLoader
| 106 | getConfiguredKryoSerializer in com.granicus.grails.plugins.cookiesession.KryoSessionSerializer
| 67 | serialize in ''
| 368 | serializeSession in com.granicus.grails.plugins.cookiesession.CookieSessionRepository
| 349 | saveSession in ''
| 92 | saveSession in com.granicus.grails.plugins.cookiesession.SessionRepositoryResponseWrapper
| 127 | sendRedirect in ''
| 68 | onAuthenticationSuccess in grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationSuccessHandler
| 49 | doFilter in grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter
| 82 | doFilter in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
| 102 | invokeWithWrappedRequest in grails.plugin.springsecurity.web.filter.DebugFilter
| 69 | doFilter in ''
| 78 | doFilterInternal in com.granicus.grails.plugins.cookiesession.CookieSessionFilter
| 886 | runTask in java.util.concurrent.ThreadPoolExecutor$Worker
| 908 | run in ''
^ 662 | run in java.lang.Thread
Hi
I think the problem is with the "kryo" serializer. Please see the demo project here https://github.com/imranmir/test-cookie-session-plugin. The exception is thrown whenever I hit "http://localhost:8080/sessionCookie/"
When I change the serializer to java, this exception is not thrown, but it does not allow me to login twice without clearing the browser cookies.
Hi Imran,
I'll look into this in detail tomorrow morning, but in the meantime, there are a few things I'd like you to try:
1) drop the cookie size from 10k to 4k. From experience, cookies over 4K are not compatible with most browsers. If I could have gotten away with a 10K cookie, I wouldn't have had to split serialized sessions across multiple cookies in the first place ;)
2) regarding when you removed the cookie-session and ran your code and got a Kryo serializer exception - this shouldn't have happened... you need to clean your project (/>grails clean) after you remove a plugin to make sure artifacts aren't left lying around. Give this a try and make sure your project runs without the plugin. Then install the plugin and try again.
3) If you're using Google Chrome, it's really helpful to test with an "Incognito" instance of the browser. This will ensure you get a fresh session without a bunch of cookies carrying over from previous attempts to run your app. If you don't do this, you'll likely be either a) seeing a ton of unreproducible errors because of cookies containing sessions and such, some of which may be corrupt or b) cleaning out your cookies a lot, which is generally inconvenient and not 100% reliable, especially if you're working with multiple windows and an app that is constantly setting cookies, like apps that use the cookie-session plugin.
I'll take a look into this as soon as I can - if you discover anything new about the errors, please send it along!
thanks,
Ben Lucchesi | Chief Software Architect | Granicus Inc. 600 Harrison Street, Suite 120 San Francisco, CA 94107 work: 415.357.3618 x1300 | fax: 415.618.0102 | cell: 775.250.3396
From: Imran Mir [notifications@github.com] Sent: Sunday, January 05, 2014 7:22 AM To: benlucchesi/grails-cookie-session-v2 Subject: Re: [grails-cookie-session-v2] Cannot get cookie session plugin working with grails 2.3.4 (#29)
Imran,
In your project, you named your cookie "gsession-5". Just name it "gsession". The cookie-session plugin creates multiple cookies and appends the index of the cookie to the end. The format of the cookie names written in responses will be "gsession-X" where X is the index. So for example, if 5 cookies are generated, then responses would contain the following cookies:
gsession-0
gsession-1
gsession-2
gsession-3
gsession-4
In other words, you don't need to name it gsession-5 to get the plugin to generate 5 cookies.
Please rename and give it a try - and remember to clear cookies or use an incognito window.
thanks,
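The naming scheme described in the comment above, as an added Groovy sketch (not the plugin's code and not part of the thread). `splitIntoCookies` and `joinCookies` are hypothetical names, and the splitting policy, the 4096-character chunk size and the sample payload are assumptions; only the `<cookiename>-<index>` format comes from the comment.

```groovy
// Illustrative sketch only: NOT the cookie-session plugin's implementation.
// Only the "<cookiename>-<index>" naming format is taken from the thread.

/** Split an already serialized and encoded session string into named cookie values. */
Map<String, String> splitIntoCookies(String payload, String cookieName, int cookieCount, int maxCookieSize) {
    int capacity = cookieCount * maxCookieSize
    if (payload.length() > capacity) {
        throw new IllegalStateException("session needs ${payload.length()} chars, capacity is ${capacity}")
    }
    Map<String, String> cookies = [:]
    for (int i = 0; i < cookieCount; i++) {
        int start = Math.min(i * maxCookieSize, payload.length())
        int end = Math.min(start + maxCookieSize, payload.length())
        // Every index is always written. Unused ones get an empty value so a chunk
        // left over from an earlier, larger session cannot be appended to this one.
        cookies["${cookieName}-${i}".toString()] = payload.substring(start, end)
    }
    cookies
}

/** Reassemble the payload and refuse cookie sets that have a gap between chunks. */
String joinCookies(Map<String, String> requestCookies, String cookieName, int cookieCount) {
    StringBuilder sb = new StringBuilder()
    boolean ended = false
    for (int i = 0; i < cookieCount; i++) {
        String chunk = requestCookies["${cookieName}-${i}".toString()] ?: ''
        if (chunk && ended) {
            throw new IllegalStateException("gap before ${cookieName}-${i}: stale or corrupt cookies")
        }
        if (!chunk) {
            ended = true
        }
        sb.append(chunk)
    }
    sb.toString()
}

// Constructed stand-in for an encoded session of 9000 characters.
String payload = 'A' * 9000

// Base name "gsession" with 5 cookies of at most 4096 characters each.
def right = splitIntoCookies(payload, 'gsession', 5, 4096)
assert right.keySet().toList() == ['gsession-0', 'gsession-1', 'gsession-2', 'gsession-3', 'gsession-4']
assert right.values()*.length() == [4096, 4096, 808, 0, 0]
assert joinCookies(right, 'gsession', 5) == payload

// Base name "gsession-5" does not mean "five cookies": the index is still appended.
def wrong = splitIntoCookies(payload, 'gsession-5', 5, 4096)
assert wrong.keySet().first() == 'gsession-5-0'

// Constructed stale-cookie case: the browser still sends gsession-3 from an
// earlier session although the current session ended at gsession-1.
def stale = ['gsession-0': 'x' * 4096, 'gsession-1': 'y' * 10, 'gsession-3': 'old']
try {
    joinCookies(stale, 'gsession', 5)
    assert false : 'stale chunk should have been rejected'
} catch (IllegalStateException e) {
    println "rejected: ${e.message}"
}
```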
Hi Ben,
First of all, thank you for taking out some time to look into the issue. I found the reason for the exception in the plugin while being used with spring-security-2.0. Please validate my pull request here: https://github.com/benlucchesi/grails-cookie-session-v2/pull/30.
Though the exception is fixed now, if a user logs out and wants to log in again, I still need to clear all cookies in my browser to log in. Just to add, I renamed the session cookie to gsession as suggested.
Hi Imran,
Great catch! So the process I follow with pull requests is to first pull it into a development branch, write tests that specifically verify the changes and then merge the dev branch into master, at which point I cut a versioned release. For this particular issue, I need to get to the bottom of why logging out doesn't clear the user from the session - clearing cookies is obviously an unacceptable solution.
I suspect that either the spring security code that clears the currently logged in user is executing after the session has been written or the name of the class that stores the security context has changed or the key in the session that stores the security context has changed.
If you're up to it, can you make sure that all of the code in the SecurityContextSessionPersistenceListener is executing correctly? There's some tracing available, but a couple of the "if" statements may not be executing under the new spring security plugin. In any case, this is the first place I'd look for a problem. The second place is the security filter chain ordering... If you don't have time, I'll be able to get to it shortly.
thanks for the contribution!
Hi Ben
I tried to look into the issue. I share my findings:
In SecurityContextSessionPersistenceListener.beforeSessionSaved, I always get session.SPRING_SECURITY_SAVED_REQUEST_KEY = null
When I try to login (after I had logged in and logged out once), I get the following logs:
2014-01-10 10:36:35,540 [http-bio-8080-exec-1] TRACE cookiesession.CookieSessionFilter - doFilterInteral()
2014-01-10 10:36:35,540 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - restoreSession()
2014-01-10 10:36:35,550 [http-bio-8080-exec-1] INFO cookiesession.CookieSessionRepository - retrieved valid session from cookie. lastAccessedTime: Fri Jan 10 10:03:25 IST 2014
2014-01-10 10:36:35,551 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
2014-01-10 10:36:35,551 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
2014-01-10 10:36:35,551 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
2014-01-10 10:36:35,691 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
2014-01-10 10:36:35,691 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession()
2014-01-10 10:36:35,691 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(true)
2014-01-10 10:36:35,691 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - isRequestedSessionIdValid()
2014-01-10 10:36:35,691 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession()
2014-01-10 10:36:35,692 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(true)
2014-01-10 10:36:35,692 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(true)
2014-01-10 10:36:35,692 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
2014-01-10 10:36:35,692 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
2014-01-10 10:36:35,692 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
2014-01-10 10:36:35,692 [http-bio-8080-exec-1] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
and the session contains:
<com.granicus.grails.plugins.cookiesession.SerializableSession@6f36e7f3 SESSION_CONTEXT=com.granicus.grails.plugins.cookiesession.SerializableSession$1@7db63b8f SESSION_CONTEXT_ID_ENUM=com.granicus.grails.plugins.cookiesession.SerializableSession$2@470069c3 serialVersionUID=42 creationTime=1389328405093 lastAccessedTime=1389330395550 attributes=[SPRING_SECURITY_CONTEXT:org.springframework.security.core.context.SecurityContextImpl@45592199: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@45592199: Principal: grails.plugin.springsecurity.userdetails.GrailsUser@5fae87b: Username: imran; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: simplesession; Granted Authorities: ROLE_ADMIN, org.codehaus.groovy.grails.FLASH_SCOPE:[:], SPRING_SECURITY_SAVED_REQUEST:DefaultSavedRequest[http://localhost:8080/sessionCookie/user/afterLogout]] isValid=false servletContext=org.apache.catalina.core.ApplicationContextFacade@6854928f newSession=false maxInactiveInterval=0>
I tried to use session.SPRING_SECURITY_SAVED_REQUEST instead of session.SPRING_SECURITY_SAVED_REQUEST_KEY, but that also did not work.
Maybe this could be of some help while you try fixing this.
Thanks.
Hi Imran,
I merged your pull request into a feature branch that I'm working on, but as an FYI - it breaks backwards compatibility with previous versions of grails because of the name change. I'm fixing that issue by checking the grails version.
Question: did you disable session fixation prevention in your project?
grails.plugin.springsecurity.useSessionFixationPrevention = false
Apparently it's enabled by default in the new spring security plugin and it needs to be disabled for things to work correctly. I don't know if this will resolve your issue, but if you could try it out, I'd appreciate it. In the meantime I'm getting a test project up and running to see what else is breaking with the new version of spring security.
thanks, -ben
Hi Imran,
I got cookie-sessions working with 2.3.4.
Here are the settings you'll need to make in your Config.groovy
// disable session fixation
grails.plugin.springsecurity.useSessionFixationPrevention = false
// get your logout controller working like previous versions of grails
grails.plugin.springsecurity.logout.postOnly = false
This second option is a new configuration needed to be backwards compatible with previous versions of the spring security plugin.
You'll also need your modified KryoSessionSerializer to get the correct GrailsUser class.
Please verify that these settings fix your app. Also, here's an idea on how to test to ensure that you're actually using cookie sessions:
1) start your app
2) log into your app
3) kill the app
4) start the app
5) from the webpage, verify that you're still logged in.
thanks!
-ben
Hi Ben
Great!! I tried the app with the above mentioned configurations. It is indeed working now. I again thank you for taking out some time for this issue.
I am eagerly waiting for the new version of the plugin now, so that we could use it in our project.
That's great to hear! FYI - it's going to be a while before I get the update out because I need to migrate all of the tests to a 2.3.4 project. In the meantime, I'm glad it's working for you!
hi Imran
as a quick follow-up to this issue, I'll be releasing a new version of the plugin that includes an error log entry if sessionfixationprevention is turned on.
for the postOnly option, I won't output a trace warning because this option breaks existing apps that use GET to logout regardless of whether cookiesessions are used or not.
If this issue isn't resolved for you, please reopen and let me know what's going on!
thanks, -ben
It sounds great, Ben. I will surely try it soon.
Hi Ben
The new cookie-session plugin is working well.
Thanks, Imran Mir
Hi All,
I am facing an issue while trying to login with google+ oauth. When a user first registers with google+ it causes a NotSerializableException. What I found is that when I store some object in the session and then render the response, the exception occurs.
session[SPRING_SECURITY_OAUTH_TOKEN] = oAuthToken
Here is the stacktrace
org.codehaus.groovy.grails.web.json.JSONObject. Stacktrace follows:
java.io.NotSerializableException: org.codehaus.groovy.grails.web.json.JSONObject
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1183)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1547)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1508)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1431)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1177)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:347)
at java.util.HashMap.writeObject(HashMap.java:1129)
at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:988)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1495)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1431)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1177)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1547)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1508)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1431)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1177)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:347)
at com.granicus.grails.plugins.cookiesession.JavaSessionSerializer.serialize(JavaSessionSerializer.groovy:36)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.serializeSession(CookieSessionRepository.groovy:369)
at com.granicus.grails.plugins.cookiesession.CookieSessionRepository.saveSession(CookieSessionRepository.groovy:354)
at com.granicus.grails.plugins.cookiesession.SessionRepositoryResponseWrapper.saveSession(SessionRepositoryResponseWrapper.java:95)
at com.granicus.grails.plugins.cookiesession.SessionRepositoryResponseWrapper.getWriter(SessionRepositoryResponseWrapper.java:122)
at grails.converters.JSON.render(JSON.java:150)
It looks like the JSONObject doesn't implement Serializable... that's not an issue with the cookie session, but a problem with the Java Serializer not being able to serialize that object.
I suggest you use the Kryo serializer and write a custom serializer for the JSONObject. It should be self evident as to how to serialize/deserialize JSON data :)
If you need an example of how to write a kryo serializer, there are examples in the cookie-session plugin source code. If you need further direction, just let me know.
-ben
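A custom Kryo serializer of the kind suggested in the reply above, as an added Groovy example (not taken from the plugin source or from the thread). `JSONObjectSerializer` is a hypothetical class name and the token value is constructed; how the serializer is registered with the cookie-session plugin is not covered on this page and is not shown.

```groovy
import com.esotericsoftware.kryo.Kryo
import com.esotericsoftware.kryo.Serializer
import com.esotericsoftware.kryo.io.Input
import com.esotericsoftware.kryo.io.Output
import org.codehaus.groovy.grails.web.json.JSONObject

/**
 * Hypothetical serializer: stores a JSONObject as its JSON text and parses the
 * text back on read, so JSONObject itself never has to implement Serializable.
 * The read() signature is the one used by Kryo 2.x to 4.x.
 */
class JSONObjectSerializer extends Serializer<JSONObject> {

    @Override
    void write(Kryo kryo, Output output, JSONObject object) {
        // toString() yields the compact JSON representation of the object.
        output.writeString(object.toString())
    }

    @Override
    JSONObject read(Kryo kryo, Input input, Class<JSONObject> type) {
        // The String constructor parses the JSON text written above.
        new JSONObject(input.readString())
    }
}

// Round trip through a stand-alone Kryo instance. Inside the plugin the Kryo
// instance is created by its own serializer class; wiring this in is an assumption.
Kryo kryo = new Kryo()
kryo.register(JSONObject, new JSONObjectSerializer())

// Constructed sample standing in for the JSON held by the OAuth token object.
JSONObject token = new JSONObject('{"access_token":"constructed-sample","expires_in":3600}')

ByteArrayOutputStream bytes = new ByteArrayOutputStream()
Output output = new Output(bytes)
kryo.writeObject(output, token)
output.close()

Input input = new Input(new ByteArrayInputStream(bytes.toByteArray()))
JSONObject restored = kryo.readObject(input, JSONObject)
input.close()

assert restored.getString('access_token') == 'constructed-sample'
assert restored.getInt('expires_in') == 3600
```

Anything placed in the session this way travels to the browser inside the session cookies, so whether the cookie is encrypted (`grails.plugin.cookiesession.encryptcookie`) decides whether the token is readable on the client.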
Hi Ben,
It worked like a charm.
Thanks, Tushar Saxena
Hi
I am trying to make grails cookie-session work with grails-2.3.4, but all seems to be going in vain. I also use spring-security-core:2.0-RC2. I keep on getting the following exception when trying to access the application url:
2014-01-04 12:00:09,565 [http-bio-8080-exec-5] TRACE cookiesession.SessionRepositoryResponseWrapper - intercepting getWriter to save session
2014-01-04 12:00:09,565 [http-bio-8080-exec-5] TRACE cookiesession.SessionRepositoryResponseWrapper - saveSession()
2014-01-04 12:00:09,565 [http-bio-8080-exec-5] TRACE cookiesession.SessionRepositoryResponseWrapper - session is already saved, not attempting to save again.
2014-01-04 12:00:09,567 [http-bio-8080-exec-5] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
2014-01-04 12:00:09,567 [http-bio-8080-exec-5] TRACE cookiesession.SessionRepositoryRequestWrapper - getSession(false)
| Error 2014-01-04 12:00:09,567 [http-bio-8080-exec-5] ERROR [/].[gsp] - Servlet.service() for servlet [gsp] in context with path [] threw exception
Message: Error applying layout : public
Line | Method
->> 53 | doFilter in /grails-app/views/layouts/public.gsp
| 49 | doFilter in ''
| 82 | doFilter in ''
| 102 | invokeWithWrappedRequest in ''
| 69 | doFilter in ''
| 78 | doFilterInternal in ''
| 886 | runTask in ''
| 908 | run in ''
^ 662 | run in ''
Caused by GroovyPagesException: Error processing GroovyPageView: null
->> 85 | doFilter in /grails-app/views/layouts/public.gsp
Caused by EmptyStackException: null
->> 85 | peek in java.util.Stack
| 67 | pop in ''
| 53 | doFilter in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
| 49 | doFilter in grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter
| 82 | doFilter in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
| 102 | invokeWithWrappedRequest in grails.plugin.springsecurity.web.filter.DebugFilter
| 69 | doFilter in ''
| 78 | doFilterInternal in com.granicus.grails.plugins.cookiesession.CookieSessionFilter
| 886 | runTask in java.util.concurrent.ThreadPoolExecutor$Worker
| 908 | run in ''
^ 662 | run in java.lang.Thread
My Config.groovy:
grails.plugin.cookiesession.enabled = true
grails.plugin.cookiesession.encryptcookie = true
grails.plugin.cookiesession.cryptoalgorithm = "Blowfish"
grails.plugin.cookiesession.secret = "i am a secret"
grails.plugin.cookiesession.cookiecount = 5
grails.plugin.cookiesession.maxcookiesize = 10240 // 10kb
grails.plugin.cookiesession.sessiontimeout = 10 // 30 minutes
grails.plugin.cookiesession.cookiename = 'gsession-5'
grails.plugin.cookiesession.serializer = 'kryo'
grails.plugin.cookiesession.springsecuritycompatibility = true
My BuildConfig:
compile ':webxml:1.4.1'
compile ":cookie-session:2.0.13"
When I tried going back to an old branch (on grails 2.0.3, with spring-security-core:1.2.7.3) and added the same cookie-session plugin, my application worked fine. Any help will be appreciated.