spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Login returns indefinitely HttpSession returned null object for SPRING_SECURITY_CONTEXT #4204

Open Ramanji025 opened 7 years ago

Ramanji025 commented 7 years ago

15:09:33,068 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] (http--0.0.0.0-8080-10) Returning cached instance of singleton bean 'transactionManager'
15:09:33,068 DEBUG [org.springframework.orm.jpa.JpaTransactionManager] (http--0.0.0.0-8080-10) Creating new transaction with name [com.ust.wmi.lakshya.service.dao.OrderDAO.getOrderByLoginId]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; ''
15:09:33,068 DEBUG [org.springframework.orm.jpa.JpaTransactionManager] (http--0.0.0.0-8080-10) Opened new EntityManager [org.hibernate.ejb.EntityManagerImpl@680daeb0] for JPA transaction
15:09:33,068 DEBUG [org.springframework.orm.jpa.JpaTransactionManager] (http--0.0.0.0-8080-10) Exposing JPA transaction as JDBC transaction [org.springframework.orm.jpa.vendor.HibernateJpaDialect$HibernateConnectionHandle@42dfd3c5]
15:09:33,427 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/'; against '/js/'
15:09:33,427 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/'; against '/img/'
15:09:33,427 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/'; against '/css/'
15:09:33,427 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/'; against '/fonts/'
15:09:33,427 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/'; against '/less/'
15:09:33,427 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/'; against '/docs/'
15:09:33,427 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/'; against '/dashboard-assets/'
15:09:33,427 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
15:09:33,427 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http--0.0.0.0-8080-8) No HttpSession currently exists
15:09:33,427 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http--0.0.0.0-8080-8) No SecurityContext was available from the HttpSession: null. A new one will be created.
15:09:33,443 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 2 of 15 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
15:09:33,443 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 3 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
15:09:33,443 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
15:09:33,443 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
15:09:33,443 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
15:09:33,443 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 7 of 15 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
15:09:33,443 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 8 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
15:09:33,443 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 9 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
15:09:33,443 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 10 of 15 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
15:09:33,443 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 11 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
15:09:33,443 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] (http--0.0.0.0-8080-8) Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 106.219.63.98; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
15:09:33,458 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 12 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
15:09:33,458 DEBUG [org.springframework.security.web.session.SessionManagementFilter] (http--0.0.0.0-8080-8) Requested session ID zgOCshH3xP8LpHdbmUl30Yhz.wm2-lakshya2 is invalid.
15:09:33,458 DEBUG [org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy] (http--0.0.0.0-8080-8) Starting new session (if required) and redirecting to '/logoutSession'
15:09:33,458 DEBUG [org.springframework.security.web.session.HttpSessionEventPublisher] (http--0.0.0.0-8080-8) Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@3c370fd5]
15:09:33,458 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] (http--0.0.0.0-8080-8) Redirecting to '/oms-web/logoutSession'
15:09:33,458 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http--0.0.0.0-8080-8) SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
15:09:33,458 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] (http--0.0.0.0-8080-8) SecurityContextHolder now cleared, as request processing completed
15:09:33,600 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/logoutsession'; against '/js/'
15:09:33,600 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/logoutsession'; against '/img/'
15:09:33,600 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/logoutsession'; against '/css/'
15:09:33,600 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/logoutsession'; against '/fonts/'
15:09:33,600 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/logoutsession'; against '/less/'
15:09:33,600 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/logoutsession'; against '/docs/'
15:09:33,600 DEBUG [org.springframework.security.web.util.matcher.AntPathRequestMatcher] (http--0.0.0.0-8080-8) Checking match of request : '/logoutsession'; against '/dashboard-assets/'
15:09:33,600 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /logoutSession at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
15:09:33,600 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http--0.0.0.0-8080-8) HttpSession returned null object for SPRING_SECURITY_CONTEXT
15:09:33,600 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http--0.0.0.0-8080-8) No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3c370fd5. A new one will be created.
15:09:33,600 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /logoutSession at position 2 of 15 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
15:09:33,600 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /logoutSession at position 3 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
15:09:33,615 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /logoutSession at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
15:09:33,615 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /logoutSession at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
15:09:33,615 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8)

Here I am using Spring Security 3.2.0.RELEASE and Spring 4.0.0.RELEASE.

After logging in, either immediately or after a gap of a few seconds, the user gets logged off. After debugging I saw the log above. I cannot understand why my session is getting a null SPRING_SECURITY_CONTEXT.

Here is the piece of code where I am validating the session:

package com.wmi.lakshya.web.resource;

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionValidation implements Filter {

    // the logger type is not shown in the issue; java.util.logging is used here
    private static final Logger LOGGER = Logger.getLogger(SessionValidation.class.getName());

    public void init(FilterConfig filterConfig) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // setHeader replaces any earlier value, so both cache directives must share one header
        response.setHeader("Cache-Control", "no-cache, no-store"); // forces caches to revalidate and forbids storing the page
        response.setDateHeader("Expires", 0); // causes proxy caches to see the page as "stale"
        response.setHeader("Pragma", "no-cache"); // HTTP 1.0 backward compatibility
        response.setHeader("X-Frame-Options", "deny"); // deny framing (clickjacking)
        //response.setHeader("Content-Security-Policy", "default-src 'self'"); // cross site scripting disable
        //response.setHeader("Set-Cookie", "JSESSIONID=" + request.getSession().getId() + "; secure");
        String url = request.getServletPath();
        HttpSession session = request.getSession(false); // never create a session from this filter
        if (null == session) {
            // response.sendRedirect("/index");
            LOGGER.info("-------------------------------");
            LOGGER.info("Empty Session");
            LOGGER.info("-------------------------------");
        }
        else if (url.equals("/")) {
            response.sendRedirect(request.getContextPath() + "/welcome");
            return; // the response is committed; do not run the rest of the chain
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}

And here is the relevant piece of my Spring Security config file:

    <security:form-login login-page="/index" default-target-url="/welcome"
                         authentication-failure-url="/loginError?error"
                         always-use-default-target="true"/>
    <security:logout invalidate-session="true" logout-url="/logout"
                     logout-success-url="/nourlhere" delete-cookies="JSESSIONID"/>

    <security:session-management invalid-session-url="/logoutSession">
        <security:concurrency-control expired-url="/logoutSession" max-sessions="1"
                                      error-if-maximum-exceeded="false"/>
    </security:session-management>

    <security:access-denied-handler error-page="/welcome"/>
    <security:custom-filter ref="sessionValidtion" after="LAST"/>
    <security:remember-me use-secure-cookie="true" user-service-ref="userDetailsService"/>

<bean id="sessionValidtion" class="com.wmi.lakshya.web.resource.SessionValidation"></bean>

I have not included all of the configuration, but the major pieces of code are listed here.

Please help me understand how it is making my session object null. @rwinch
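An added triage script for the DEBUG log pasted above (my own example; it is neither part of this issue nor of Spring Security). It parses lines in the `HH:MM:SS,mmm LEVEL [logger] (thread) message` shape the log uses, splits each worker thread's lines into requests at the FilterChainProxy "position 1 of N" line, and records the session events each request went through. Run over an excerpt of the log it shows that the `/` request arrived with a session cookie that SessionManagementFilter rejected, got a fresh session plus a redirect to `/logoutSession`, and that the `HttpSession returned null object for SPRING_SECURITY_CONTEXT` line on the following request is what a brand-new session looks like, not a lost context. The sample lines are excerpted and trimmed from the log in the issue; the verdict strings and the `route_suffix` heuristic (Tomcat appends `.jvmRoute` to session IDs when a jvmRoute is configured, so a rejected ID carrying one is the first thing to check when a load balancer or cluster is in front of the app) are assumptions of the script, not something the issue states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpted from the DEBUG log pasted in this issue, trimmed to the events this
# script reads (session ID, paths and thread name are the ones logged above).
SAMPLE_LOG = """\
15:09:33,427 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
15:09:33,427 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http--0.0.0.0-8080-8) No HttpSession currently exists
15:09:33,458 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /?t=0.234172108117491 at position 12 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
15:09:33,458 DEBUG [org.springframework.security.web.session.SessionManagementFilter] (http--0.0.0.0-8080-8) Requested session ID zgOCshH3xP8LpHdbmUl30Yhz.wm2-lakshya2 is invalid.
15:09:33,458 DEBUG [org.springframework.security.web.session.HttpSessionEventPublisher] (http--0.0.0.0-8080-8) Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@3c370fd5]
15:09:33,458 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] (http--0.0.0.0-8080-8) Redirecting to '/oms-web/logoutSession'
15:09:33,458 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http--0.0.0.0-8080-8) SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
15:09:33,600 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /logoutSession at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
15:09:33,600 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http--0.0.0.0-8080-8) HttpSession returned null object for SPRING_SECURITY_CONTEXT
15:09:33,615 DEBUG [org.springframework.security.web.FilterChainProxy] (http--0.0.0.0-8080-8) /logoutSession at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) \[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
FILTER_RE = re.compile(r"^(?P<path>\S+) at position (?P<pos>\d+) of \d+ in additional filter chain; firing Filter: '(?P<filter>\w+)'$")
INVALID_RE = re.compile(r"^Requested session ID (?P<sid>\S+) is invalid\.$")
REDIRECT_RE = re.compile(r"^Redirecting to '(?P<target>[^']+)'$")


@dataclass
class RequestTrace:
    """Session-related events seen by one request on one worker thread."""
    thread: str
    path: str
    filters: List[str] = field(default_factory=list)
    had_session: Optional[bool] = None      # None: the repository logged nothing
    context_found: Optional[bool] = None    # was SPRING_SECURITY_CONTEXT in the session?
    invalid_session_id: Optional[str] = None
    session_created: bool = False
    redirect: Optional[str] = None
    context_saved: Optional[bool] = None

    @property
    def route_suffix(self) -> Optional[str]:
        # Heuristic: Tomcat appends ".<jvmRoute>" to session IDs when jvmRoute is set.
        sid = self.invalid_session_id
        return sid.rsplit(".", 1)[1] if sid and "." in sid else None

    def verdict(self) -> str:
        if self.invalid_session_id and self.redirect:
            return "invalid-session redirect"
        if self.had_session and self.context_found is False:
            return "fresh session, no saved SecurityContext"
        if self.had_session is False:
            return "no session"
        return "no session events"


def parse_log(lines) -> List[RequestTrace]:
    """Split lines into requests per thread and collect their session events."""
    traces: List[RequestTrace] = []
    open_req: Dict[str, RequestTrace] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        logger = m["logger"].rsplit(".", 1)[-1]
        fm = FILTER_RE.match(msg)
        if fm:
            if fm["pos"] == "1":  # first filter fired: a new request on this thread
                open_req[thread] = RequestTrace(thread, fm["path"])
                traces.append(open_req[thread])
            if thread in open_req:
                open_req[thread].filters.append(fm["filter"])
            continue
        cur = open_req.get(thread)
        if cur is None:
            continue
        if logger == "HttpSessionSecurityContextRepository":
            if msg.startswith("No HttpSession currently exists"):
                cur.had_session = False
            elif msg.startswith("HttpSession returned null object for SPRING_SECURITY_CONTEXT"):
                cur.had_session, cur.context_found = True, False
            elif msg.startswith("SecurityContext is empty or contents are anonymous"):
                cur.context_saved = False
        elif logger == "SessionManagementFilter" and INVALID_RE.match(msg):
            cur.invalid_session_id = INVALID_RE.match(msg)["sid"]
        elif logger == "HttpSessionEventPublisher" and "HttpSessionCreatedEvent" in msg:
            cur.session_created = True
        elif logger == "DefaultRedirectStrategy" and REDIRECT_RE.match(msg):
            cur.redirect = REDIRECT_RE.match(msg)["target"]
    return traces


def summarize(text: str) -> List[dict]:
    """One row per request: what the session machinery did to it."""
    return [{"thread": t.thread, "path": t.path, "filters": t.filters,
             "verdict": t.verdict(), "redirect": t.redirect,
             "route_suffix": t.route_suffix} for t in parse_log(text.splitlines())]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Feed it the full DEBUG log (`summarize(open("server.log").read())`) to see every request on every thread; a request whose verdict is "invalid-session redirect" while the browser still holds a cookie is the one to chase, and the `route_suffix` column tells you whether the rejected ID was issued by a different node.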

Ramanji025 commented 7 years ago

@michaelpigg @leon @rehevkor5 @bonifaido @fredcooke #3796