Open manojsharma20 opened 6 years ago
How are you saving the password field?
I store the password as a bcrypt hash at registration or when the password is changed. At login I am not doing anything except setting the nonLocked property to false and saving the user using Spring Data JPA.
Please provide the code that is saving the password to session.
Hi, Please find code for user detail service.
`package com.velocis.vahan;
import java.util.ArrayList; import java.util.Collection; import java.util.Iterator; import java.util.List; import java.util.Map;
import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.session.SessionInformation; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.session.ExpiringSession; import org.springframework.session.FindByIndexNameSessionRepository; import org.springframework.session.Session; import org.springframework.session.jdbc.JdbcOperationsSessionRepository; import org.springframework.session.security.SpringSessionBackedSessionRegistry; import org.springframework.stereotype.Service;
import com.mycomp.exception.AlreadyLoginForceException; import com.mycomp.pojo.EvUser; import com.mycomp.pojo.Privilege; import com.mycomp.pojo.Role; import com.mycomp.pojo.UserAttempts; import com.mycomp.repository.JpaUserAttemptsRepository; import com.mycomp.repository.JpaUserRepository; import com.mycomp.utils.LoginAttemptService;
@Service public class UserDetailsService implements UserDetailsService {
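// Application user store; this class calls findByEmail and save on it.
@Autowired
private JpaUserRepository userRepository;

// Consulted with the client address (isBlocked) before any user lookup.
@Autowired
private LoginAttemptService loginAttemptService;

// Current HTTP request: source of the client address, the "frdlog" parameter and logout().
@Autowired
private HttpServletRequest request;

// @Autowired private JpaUserAttemptsRepository jpaUserAttemptsRepository;

// NOTE(review): in the pasted listing the two declarations below sat on the same physical
// line as the commented-out field above, which turned them into comment text. `sessions`
// is referenced by sessionValidate, so it has to be a live field; `sessionRepository` is
// not used in this class - confirm against the original file whether it was live too.
@Autowired
private FindByIndexNameSessionRepository sessionRepository;

// Index-capable session store, queried by principal name to find a user's existing sessions.
@Autowired
private FindByIndexNameSessionRepository<? extends ExpiringSession> sessions;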
/**
 * Creates the service. The collaborators are {@code @Autowired} fields, so nothing is
 * initialised here.
 */
public UserDetailsService() {
    // The superclass constructor is invoked implicitly.
}
// API
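/**
 * Looks up the account whose e-mail equals {@code username} and adapts it to a Spring
 * Security {@link UserDetails}.
 *
 * <p>Security note: this method receives only a username. No password is compared anywhere
 * on this path, so everything it triggers (including {@code sessionValidate}) runs for any
 * caller who merely names an account. NOTE(review): presumably the password check happens
 * afterwards in the authentication provider - keep state-changing work out of this method.
 *
 * @param username the e-mail address entered on the login form
 * @return the user details built from the stored account (e-mail, stored password hash,
 *         enabled flag and the authorities derived from its roles)
 * @throws UsernameNotFoundException if the username is blank or no account matches it
 * @throws RuntimeException with message {@code "blocked"} when the client address is blocked,
 *         or wrapping any unexpected failure during the lookup
 */
@Override
public UserDetails loadUserByUsername(final String username) throws UsernameNotFoundException {
    final String ip = getClientIP();
    if (loginAttemptService.isBlocked(ip)) {
        throw new RuntimeException("blocked");
    }

    // Reject blank input up front so the declared exception really reaches the caller.
    // Previously it was thrown inside the try block and re-wrapped in a RuntimeException.
    if (username == null || username.trim().isEmpty()) {
        throw new UsernameNotFoundException("No user found with your provide credential : " + username);
    }

    try {
        final EvUser user = sessionValidate(userRepository.findByEmail(username), username);
        if (user == null) {
            // An unknown e-mail used to surface as a wrapped NullPointerException from
            // user.getEmail(); report it through the contract's exception instead.
            throw new UsernameNotFoundException("No user found with your provide credential : " + username);
        }
        // Boolean.valueOf replaces the deprecated Boolean constructor with the same result.
        return new org.springframework.security.core.userdetails.User(user.getEmail(), user.getPassword(),
                Boolean.valueOf(user.getEnabled()), true, true, true, getAuthorities(user.getRoles()));
    } catch (final Exception e) {
        // Let the two exceptions callers are expected to handle pass through untouched;
        // anything else keeps the original behaviour of being wrapped.
        if (e instanceof AlreadyLoginForceException || e instanceof UsernameNotFoundException) {
            throw e;
        }
        throw new RuntimeException(e);
    }
}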
// UTIL
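/**
 * Enforces a single active session per user, optionally taking over existing sessions.
 *
 * <p>If the principal has no indexed session the user is returned unchanged. If sessions
 * exist and the request parameter {@code frdlog} parses to {@code true}, the current request
 * is logged out, its HTTP session invalidated, every indexed session of the principal is
 * expired, the account is marked non-locked and saved. Otherwise an
 * {@link AlreadyLoginForceException} is thrown.
 *
 * <p>NOTE(review): {@code frdlog} is a client-supplied parameter and no password has been
 * verified on this path (the caller receives only a username). As written, a request that
 * names an account can expire that account's sessions and clear its lock flag, and the
 * "already" exception discloses that the account exists and is signed in. Consider moving
 * the takeover into a handler that runs only after authentication has succeeded, and do not
 * reset the lock flag here.
 *
 * @param user     the account loaded for {@code username}, or {@code null} if none was found
 * @param username the principal name used as the session index value
 * @return {@code null} when {@code user} is {@code null}; otherwise the (possibly re-saved) user
 * @throws AlreadyLoginForceException if sessions exist and a forced login was not requested
 * @throws IllegalStateException if the current request could not be logged out
 */
private EvUser sessionValidate(EvUser user, String username) {
    if (user == null) {
        return null;
    }

    final Collection<? extends ExpiringSession> usersSessions = sessions
            .findByIndexNameAndIndexValue(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, username)
            .values();
    if (usersSessions.isEmpty()) {
        return user;
    }

    // parseBoolean yields false for null or anything other than "true" (case-insensitive),
    // the same outcome as the deprecated Boolean(String) constructor.
    final boolean forceLogin = Boolean.parseBoolean(request.getParameter("frdlog"));
    if (!forceLogin) {
        throw new AlreadyLoginForceException("already");
    }

    try {
        request.logout();
        request.getSession().invalidate();

        @SuppressWarnings("unchecked") // the registry constructor wants the non-wildcard type
        final SpringSessionBackedSessionRegistry sessionRegistry = new SpringSessionBackedSessionRegistry(
                (FindByIndexNameSessionRepository<ExpiringSession>) sessions);
        for (final ExpiringSession existing : usersSessions) {
            final SessionInformation info = sessionRegistry.getSessionInformation(existing.getId());
            // The session may have vanished between the index query and this lookup.
            if (info != null) {
                info.expireNow();
            }
        }
        user.setNonLocked(true);
    } catch (ServletException e) {
        // Fail closed: previously the stack trace was printed and the login carried on
        // with the old sessions still alive.
        throw new IllegalStateException("Could not log out the current request before forced login", e);
    }
    return userRepository.save(user);
}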
/**
 * Maps roles to the authorities granted through their privileges.
 *
 * @param roles the roles assigned to a user
 * @return one authority per privilege name found on those roles
 */
public final Collection<? extends GrantedAuthority> getAuthorities(final Collection<Role> roles) {
    final List<String> privilegeNames = getPrivileges(roles);
    final List<GrantedAuthority> granted = getGrantedAuthorities(privilegeNames);
    return granted;
}
/**
 * Collects the names of all privileges attached to the given roles, in role order.
 * Duplicates are kept when several roles share a privilege.
 *
 * @param roles the roles to flatten
 * @return the privilege names, one entry per privilege occurrence
 */
private List<String> getPrivileges(Collection<Role> roles) {
    final List<String> names = new ArrayList<>();
    for (final Role current : roles) {
        for (final Privilege granted : current.getPrivileges()) {
            names.add(granted.getName());
        }
    }
    return names;
}
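/**
 * Resolves the address used to key login-attempt blocking.
 *
 * <p>Uses the first entry of {@code X-Forwarded-For} when the header carries one, otherwise
 * the connection's remote address.
 *
 * <p>NOTE(review): {@code X-Forwarded-For} is whatever the client sent unless a trusted
 * reverse proxy overwrites it. If this application is reachable without such a proxy, the
 * value that keys {@code isBlocked} is chosen by the caller, which weakens the block and
 * lets a caller attribute attempts to another address. Confirm the deployment and prefer
 * the container's forwarded-header handling restricted to known proxies.
 *
 * @return the first forwarded address, trimmed, or the remote address
 */
private final String getClientIP() {
    final String xfHeader = request.getHeader("X-Forwarded-For");
    if (xfHeader != null) {
        // split(",")[0] threw ArrayIndexOutOfBoundsException for a header made only of
        // commas; cut at the first comma by hand instead and ignore an empty entry.
        final int comma = xfHeader.indexOf(',');
        final String first = (comma < 0 ? xfHeader : xfHeader.substring(0, comma)).trim();
        if (!first.isEmpty()) {
            return first;
        }
    }
    return request.getRemoteAddr();
}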
/**
 * Wraps each privilege name in a {@link SimpleGrantedAuthority}, preserving order.
 *
 * @param privileges the privilege names to convert
 * @return a new mutable list with one authority per name
 */
private List<GrantedAuthority> getGrantedAuthorities(List<String> privileges) {
    final List<GrantedAuthority> result = new ArrayList<>();
    final Iterator<String> names = privileges.iterator();
    while (names.hasNext()) {
        result.add(new SimpleGrantedAuthority(names.next()));
    }
    return result;
}
}`
Please suggest a solution. I have debugged the code: up to the point where my failure handler is called, the password is not changed. After that, a Spring-specific filter call changes the password.
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
I think the code has already been shared.
Hi, I have integrated Spring Session JDBC, but when login succeeds and the session is created and stored in Spring_session, the password field becomes blank. After login the password field contains '' (an empty value).
I have checked several times, and the issue is with Spring Session JDBC. When I remove the dependency, the password is no longer blanked.
Please tell me how to fix this issue.