Session management in Spring Security

I am new to Spring Security. I have a requirement to do URL-based authentication where the user needs to be authenticated based on a unique link that will be sent every time as a parameter in the URL. I'll pass this link to the web service, get the required data, and then authenticate the user (and set the roles). The authentication and authorization part is working fine.

However, when I try to access the application again (now with a different link in the URL) it says "SecurityContextHolder not populated with anonymous token, as it already contained ..." and it shows the details of the previous request. I've tried clearing the security context using SecurityContextHolder.getContext().setAuthentication(null) and SecurityContextHolder.clearContext().

After that, I was able to access the application several times. However, if I try to access the application at the same time as my machine, I get a blank page. After checking the logs, I see the message "SecurityContextHolder not populated with anonymous token ...". I also tried to set up sessions, but I don't know where I am losing track.

Below is my web.xml (only the Spring Security part):

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<listener>
    <listener-class>
        org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>

<session-config>
    <session-timeout>30</session-timeout>
</session-config>


spring-security.xml:

<http use-expressions="true" auto-config="false" entry-point-ref="http403ForbiddenEntryPoint">
    <intercept-url pattern="/paymentPortalInternal.*" access="hasRole('Internal')"/>
    <intercept-url pattern="/paymentPortalExternal.*" access="hasRole('External')"/>

    <custom-filter position="PRE_AUTH_FILTER" ref="customAuthenticationFilter"/>
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
    <session-management session-authentication-strategy-ref="sas"/>
</http>

<beans:bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry"/>
    <beans:property name="expiredUrl" value="/session-expired.htm"/>
</beans:bean>

<beans:bean id="http403ForbiddenEntryPoint"
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

<beans:bean id="customAuthenticationFilter"
    class="com.xxx.xxx.xxxxx.security.CustomAuthenticationFilter">
    <beans:property name="sessionAuthenticationStrategy" ref="sas"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>

<beans:bean id="sas"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
    <beans:property name="maximumSessions" value="1"/>
    <beans:property name="exceptionIfMaximumExceeded" value="true"/>
</beans:bean>

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl"/>

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="preauthAuthProvider"/>
</authentication-manager>

<beans:bean id="preauthAuthProvider"
    class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean class="com.XXX.XXXX.XXX.UserServiceImpl"/>
    </beans:property>
</beans:bean>


Please let me know if I need more information.

EDIT: adding logs.

For the first request:

2013-02-07 17:27:38,834 DEBUG [http-8081-2] [org.springframework.security.web.context.HttpSessionSecurityContextRepository.readSecurityContextFromSession(127)] - No HttpSession currently exists
2013-02-07 17:27:38,834 DEBUG [http-8081-2] [org.springframework.security.web.context.HttpSessionSecurityContextRepository.loadContext(85)] - No SecurityContext was available from the HttpSession: null. A new one will be created.

For the second request (note that the data in the security context is the parameters of the first request):

2013-02-07 17:27:54,272 DEBUG [http-8081-2] [org.springframework.security.web.context.HttpSessionSecurityContextRepository.readSecurityContextFromSession(158)] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@1017293c: Authentication: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@1017293c: Principal: org.springframework.security.core.userdetails: Username: Internal@5581e6e1-7e61-41bb-9257-b3c1acb96519; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: Internal; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffc434: RemoteIpAddress: 10.188.182.107; SessionId: null; Granted Authorities: Internal'

I understand that the SecurityContextHolder stores information about all users. But in this case, I cannot launch the application from another tab/browser.

2 answers


I was able to fix this problem by overriding the default filter chain (the filter proxy used) and calling only the required filters. Thanks to LukeTaylor and Ketan for your suggestions. Please let me know if anyone has the same problem; I can post my XML and other stuff.


If your CustomAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter, the following two properties might give you an idea:

1. checkForPrincipalChanges
2. invalidateSessionOnPrincipalChange

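As an added illustration of the two properties named in this answer (this is example code written for this page, not code from the question, the answer or the Spring project), below is a minimal pre-authentication filter of the kind the question's `customAuthenticationFilter` bean points at. It assumes the unique link arrives as a request parameter named `link` (the parameter name, the package and the class name are hypothetical), and that the `PreAuthenticatedAuthenticationProvider` and `UserServiceImpl` from the question's spring-security.xml turn that link into a `UserDetails` with the right role.

```java
package com.example.security; // hypothetical package, stands in for com.xxx.xxx.xxxxx.security

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Pre-authentication filter that treats the one-time link carried in the
 * request URL as the pre-authenticated principal. When a request arrives
 * with a different link than the one stored in the session's
 * SecurityContext, the old session is invalidated and the user is
 * re-authenticated instead of inheriting the previous user's context.
 */
public class LinkPreAuthenticatedFilter extends AbstractPreAuthenticatedProcessingFilter {

    /** Assumed name of the URL parameter that carries the link (not from the original post). */
    private static final String LINK_PARAM = "link";

    public LinkPreAuthenticatedFilter() {
        // Without this flag the filter does nothing once a SecurityContext
        // exists, which is why the second link in the question kept showing
        // the first request's principal.
        setCheckForPrincipalChanges(true);
        // When the principal has changed, clear the SecurityContext and
        // invalidate the HttpSession. HttpSessionEventPublisher (configured in
        // web.xml) then removes the old session from the SessionRegistry, so
        // the maximumSessions=1 / exceptionIfMaximumExceeded=true strategy does
        // not reject the new login because of the stale entry.
        setInvalidateSessionOnPrincipalChange(true);
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String link = request.getParameter(LINK_PARAM);
        if (link == null || link.trim().isEmpty()) {
            // null means "this request carries no pre-authenticated identity";
            // the filter then leaves whatever is in the SecurityContext alone.
            return null;
        }
        return link.trim();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // The link is both identifier and proof of possession. Returning it as
        // the credentials keeps it on the token after authentication:
        // PreAuthenticatedAuthenticationProvider copies getCredentials() onto
        // the token it builds around the UserDetails, and a String is not a
        // CredentialsContainer, so it survives credential erasure.
        return getPreAuthenticatedPrincipal(request);
    }

    @Override
    protected boolean principalChanged(HttpServletRequest request, Authentication currentAuthentication) {
        Object link = getPreAuthenticatedPrincipal(request);
        if (link == null) {
            // A request without a link is not a change of principal.
            return false;
        }
        // The superclass default compares the new principal against
        // currentAuthentication.getName(), i.e. the username UserServiceImpl
        // chose. If that username is not the link itself (the log in the
        // question shows "Internal@<uuid>"), every request would look like a
        // principal change. Comparing against the credentials set above
        // compares link to link instead.
        Object current = currentAuthentication.getCredentials();
        return current == null || !link.equals(current);
    }
}
```

Wire it in exactly where the question's `customAuthenticationFilter` bean already sits (same `sessionAuthenticationStrategy` and `authenticationManager` properties); no XML change is needed beyond the class name, because both flags are set in the constructor. Two caveats a reviewer would raise about this design as a whole: a link that is the sole proof of identity ends up in browser history, proxy and server access logs and `Referer` headers, so it should be single-use and short-lived on the web-service side, and the `SessionId: null` in the question's `WebAuthenticationDetails` shows the token was built before any session existed, which is expected for the first request through a pre-authentication filter.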