I'm working on an application using Spring Security and Oracle & Cassandra as database.
Client authentication works fine until a short database outage occurs, then the application continues to return access denied, even after the databases are available again.
The application needs to be restarted to stop throwing access denied to clients...
This happens on methods annotated with
#PostAuthorize("hasPermission(returnObject?.customer,'read')")
I'm wondering if loss of connections impact somehow spring security context, in a irreversible way ?
I know I'm not providing much information, but I'm posting this in case someone have an idea why a short loss of connection pushes the application into endless access denied.
The error message each time is :
Access is denied org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice.after(ExpressionBasedPostInvocationAdvice.java:62)
at org.springframework.security.access.prepost.PostInvocationAdviceProvider.decide(PostInvocationAdviceProvider.java:41)
at org.springframework.security.access.intercept.AfterInvocationProviderManager.decide(AfterInvocationProviderManager.java:81)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterInvocation(AbstractSecurityInterceptor.java:316)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:73)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
Regards,
Related
I'm facing a problem which causing thousands of successful 4776 events on DCs. I figured out that some kind of network printer enumeration causing it. Every refreshing or opening printers in word for example, triggers a lot of 4776. It takes place even when user doesn't use computer so it is locked. Any idea why it works like that? I suspect that it is caused by opening printer named pipe, I see in ProcMon create, close file on pipe\spools printer path. Server is W2K8 R2 , client W10
Thanks in advance
This problem "Thousands of 4776 events" usually occurs every time that a credential validation occurs using NTLM authentication. It shows successful and unsuccessful credential validation attempts.
Only for the authoritative accounts this error occurs. For domain
accounts, the domain controller is authoritative. For local accounts,
the local computer is authoritative. This event also generates when a workstation unlock event occurs.
Obtain the source workstation address from 4776 event log and please check below steps:
Try checking whether the user is entering wrong credentials to run scheduled tasks, start services etc.
Try checking the credential management to know if there are any old credentials present in cache.
While mounting the network disk check whether you have entered wrong password.
Check if there are any third-party programs that cache the user's wrong password.
References:
4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10) - Windows security | Microsoft Docs.
Event ID 4776 / 0xc00006a - Microsoft Q&A.
I have a website that requires a lot of data entry. It hasn't been an issue until recently. Now the user is getting a 403 error, which I assume is caused by the session timeout. The problem I am having is that now, every page gives you a 403 error, even the logout. So, until I clear all the site cookies, the user is unable to do anything. I have to believe there is a better way to resolve this without having to resort to clearing cookies. Thanks.
Wade
There are so many reasons behind the session timeout:
1)Application Pool is recycled
2)IIS/worker process is restarted
3)Application Domain is restarted.
4)Some times system admins(IIS server admins) restricted the applications due to heavy burden of database log files please check the database log files
First, check the iis log for the sub status code.try to set the session time and application pool recycle time the same value. iis ideal time out default value is 20 minutes.
you could also set the iis HTTP keep-alive setting by following below steps:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httpprotocol/
you can use the Auto-Start behavior to keep the app "Always Running".
https://weblogs.asp.net/scottgu/auto-start-asp-net-applications-vs-2010-and-net-4-0-series
I have a rails api using devise-token-auth. Recently I was on really spotty/slow Wifi and I noticed I was getting 401's from my app. My theory is that the refreshing auth token is either being lost and delayed by the bad network. That being said, I'm having a hard time reproducing the bug itself.
Three primary questions:
Could a spotty Wifi/network connection lead to 401s, due to loss or delay of the new auth-token. And if this is the case, is there a way to recover without needing the user to log back in.
How to reproduce such an environment, so I can debug this scenario.
I was able to reproduce it by delaying the server response using a debugger. In my case, this happens when I enable change_headers_on_each_request config, so when the response which carries the new tokens fails the next responses throw 401 code.
I recently sent an issue to the gem explaining this and asking how can I handle this situation on the frontend.
We have implemented our own oAuth provider and are having an issue when the system runs in a load balanced scenario. When we run with a single server all is well but when we switch the other on we get the following situation:
Token ‘A’ generated on server 1
Token ‘A’ not valid on server 2.
I have done some Googling on this and it seems to be a known issue but can’t seem to find a solution.
Anybody got an idea.
Thanks
You will have to make sure that you do one of:
synchronize the state of your Authorization Server between all load balanced nodes by using a shared cache (e.g. database or file system) or replicates state across nodes using some replication mechanism
your Authorization Server issues tokens that can be inspected by the load balancer to find out to which node it needs to send the validation request
The latter. has the downside that it cannot be used in a high availability scenario.
I have writen a windows service that overwrite Logon and Logoff methods of ISenesLogon2 to check out when logon and logoff occure and then insert the log information into the sql server on server computer.
But it has problem when i turn on the client computer just after the server.
In this situation my service could not insert in sql server.
I think it's because of that the sql server did not load completely before the winservice tried to access to it.
So i want to find a way to check programmatically if the sql server is ready and then try to work with?
Your service cant start until its dependencies remote or otherwise have also started. Checking SQL Server is easy, try and connect to it and retry until you succeed.
Only problem is services have timeouts on startup, you cant sit and repeat this indefinitely.
Things that cannot be reliably started in a reasonable timeframe should not be services or they should fail as soon as possible. Otherwise you will end up with a lot of support requests for your service timing out.
Services are also usually not interactive to the user, so the failure is worse because you cant directly tell the user that your not up unless you do a tray icon.