Home/ Questions/Q 8961271
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T15:51:03+00:00

I have a custom AuthenticationProvider with the authenticate method. @Override public Authentication authenticate(Authentication authentication)

  • 0

I have a custom AuthenticationProvider with the authenticate method.

    @Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

        > Check username, password, throw exceptions where needed

        return new CustomAuthenticationToken(username, grantedAuthorities);
    }

And the token:

public class CustomAuthenticationToken extends UsernamePasswordAuthenticationToken
{
     public CustomAuthenticationToken(ICurrentUserContext currentUser, List<GrantedAuthority> authorities) {
         super(currentUser.getUsername(), currentUser.getPassword(), authorities);
     }
}

When I login with Chrome, Firefox, there is no problem whatsoever.

In IE 8/9 I have a very weird problem. Sometimes it will only call the method authenticate one time, it will login and everything works as expected. But from time to time, it will call authenticate twice, and fails to log in.

Does anybody have any clue?

I’ve tested it on Tomcat btw.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ve found the problem, with careful tracing the debug log of the Spring Security.. Hopefully this will help someone in the future.

    Apparantly, spring security default migrates sessions after login. But in IE it does not migrate the authentication cookie to the new session, resulting in presenting of the login page.

    The fix is easy, and can be done in the Spring Security xml:

    <http use-expressions="true">

    <!-- 
        This settings is for IE. Default this setting is on migrateSession.
        When IE tries to migrate the session, the auth cookie does not migrate,
        resulting in a nice login screen again, after you've logged in.

        This setting ensures that the session will not be invalidated, and thus IE will still work as expected.
     -->
    <session-management session-fixation-protection="none" />
</http>
    • 0