I am working on Spring Security, but the j_spring_security servlet seems not to be working. How do I debug the problem, or at least look for the root cause? I don't see any useful log files…

<?xml version="1.0" encoding="UTF-8"?>

<!--
  - Sample namespace-based configuration
  -->

<beans:beans xmlns=""
 xmlns:beans="" xmlns:xsi="">

 <global-method-security pre-post-annotations="enabled">
  <!-- AspectJ pointcut expression that locates our "post" method and
   applies security that way
   <protect-pointcut expression="execution(* bigbank.**(..))" access="ROLE_TELLER"/>
  -->
 </global-method-security>

 <http use-expressions="true">
  <intercept-url pattern="/" access="permitAll" />
  <intercept-url pattern="/login/**" filters="none" />
  <intercept-url pattern="/static/**" filters="none" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
  <form-login login-page="/login/login.jsp"
   default-target-url="/" authentication-failure-url="/login/login.jsp?login_error=1" />
  <logout logout-success-url="/login/logout_success.jsp" />
  <!-- Uncomment to enable X509 client authentication support <x509 /> -->
  <!-- Uncomment to limit the number of sessions a user can have -->
  <session-management invalid-session-url="/timeout.jsp">
   <concurrency-control max-sessions="1"
    error-if-maximum-exceeded="true" />
  </session-management>
 </http>

</beans:beans>


Then I checked for errors, and here is a cut of the log file.

When I am logging off:

DEBUG [http-8080-2] ( - Converted URL to lowercase, from: '/j_spring_security_logout'; to: '/j_spring_security_logout'
DEBUG [http-8080-2] ( - Candidate is: '/j_spring_security_logout'; pattern is /login/**; matched=false
DEBUG [http-8080-2] ( - Converted URL to lowercase, from: '/j_spring_security_logout'; to: '/j_spring_security_logout'
DEBUG [http-8080-2] ( - Candidate is: '/j_spring_security_logout'; pattern is /static/**; matched=false
DEBUG [http-8080-2] ( - Converted URL to lowercase, from: '/j_spring_security_logout'; to: '/j_spring_security_logout'
DEBUG [http-8080-2] ( - Candidate is: '/j_spring_security_logout'; pattern is /**; matched=true
DEBUG [http-8080-2] ( - /j_spring_security_logout at position 1 of 10 in additional filter chain; firing Filter: ''
DEBUG [http-8080-2] ( - /j_spring_security_logout at position 2 of 10 in additional filter chain; firing Filter: ''
DEBUG [http-8080-2] ( - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: ' Authentication: Principal: Username: rod; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR,ROLE_TELLER,ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: RemoteIpAddress:; SessionId: C6056CE774DE3568943D98A05ABCC744; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER'
DEBUG [http-8080-2] ( - /j_spring_security_logout at position 3 of 10 in additional filter chain; firing Filter: ''
DEBUG [http-8080-2] ( - Logging out user ' Principal: Username: rod; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR,ROLE_TELLER,ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: RemoteIpAddress:; SessionId: C6056CE774DE3568943D98A05ABCC744; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER' and transferring to logout destination
DEBUG [http-8080-2] ( - Using default Url: /login/logout_success.jsp
DEBUG [http-8080-2] ( - Redirecting to '/crvWeb/login/logout_success.jsp'
DEBUG [http-8080-2] ( - HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
DEBUG [http-8080-2] ( - SecurityContextHolder now cleared, as request processing completed
DEBUG [http-8080-2] ( - Converted URL to lowercase, from: '/login/logout_success.jsp'; to: '/login/logout_success.jsp'
DEBUG [http-8080-2] ( - Candidate is: '/login/logout_success.jsp'; pattern is /login/**; matched=true
DEBUG [http-8080-2] ( -  has an empty filter list

And then I log in again. Spring says I have an active session and didn't allow the login.

Note the exception in the log:
Reason: Maximum sessions of 1 for this principal exceeded.

DEBUG [http-8080-2] ( - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
DEBUG [http-8080-2] ( - Candidate is: '/j_spring_security_check'; pattern is /login/**; matched=false
DEBUG [http-8080-2] ( - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
DEBUG [http-8080-2] ( - Candidate is: '/j_spring_security_check'; pattern is /static/**; matched=false
DEBUG [http-8080-2] ( - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
DEBUG [http-8080-2] ( - Candidate is: '/j_spring_security_check'; pattern is /**; matched=true
DEBUG [http-8080-2] ( - /j_spring_security_check at position 1 of 10 in additional filter chain; firing Filter: ''
DEBUG [http-8080-2] ( - /j_spring_security_check at position 2 of 10 in additional filter chain; firing Filter: ''
DEBUG [http-8080-2] ( - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-2] ( - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@e3fda4. A new one will be created.
DEBUG [http-8080-2] ( - /j_spring_security_check at position 3 of 10 in additional filter chain; firing Filter: ''
DEBUG [http-8080-2] ( - /j_spring_security_check at position 4 of 10 in additional filter chain; firing Filter: ''
DEBUG [http-8080-2] ( - Request is to process authentication
DEBUG [http-8080-2] ( - Authentication attempt using
DEBUG [http-8080-2] ( - Authentication request failed: Maximum sessions of 1 for this principal exceeded
DEBUG [http-8080-2] ( - Updated SecurityContextHolder to contain null Authentication
DEBUG [http-8080-2] ( - Delegating to authentication failure
DEBUG [http-8080-2] ( - Redirecting to /login/login.jsp?login_error=1
DEBUG [http-8080-2] ( - Redirecting to '/crvWeb/login/login.jsp?login_error=1'
DEBUG [http-8080-2] ( - SecurityContextHolder now cleared, as request processing completed
DEBUG [http-8080-2] ( - Converted URL to lowercase, from: '/login/login.jsp'; to: '/login/login.jsp'
DEBUG [http-8080-2] ( - Candidate is: '/login/login.jsp'; pattern is /login/**; matched=true
DEBUG [http-8080-2] ( -  has an empty filter list

Why isn't my log off working? How can I look for the cause?

Best Answer

Spring Security requires a <listener> in web.xml in order to enable <concurrency-control>, see docs:
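
The listener the answer refers to, shown as an added example that is not part of the original answer. In Spring Security 3 the class is `org.springframework.security.web.session.HttpSessionEventPublisher`; where it sits among the other entries of this application's web.xml is an assumption.

```xml
<!-- web.xml fragment (added example; the rest of the descriptor is assumed to exist already) -->

<!--
  Publishes HttpSessionCreatedEvent / HttpSessionDestroyedEvent into the
  Spring application context.

  <concurrency-control> counts sessions per principal in a SessionRegistry.
  Logout invalidates the HttpSession, but the registry only removes its entry
  when it receives the session-destroyed event. Without this listener the
  servlet container's session lifecycle never reaches Spring, the old entry
  stays registered, and with max-sessions="1" and
  error-if-maximum-exceeded="true" the next login for the same user is
  rejected with "Maximum sessions of 1 for this principal exceeded".
-->
<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```

The same listener is also what releases the registry entry when a session simply times out, so it is needed even for users who never click logout.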

