Hidden Flaw in Audit Logging w/ Hibernate Interceptor & ACEGI

Posted in Java, Technology Center

We’ve recently discovered a problem in our audit logging facility where Acegi returns a user other than the actual user. It’s a little hard to replicate because it happens only when multiple users are accessing the system. In summary, audit logs were associated with other users because the Acegi SecurityContextHolder returns an incorrect user reference when invoked within a Hibernate interceptor. Our tests showed that retrieving the user within the service or DAO layer works correctly, but retrieving the user from an interceptor may potentially return a different user.

Our implementation is based on the recommended audit logging technique as documented by Hibernate, with a couple of extensions. To be exact, here’s an old post about our audit logging implementation.

We discovered this problem during the Beta Test stage, since there were multiple concurrent users testing the system. To prove that the system was misbehaving, we performed the following:

  • Create a long-running process for User A’s session. Let the process continue to execute while recording audit logs.
  • Create a new session for User B and perform a couple of actions as that user.
  • Check the audit logs created for User A’s process.

Our test results showed that some audit logs for User A’s process were recorded to User B, specifically during the time when User B performs an action. Apparently, this poses a serious hidden flaw in using Hibernate Interceptor and Acegi SecurityContextHolder for audit logging.

Hibernate Interceptor seems to create a separate thread to perform postFlush and other interceptor functions, and Acegi SecurityContextHolder also has its own threading algorithm. The end result is a disconnect of user sessions.

To solve this problem, we resorted to adding a transient variable for the user id in the Auditable entity. The value of the user id is populated at the service level because Acegi returns the correct user reference at this time. While this solution may not seem intrusive, I’m happy to say that it solves the concurrency issue.
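The fix described above, as an added example (not the authors' code, and plain Java rather than Hibernate or Acegi): `CURRENT_USER` stands in for `SecurityContextHolder`, `onFlush` for the interceptor callback, and `Order`, `auditUserId` and `save` are hypothetical names. The callback is run on another thread only to construct a case where the ambient user differs; it makes no claim about how Hibernate schedules interceptors.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class AuditActorDemo {
    // Stand-in for Acegi's SecurityContextHolder (thread-bound by default).
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Hypothetical auditable entity; auditUserId mirrors the post's transient field.
    // In a mapped entity it would be left unmapped or marked @Transient.
    static class Order {
        final long id;
        transient String auditUserId; // never persisted, only carried to the audit callback
        Order(long id) { this.id = id; }
    }

    static final List<String> AUDIT_LOG = new ArrayList<>();

    // Stand-in for the interceptor callback: trusts only the value on the entity.
    static void onFlush(Order o) {
        if (o.auditUserId == null) {
            // Fail closed instead of guessing the actor from ambient context.
            throw new IllegalStateException("no audit user on entity " + o.id);
        }
        String ambient = CURRENT_USER.get(); // read only to show the mismatch
        synchronized (AUDIT_LOG) {
            AUDIT_LOG.add("entity=" + o.id + " actor=" + o.auditUserId + " ambient=" + ambient);
        }
    }

    // Service layer: the post reports the lookup is correct here, so capture it now.
    static Order save(long id) {
        Order o = new Order(id);
        o.auditUserId = CURRENT_USER.get();
        return o;
    }

    public static void main(String[] args) throws Exception {
        CURRENT_USER.set("userA");
        Order pending = save(1L);
        // Constructed scenario: the callback runs where the ambient user is userB.
        ExecutorService other = Executors.newSingleThreadExecutor();
        other.submit(() -> { CURRENT_USER.set("userB"); onFlush(pending); }).get();
        other.shutdown();
        System.out.println(AUDIT_LOG.get(0));
    }
}
```

Throwing when the field is empty surfaces a missed service-level assignment instead of writing an audit record with no actor or with whichever user the ambient context happens to hold.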

Nevertheless, I posted this blog as a reference for anyone attempting to implement Audit Logging or anyone who has already encountered the same problem. Please post other possible solutions.

10 thoughts on “Hidden Flaw in Audit Logging w/ Hibernate Interceptor & ACEGI”

  1. As per your solution, I have set the user name in the entity transient field, but it is coming through as null at the Hibernate interceptor level.

  2. Hi Thayapavan,

    Are they running in the same session? Were you able to successfully retrieve the user from the service level? If you haven’t solved this problem yet, feel free to post your code fragments.

    Thanks!
    Allan

  3. If you’re going to publish something like this where you talk about “serious hidden flaws” in popular frameworks then you really need to back up your assertions with some hard facts.

    For example:

    a). “Hibernate interceptor seems to create a separate thread…” – provide some evidence, either by logging with thread information or by posting a debugger session. Phrases like “seems to” aren’t good currency in technical circles.

    b). “Acegi has its own threading algorithm” – I believe Acegi uses a standard Java ThreadLocal to store its security information and clears it at the end of each request (unless you have it misconfigured). That means it shouldn’t be passed to another thread and it certainly shouldn’t be possible to obtain a different security context, unless Hibernate has some serious brain damage and randomly chooses to flush a different user’s session during an HTTP request. If that’s the case, then you should be able to demonstrate it too.

    http://www.ideyatech.com/2009/03/a-hidden-fatal-flaw-in-audit-logging-with-hibernate-and-acegi/

  4. I’ve also encountered this exact issue. I’m struggling to resolve it. I’m also using an Audit Interceptor with Hibernate, Spring, and Acegi Security. My problem is even worse – a user logs in, clicks around on my site, and then is suddenly logged in as another user! I would appreciate a look at your solution in code, if you’re willing to provide one.
