SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user

Question

Environment:

• MFP 6.3 Studio Windows 7
• MFP 6.3 Server (WAS LC)

Downloaded the form-based sample from the IBM MobileFirst Platform Developer Center.

In MFP 6.3 Studio, the sample runs fine.

I then change my build settings and Build All Environment -> get the new wlapp file.

I get my war file from the MFP 6.3 Server. Open up and put in the modified authenticationConfig.xml Basically it's just transferring the one snippet from the studio authenticationConfig.xml to the xml file within the WAR file.

<customSecurityTest name="DummyAdapter-securityTest">
    <test isInternalUserID="true" realm="SampleAppRealm"/>
</customSecurityTest>       

I restart the server and deploy the .wlapp and .adapter files.

In the standalone server, I run the preview mode. I Enter the username and password and login. It didn't login and I see these errors on the server console.log.

[ERROR   ] SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:BasicRegistry/demo.
[ERROR   ] SRVE0232E: Internal Server Error. Exception Message: [com.ibm.ws.webcontainer.webapp.WebAppErrorReport: com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:BasicRegistry/demo.
    at com.ibm.ws.webcontainer.session.impl.HttpSessionContextImpl.checkSecurity(HttpSessionContextImpl.java:686)
    at [internal classes]
    at com.worklight.core.auth.impl.AuthenticationFilter.associateAuthContextWithThread(AuthenticationFilter.java:426)
    at com.worklight.core.auth.impl.AuthenticationFilter.doFilter(AuthenticationFilter.java:145)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:194)
    at [internal classes]
Caused by: com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:BasicRegistry/demo.
    ... 7 more
]
[ERROR   ] SRVE0777E: Exception thrown by application class 'com.worklight.core.auth.impl.AuthenticationContext.checkAuthentication:604'
com.worklight.server.auth.api.WorkLightAuthenticationException
    at com.worklight.core.auth.impl.AuthenticationContext.checkAuthentication(AuthenticationContext.java:604)
    at com.worklight.core.auth.impl.AuthenticationContext.processRealms(AuthenticationContext.java:469)
    at com.worklight.core.auth.impl.AuthenticationContext.pushCurrentResource(AuthenticationContext.java:443)
    at com.worklight.core.auth.impl.AuthenticationServiceBean.accessResource(AuthenticationServiceBean.java:75)
    at com.worklight.integration.services.impl.DataAccessServiceImpl.invokeProcedureInternal(DataAccessServiceImpl.java:430)
    at com.worklight.integration.services.impl.DataAccessServiceImpl.invokeProcedure(DataAccessServiceImpl.java:139)
    at com.worklight.gadgets.serving.handler.BackendQueryHandler.getContent(BackendQueryHandler.java:95)
    at com.worklight.gadgets.serving.handler.BackendQueryHandler.doPost(BackendQueryHandler.java:56)
    at com.worklight.gadgets.serving.GadgetAPIServlet.doGetOrPost(GadgetAPIServlet.java:148)
    at com.worklight.gadgets.serving.GadgetAPIServlet.doPost(GadgetAPIServlet.java:108)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1240)
    at [internal classes]
    at com.worklight.core.auth.impl.AuthenticationFilter$1.execute(AuthenticationFilter.java:217)
    at com.worklight.core.auth.impl.AuthenticationServiceBean.accessResource(AuthenticationServiceBean.java:76)
    at com.worklight.core.auth.impl.AuthenticationFilter.doFilter(AuthenticationFilter.java:222)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:194)
    at [internal classes]

Answer 1

After studying the securityIntegrationEnabled="false workaround, I think I have figured out why things are working / not working.

The solution is actually very simple without changing the server.xml.

When the error SESN0008E occured, I was testing the FormAuth app using the common preview mode by clicking on the link from the admin console in the standalone server. Although the common preview link opened to a new browser, but the sessionID actually stays. Both browser tabs are in the same session (I checked).

It means that the sessionID that I am using is actually the one that was already authenticated by the Admin Console. And in my preview mode I tried to authenticate again in the session that was already "owned" by another user. This causes WAS to throw the error SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:BasicRegistry/demo. My app preview is in the same httpsession as the admin console, and hence the error.

So to get it to work, I copy the preview link. Close all the browser to ensure the sessions are killed. Open a new browser, paste the preview link and the FormAuthentication works now.

A maybe more convenient solution would be to create a mobile web environment and use that for preview testing.

Answer 2

In WAS and WAS Liberty profile, security integration is enabled by default. This also means that:

... session management facility associates the identity of users with their HTTP sessions. This feature will mark a session as "owned" by the first user that accesses a session that is not already marked as owned.

If a session is already marked as owned, it will check that the owner is the same as the current user. If not, rather than granting access to the session, at minimum a message with identifier SESN0008E will be logged and access to the session will not be granted.

In some cases, an UnauthorizedSessionRequestException is thrown, with message SESN0008E as the cause.

In the MobileFirst Development Server in Eclipse, the underlying WAS Liberty's server.xml has this disabled.

For your POC as a workaround, you can disable the feature by adding in the server.xml file the following entry: <httpSession securityIntegrationEnabled="false"/>

Note that adding this setting is global to all applications and can impact negatively on existing applications on the server, if in existance.