Spring BlazeDS Integration
  1. Spring BlazeDS Integration
  2. FLEX-186

FlexSession not getting re-created properly when using session-fixation-protection="newSession"

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Critical Critical
    • Resolution: Complete
    • Affects Version/s: 1.5.0.M2
    • Fix Version/s: 1.5.0.RC1
    • Component/s: Core
    • Labels:
      None

      Description

      The issue previously fixed and closed in FLEX-111 - Invalid FlexSession with Spring Security is happening again

        Activity

        Hide
        Pulkit Singhal added a comment -

        As I stepped through the source for FlexSessionAwareSessionAuthenticationStrategy which was wrapping SessionFixationProtectionStrategy as its delegate ... I realized that:
        1) a new session is created by the delegate by invaldiating the old one and using request.getSession(true) to create a new one
        2) but afterwards when we jump back to FlexSessionAwareSessionAuthenticationStrategy, the value of currentSession.getAttribute("__flexSession") is null
        This means that the reason for the Invalid FlexSession could be due to its absence!

        To validate this I added a fake attribute pair ("__flexSession","123") to currentSession during runtime (after coming back from the delegate's onAuthentication call) ... and this led to the provider creating a flexsession and then everything worked!

        Can you make this fix to the source code?
        Or perhaps let me know how to override/extend/inject something in place of FlexSessionAwareSessionAuthenticationStrategy so that I may write my own workaround?

        Thanks!

        Show
        Pulkit Singhal added a comment - As I stepped through the source for FlexSessionAwareSessionAuthenticationStrategy which was wrapping SessionFixationProtectionStrategy as its delegate ... I realized that: 1) a new session is created by the delegate by invaldiating the old one and using request.getSession(true) to create a new one 2) but afterwards when we jump back to FlexSessionAwareSessionAuthenticationStrategy, the value of currentSession.getAttribute("__flexSession") is null This means that the reason for the Invalid FlexSession could be due to its absence! To validate this I added a fake attribute pair ("__flexSession","123") to currentSession during runtime (after coming back from the delegate's onAuthentication call) ... and this led to the provider creating a flexsession and then everything worked! Can you make this fix to the source code? Or perhaps let me know how to override/extend/inject something in place of FlexSessionAwareSessionAuthenticationStrategy so that I may write my own workaround? Thanks!
        Hide
        Jeremy Grelle added a comment -

        This should be fixed in the snapshot build that was just completed.

        Show
        Jeremy Grelle added a comment - This should be fixed in the snapshot build that was just completed.
        Hide
        Pulkit Singhal added a comment -

        Where can I pick up the snapshot build from? I tried locating something like spring-flex-core*SNAPSHOT* using m2eclipse-plugin's add dependency based lookup ... but I could not find any such listing. Also I tried changing <version>1.5.0.M2</version> to <version>1.5.0.RC1</version> but that didn't work either.
        Please help, I'm quite ignorant

        Show
        Pulkit Singhal added a comment - Where can I pick up the snapshot build from? I tried locating something like spring-flex-core*SNAPSHOT* using m2eclipse-plugin's add dependency based lookup ... but I could not find any such listing. Also I tried changing <version>1.5.0.M2</version> to <version>1.5.0.RC1</version> but that didn't work either. Please help, I'm quite ignorant
        Show
        Pulkit Singhal added a comment - Found it: http://forum.springsource.org/showthread.php?t=77454
        Hide
        Pulkit Singhal added a comment -

        I forgot to mention, it tested it and it works. The issue is resolved. Thank you so much.

        Show
        Pulkit Singhal added a comment - I forgot to mention, it tested it and it works. The issue is resolved. Thank you so much.

          People

          • Assignee:
            Jeremy Grelle
            Reporter:
            Pulkit Singhal
          • Votes:
            2 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: