Spring Security / SEC-1313

Namespace support for setting removeAfterRequest on AnonymousAuthenticationFilter

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.0 RC1
    • Fix Version/s: 3.0.0.RC2
    • Component/s: Web
    • Labels:
      None

      Description

      As far as I can tell, you cannot set this using namespace config; in order to do so you must use the 'old' explicit bean configuration.

      As an aside, I'm not sure we're using this appropriately; we're having an issue related to http://forum.springsource.org/showthread.php?t=47213, where nulling of the Authentication during anonymous HttpRequest cycle yields a race condition in a thread that needs the Authentication. Using removeAfterRequest fixes this but not sure if that's optimal.

      (The suggestion there to use cloneFromHttpSession is out-of-date as HttpSessionContextIntegrationFilter is deprecated.)


          Activity

          Luke Taylor added a comment -

          The "removeAfterRequest" property should probably itself be removed. Its original purpose was to prevent the HttpSessionContextIntegrationFilter from storing the context with an anonymous token in it. This doesn't necessarily work in practice, since the context may be saved during a redirect or a sendError (see SEC-776). Additional checks were added (now in HttpSessionSecurityContextRepository) which prevent an anonymous token from being saved, so the original problem that this property was introduced to solve no longer exists.

          It's certainly not something that should be added to the namespace, which is not intended to expose such low-level implementation details. I'd suggest that we just remove it altogether. As explained above, it no longer does what it was intended to and having an extra parameter which affects the context contents is just adding more complication. If we remove it then that should solve your problem.

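          The following is an added example, not part of SEC-1313 and not code from the Spring Security project. It exercises the check described in the comment above: a SecurityContext whose Authentication is an AnonymousAuthenticationToken is not written to the HttpSession by HttpSessionSecurityContextRepository, whereas a context holding a real authenticated token is, which is why removeAfterRequest is no longer needed for that purpose. It assumes the Spring Security 3.0.x web module and spring-test (for the Mock* servlet classes) on the classpath; the class name, the helper contextStoredInSession and the sample tokens are this example's own.

```java
import javax.servlet.http.HttpSession;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/**
 * Added example (assumed class/helper names, not Spring Security's own code).
 * Simulates one request cycle through HttpSessionSecurityContextRepository the
 * way SecurityContextPersistenceFilter drives it, and reports whether the
 * resulting SecurityContext was persisted into the HttpSession.
 */
public class AnonymousContextNotPersistedDemo {

    private static final String CONTEXT_KEY =
            HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;

    /**
     * Loads a fresh context for a sessionless request, installs the given
     * Authentication, saves the context, and returns true only if a session
     * now exists and carries the SPRING_SECURITY_CONTEXT attribute.
     */
    static boolean contextStoredInSession(Authentication auth) {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();

        // loadContext wraps the response so that a later redirect/sendError
        // (the SEC-776 case) also triggers a save; saveContext must therefore
        // be handed the wrapped request/response from the holder.
        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
        SecurityContext context = repo.loadContext(holder);
        context.setAuthentication(auth);
        repo.saveContext(context, holder.getRequest(), holder.getResponse());

        // getSession(false) never creates a session, so an anonymous-only
        // context that was correctly skipped leaves the request session-less.
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(CONTEXT_KEY) != null;
    }

    public static void main(String[] args) {
        // Constructed sample tokens: the shape AnonymousAuthenticationFilter
        // would create, and an ordinary authenticated user token.
        AnonymousAuthenticationToken anonymous = new AnonymousAuthenticationToken(
                "anonymousKey", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        TestingAuthenticationToken user =
                new TestingAuthenticationToken("bob", "password", "ROLE_USER");
        user.setAuthenticated(true);

        System.out.println("anonymous token persisted to session: "
                + contextStoredInSession(anonymous));
        System.out.println("authenticated user persisted to session: "
                + contextStoredInSession(user));
    }
}
```

          Per the repository's anonymous/null check referenced in the comment, the first line should report false (no session is even created) and the second true. If the first line reports true in your environment, the repository in use is not performing that check and setting removeAfterRequest on the filter would only mask the problem for the normal completion path, not for the redirect or sendError path.
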
          Luke Taylor added a comment -

          Superseded by SEC-1316.


            People

            • Assignee: Luke Taylor
            • Reporter: Paul Pavlidis
            • Votes: 0
            • Watchers: 0
