Spring Security issue SEC-1346

SessionManagementFilter: should "return;" after "redirectStrategy.sendRedirect(request, response, invalidSessionUrl);"

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.0.1
    • Component/s: Web
    • Labels: None

      Description

      java.lang.IllegalStateException: Cannot create a session after the response has been committed
      org.apache.catalina.connector.Request.doGetSession(Request.java:2313)
      org.apache.catalina.connector.Request.getSession(Request.java:2074)
      org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833)
      org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:844)
      javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:224)
      org.springframework.security.web.savedrequest.HttpSessionRequestCache.saveRequest(HttpSessionRequestCache.java:38)
      org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:177)
      org.springframework.security.web.access.ExceptionTranslationFilter.handleException(ExceptionTranslationFilter.java:158)
      org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:95)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:79)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:55)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:36)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:106)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
      org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
      org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)

          Activity

          Alvin Chee added a comment -

          The same issue should be faced in ConcurrentSessionFilter (have yet to try).

          Alvin Chee added a comment -

          if (invalidSessionUrl != null) {
              logger.debug("Redirecting to '" + invalidSessionUrl + "'");
              redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
              return; // should add this
          }
          Alvin Chee added a comment -

          Additionally, can NULL sessions be redirected to invalidSessionUrl as well (or configurable via namespace), to avoid JSESSIONID being appended by the servlet container?

          Example,
          <login.url>;jsessionid=C0B6CF8068DE7FB83CAA6C473DA5D098

          Luke Taylor added a comment (edited)

          Thanks for spotting this. I've fixed the appropriate redirects.

          To answer your question - a null session isn't regarded as invalid and there is no functionality to treat it as such. That URL only applies to the situation when a session ID is submitted by the client.

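The control-flow defect behind this report, shown as an added standalone example that is not Spring Security's SessionManagementFilter and not code from the thread: a servlet filter that redirects when the client submits a session ID the container no longer recognises. Everything here is hypothetical (the class name, the `invalidSessionUrl` path and the `sessionIfUncommitted` helper are assumptions); the only thing it borrows from the report is the pattern that after `sendRedirect` the filter must `return` instead of falling through to `chain.doFilter`, because the response is now committed and any downstream filter that calls `request.getSession()` (as `HttpSessionRequestCache.saveRequest` does in the trace) will throw the `IllegalStateException` the reporter saw.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter (hypothetical, not Spring Security's own class).
 * It redirects requests that carry a stale session ID to a configured URL.
 */
public class InvalidSessionRedirectFilter implements Filter {

    // Assumed to be a context-relative path such as "/session-expired".
    private final String invalidSessionUrl;

    public InvalidSessionRedirectFilter(String invalidSessionUrl) {
        this.invalidSessionUrl = invalidSessionUrl;
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client sent a session ID (e.g. a JSESSIONID cookie or ;jsessionid=...)
        // but the container has no live session for it: the session has expired or
        // was invalidated. A request with no session ID at all is not "invalid"
        // here, which matches the distinction drawn in the last comment above.
        boolean staleSessionSubmitted = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        if (staleSessionSubmitted && invalidSessionUrl != null) {
            response.sendRedirect(request.getContextPath() + invalidSessionUrl);
            // This return is the fix the report asks for. Without it the filter
            // falls through to chain.doFilter below; the redirect has already
            // committed the response, so a later filter that creates a session
            // fails with "Cannot create a session after the response has been
            // committed".
            return;
        }

        chain.doFilter(request, response);
    }

    /**
     * Defensive helper for downstream code (hypothetical): only create a
     * session when the response can still carry the Set-Cookie header that a
     * new session needs. Returns null when the response is already committed.
     */
    static HttpSession sessionIfUncommitted(HttpServletRequest request,
                                            HttpServletResponse response) {
        if (response.isCommitted()) {
            return null;
        }
        return request.getSession(true);
    }
}
```

The `return` after the redirect is the essential change; the `isCommitted()` guard is a second line of defence for code that runs later in the chain, so that an upstream filter which forgets to stop the chain degrades to a skipped session save rather than a 500 response.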

            People

            • Assignee: Luke Taylor
            • Reporter: Alvin Chee