Spring Security / SEC-1353

SessionManagementFilter can invoke other filters after sending redirect

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.0.1
    • Component/s: Core
    • Labels:
      None

      Description

      SessionManagementFilter::doFilter() fails to stop request processing in the branch "No security context or authentication present" (at SessionManagementFilter.java:89). More precisely, it does not return after calling redirectStrategy.sendRedirect(), but passes to the next filter.

      This causes an error if there are controllers that define methods taking an HttpSession argument, because in this case AnnotationMethodHandlerAdapter attempts to call request.getSession(), which is not permitted after a redirect has been sent.
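
The control-flow defect reported above, reduced to a self-contained model (an added example, not code from this issue or from Spring Security). The `Request`, `Response` and `Chain` types, the filter method names and the redirect URL are hypothetical stand-ins for the servlet API.

```java
// Added illustration: a minimal model of a filter chain, not Spring Security code.
public class RedirectThenContinueDemo {
    // Hypothetical response model: sending a redirect commits the response.
    static class Response {
        boolean committed;
        void sendRedirect(String url) { committed = true; }
    }
    // Hypothetical request model: like HttpServletRequest.getSession(), creating
    // a session once the response is committed throws IllegalStateException.
    static class Request {
        final Response response;
        Request(Response response) { this.response = response; }
        Object getSession() {
            if (response.committed) throw new IllegalStateException("response already committed");
            return new Object();
        }
    }
    interface Chain { void doFilter(Request req, Response res); }

    // Flow described in the report: redirect, then fall through to the next filter.
    static void buggyFilter(Request req, Response res, Chain chain, boolean unauthenticated) {
        if (unauthenticated) {
            res.sendRedirect("/placeholder-url"); // constructed URL
            // no return here, so processing continues
        }
        chain.doFilter(req, res);
    }
    // Corrected flow: stop processing as soon as the redirect has been sent.
    static void fixedFilter(Request req, Response res, Chain chain, boolean unauthenticated) {
        if (unauthenticated) {
            res.sendRedirect("/placeholder-url");
            return;
        }
        chain.doFilter(req, res);
    }
    public static void main(String[] args) {
        Chain handler = (req, res) -> req.getSession(); // stands in for a controller taking a session argument
        Response r1 = new Response();
        try {
            buggyFilter(new Request(r1), r1, handler, true);
        } catch (IllegalStateException e) {
            System.out.println("buggy: downstream handler ran after redirect: " + e.getMessage());
        }
        Response r2 = new Response();
        fixedFilter(new Request(r2), r2, handler, true);
        System.out.println("fixed: chain skipped, committed=" + r2.committed);
    }
}
```

In a security filter the missing `return` matters beyond the exception: every filter and handler after it still executes for a request the filter had already decided to turn away.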


            People

            • Assignee: Luke Taylor
            • Reporter: Artem Anisimov