Spring Security: SEC-1430

Refactor use of global session keys (e.g. SPRING_SECURITY_LAST_EXCEPTION) and clear session scope after use

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.M2
    • Component/s: None
    • Labels: None

      Description

      Exceptions and messages need to be cleared out properly from the session if they are stored there. The use of global keys such as SPRING_SECURITY_LAST_EXCEPTION makes this more difficult, since multiple parts of the framework may use them.

      In general we shouldn't be storing exceptions in the session if avoidable.

      This may cause problems for existing users who expect the messages or exceptions to be there in order to render them after redirects.

        Activity

        Luke Taylor added a comment -

        The last authentication exception is now only set in SimpleUrlAuthenticationFailureHandler. This can easily be overridden by setting the allowSessionCreation flag on the strategy to false. The default AuthenticationSuccessHandler will remove the attribute from the session when authentication succeeds.

        I've also removed the caching of the last username in the session. Best practice is generally to avoid re-rendering the username (which also avoids encoding issues). Users who really want to cache the username should do so in an AuthenticationFailureHandler.

        The only other global key is the saved request key and this is hidden by the RequestCache abstraction. If a RequestCache is not in use (e.g. because a default target URL is always used) then the key will not be set. Otherwise it will be removed when the request is restored.

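The following is an added example, not code from Spring Security or from this issue. It shows the two sides the comment describes for an application that wants to go further than the defaults: a failure handler that never creates a session just to carry the error and stores a short marker instead of the exception object, and a success handler that clears that marker on top of what the default handler already removes. It assumes the Spring Security 3.1 web API named in the comment (SimpleUrlAuthenticationFailureHandler with its allowSessionCreation flag, WebAttributes.AUTHENTICATION_EXCEPTION for the SPRING_SECURITY_LAST_EXCEPTION key, and SavedRequestAwareAuthenticationSuccessHandler, whose parent clears that key); the class names LoginHandlers, NoExceptionInSessionFailureHandler and ClearingSuccessHandler, the session key loginError and the URL /login?error are made up for the illustration.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/** Added example (not Spring Security's own code); all names below are hypothetical. */
public final class LoginHandlers {

    /** Session key for a short, non-sensitive login error marker (hypothetical, app-specific). */
    public static final String LOGIN_ERROR_KEY = "loginError";

    /**
     * Failure handler that keeps the AuthenticationException out of the session.
     * With allowSessionCreation=false no session is created for a failed login,
     * so an anonymous attacker hammering the form cannot fill the session store.
     */
    public static class NoExceptionInSessionFailureHandler extends SimpleUrlAuthenticationFailureHandler {

        public NoExceptionInSessionFailureHandler() {
            super("/login?error");          // hypothetical failure page
            setAllowSessionCreation(false); // the flag referred to in SEC-1430
        }

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException exception) throws IOException, ServletException {
            // getSession(false) because creation is disallowed: only an existing session is reused
            HttpSession session = request.getSession(isAllowSessionCreation());
            if (session != null) {
                // store a marker rather than the exception object or the attempted username
                session.setAttribute(LOGIN_ERROR_KEY, Boolean.TRUE);
                // make sure the global key never lingers, even if another component set it
                session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
            }
            getRedirectStrategy().sendRedirect(request, response, "/login?error");
        }
    }

    /**
     * Success handler: the parent class already removes SPRING_SECURITY_LAST_EXCEPTION and
     * restores the saved request through the RequestCache; this subclass also drops the
     * application's own marker so it cannot be re-rendered after a later redirect.
     */
    public static class ClearingSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws ServletException, IOException {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.removeAttribute(LOGIN_ERROR_KEY);
            }
            super.onAuthenticationSuccess(request, response, authentication);
        }
    }
}
```

Wire the two classes in with the form-login element's authentication-failure-handler-ref and authentication-success-handler-ref attributes. The login page then only needs to test for the presence of the loginError marker, which is cheaper to clear and leaks nothing if it is ever rendered.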

          People

          • Assignee: Luke Taylor
          • Reporter: Luke Taylor
          • Votes: 3
          • Watchers: 2

            Dates

            • Created:
              Updated:
              Resolved: