Spring Security issue SEC-1528

HttpSession.setAttribute() must be called if the SecurityContext is modified during a request

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.M1
    • Component/s: Web
    • Labels: None

      Description

      The current logic in HttpSessionSecurityContextRepository does not set the session attribute if it finds that the current thread-local context matches the value in the session. This works fine in a single JVM. However, in a cluster or cloud environment where requests for the same session may be handled in different JVMs, the changes must be propagated to other nodes and the setAttribute() call is required to achieve this.


    Activity

    Luke Taylor added a comment (edited):

    The solution is probably to drop the logic from SEC-1307 which compares Cs and Ct entirely and rely on the specific checks on the context and authentication objects.

    Luke Taylor added a comment:

    Fix implemented as described.
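The description and the proposed fix above, as an added example that is not Spring Security's own code: a simplified Java model of two cluster nodes sharing one session, where only a setAttribute() call replicates to the peer. The Authentication, SecurityContext and Node classes, the role names and the saveBuggy/saveFixed methods are constructed stand-ins (saveFixed is one reading of "specific checks on the context and authentication objects", not the shipped implementation), and the record syntax assumes Java 16 or later.

```java
public class ClusteredContextSave {
    // Stand-ins for Authentication (immutable) and SecurityContext (mutable holder).
    record Authentication(String principal, String role) {}
    static final class SecurityContext {
        Authentication authentication;
        SecurityContext(Authentication a) { authentication = a; }
    }

    // One cluster node's copy of the HttpSession attribute. Only setAttribute()
    // replicates: the peer gets a fresh copy, as a serialising session store would.
    static final class Node {
        SecurityContext stored;   // SPRING_SECURITY_CONTEXT value on this node
        Node peer;
        void setAttribute(SecurityContext ctx) {
            stored = ctx;
            peer.stored = new SecurityContext(ctx.authentication);
        }
    }

    // SEC-1528 behaviour, simplified: skip the write when the thread-local context
    // is the object already in the local session, so an in-place change stays local.
    static void saveBuggy(Node node, SecurityContext ctx) {
        if (ctx != node.stored) node.setAttribute(ctx);
    }

    // Fixed behaviour: compare against what was loaded at the start of the request,
    // checking both the context and the Authentication it holds, and write on change.
    static void saveFixed(Node node, SecurityContext ctx,
                          SecurityContext ctxBefore, Authentication authBefore) {
        if (ctx != ctxBefore || ctx.authentication != authBefore) node.setAttribute(ctx);
    }

    // Session created on node A; a request on node A then swaps the Authentication
    // inside the same context object. Returns the role node B sees afterwards.
    static String roleSeenOnPeer(boolean fixed) {
        Node a = new Node(), b = new Node();
        a.peer = b; b.peer = a;
        a.setAttribute(new SecurityContext(new Authentication("alice", "ROLE_USER")));
        SecurityContext ctx = a.stored;                  // loaded into the holder
        Authentication authBefore = ctx.authentication;  // snapshot before the chain runs
        ctx.authentication = new Authentication("alice", "ROLE_ADMIN");
        if (fixed) saveFixed(a, ctx, ctx, authBefore); else saveBuggy(a, ctx);
        return b.stored.authentication.role();
    }

    public static void main(String[] args) {
        System.out.println("buggy save, node B sees " + roleSeenOnPeer(false));
        System.out.println("fixed save, node B sees " + roleSeenOnPeer(true));
    }
}
```

With the buggy save the context object in the holder is the one already in node A's session, so nothing is written and node B keeps the pre-request Authentication; the fixed save detects the replaced Authentication and writes, which is what propagates the change across nodes.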

    People

    • Assignee: Luke Taylor
    • Reporter: Luke Taylor
    • Votes: 0
    • Watchers: 0
