Spring Security issue SEC-1587

HttpSessionSecurityContextRepository should clear session context when current context is anonymous or empty

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.3
    • Fix Version/s: 3.0.5, 3.1.0.M2
    • Component/s: None
    • Labels: None

      Description

      I have written a LogoutFilter which does not redirect to a logout page. It just logs out the user and goes on with the filter chain.
      (It's needed because we have different areas and the user should be logged out when switching to another "area".)

      Before it comes to saving the security context with HttpSessionSecurityContextRepository, the anonymousFilter sets an AnonymousAuthentication. So when it comes to saving the context, it is not saved.

      This is because of this code in HttpSessionSecurityContextRepository:

      protected void saveContext(SecurityContext context) {
          // See SEC-776
          if (authenticationTrustResolver.isAnonymous(context.getAuthentication())) {
              if (logger.isDebugEnabled()) {
                  logger.debug("SecurityContext contents are anonymous - context will not be stored in HttpSession. ");
              }
              return;
          }
          // ... (remainder of the method not included in the report)
      }

      BTW, my LogoutFilter is configured with invalidateHttpSession=false, otherwise this bug wouldn't occur, I guess.

      So imho, there should be another check to see what is actually saved in the session.

      regards
      Janning
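      An added illustration of the failure mode described in the report and of the check the title asks for; this is not Spring Security's code. A plain Map stands in for the HttpSession, the attribute key is a constructed stand-in for the key the repository uses, and Authentication is reduced to a name plus an "anonymous" flag so it runs with the JDK alone (Java 16+ for records).

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Spring Security's code. A Map stands in for the
// HttpSession and the key/record below are constructed stand-ins.
public class SessionContextSaveDemo {
    static final String CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
    record Authentication(String name, boolean anonymous) {}

    // Behaviour reported for 3.0.3: an anonymous (or empty) context is simply
    // not stored, so whatever the session already holds is left in place.
    static void saveContextBuggy(Map<String, Object> session, Authentication current) {
        if (current == null || current.anonymous()) {
            return;                                   // session untouched
        }
        session.put(CONTEXT_KEY, current);
    }

    // Behaviour the issue asks for: when the current context is anonymous or
    // empty, check what the session actually holds and drop a stale
    // authenticated context left there by a logout that kept the session alive.
    static void saveContextFixed(Map<String, Object> session, Authentication current) {
        if (current == null || current.anonymous()) {
            if (session.get(CONTEXT_KEY) != null) {
                session.remove(CONTEXT_KEY);
            }
            return;
        }
        session.put(CONTEXT_KEY, current);
    }

    // Replays the reporter's scenario: an earlier login stored a context, the
    // LogoutFilter logs out without invalidating the session, the anonymous
    // filter installs an anonymous authentication, then the context is saved.
    static Authentication contextLeftInSession(boolean useFix) {
        Map<String, Object> session = new HashMap<>();
        session.put(CONTEXT_KEY, new Authentication("janning", false)); // constructed sample
        Authentication afterLogout = new Authentication("anonymousUser", true);
        if (useFix) saveContextFixed(session, afterLogout);
        else        saveContextBuggy(session, afterLogout);
        return (Authentication) session.get(CONTEXT_KEY);
    }

    public static void main(String[] args) {
        System.out.println("3.0.3 behaviour leaves: " + contextLeftInSession(false));
        System.out.println("fixed behaviour leaves: " + contextLeftInSession(true));
    }
}
```

      With the buggy variant the earlier authenticated context survives in the session after logout; with the fixed variant the session attribute is removed.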

    Activity

      Janning Vygen added a comment -

      From your previous post, I was just about starting to look at this again. But I think you already fixed it, right? If not, please send me a mail.

      Luke Taylor added a comment -

      Yeah, I've added the fix, but I'm still not sure why it would be needed in a single-VM situation.

      Janning Vygen added a comment -

      I have attached a Maven test project. I hope it helps. If not, please ask.

      The main reason for this to happen is:

      • LogoutFilter does not return after logout but continues with doChain
      • LogoutFilter does not invalidate session

      Please take a look at the source code. The project is very small.
      The test fails with 3.0.3, it succeeds with 3.0.5.

      Janning Vygen added a comment -

      Maven test project

      Spring Issuemaster added a comment -

      This issue has been migrated to https://github.com/spring-projects/spring-security/issues/1826

    People

    • Assignee: Luke Taylor
    • Reporter: Janning Vygen
