Spring Security / SEC-2111

Disable auto save of SecurityContext when response committed after startAsync invoked

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.2.0.M1
    • Fix Version/s: 3.2.0.M2
    • Component/s: None
    • Labels: None

      Description

      Updated Description

      Previously, Spring Security disabled automatic saving of the SecurityContext when the current Thread differed from the Thread that created the SaveContextOnUpdateOrErrorResponseWrapper. This worked for many cases, but it could cause problems when a timeout occurred. The problem is that, because container Threads are pooled, the same Thread can be reused to process the timeout. As a result, the timeout of a request could trigger an apparent logout, as described in the following workflow:

      • The SecurityContext was established on the SecurityContextHolder
      • An Async request was made
      • The SecurityContextHolder would be cleared out
      • The Async request times out
      • The Async request would be dispatched back to the container upon
        timing out. If the container reused the same Thread to process the
        timeout as the original request, Spring Security would attempt to
        save the SecurityContext when the response was committed. Since the
        SecurityContextHolder was still cleared out it removes the
        SecurityContext from the HttpSession

      Spring Security should instead prevent the SecurityContext from being saved automatically when the response is committed as soon as ServletRequest#startAsync() or ServletRequest#startAsync(ServletRequest,ServletResponse) is called, as opposed to relying on Thread equality.
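
To make the workflow above concrete, here is an added Python simulation (not Spring Security's code): a single-worker pool forces the container Thread to be reused, and the wrapper's save-on-commit check is run once with the old Thread-equality rule and once with the startAsync rule the fix describes. The class, session and user names are constructed for the example.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

CONTEXT_KEY = "SPRING_SECURITY_CONTEXT"  # session attribute name seen in the logs
_holder = threading.local()              # stand-in for SecurityContextHolder (per thread)

class SaveOnCommitWrapper:
    """Stand-in for SaveContextOnUpdateOrErrorResponseWrapper (constructed, not the real class)."""

    def __init__(self, session, strategy):
        self.session = session
        self.strategy = strategy                  # "thread": old check; "async": the fix
        self.creating_thread = threading.get_ident()
        self.async_started = False

    def start_async(self):
        self.async_started = True                 # ServletRequest#startAsync was invoked

    def save_disabled(self):
        if self.strategy == "thread":
            return threading.get_ident() != self.creating_thread
        return self.async_started

    def commit(self):
        # Save-on-commit hook: persist the holder's context, or remove it if empty.
        if self.save_disabled():
            return
        ctx = getattr(_holder, "ctx", None)
        if ctx is None:
            self.session.pop(CONTEXT_KEY, None)   # empty holder -> context removed from session
        else:
            self.session[CONTEXT_KEY] = ctx

def simulate_timeout(strategy):
    """Replays the workflow from the description with a single pooled thread."""
    session = {CONTEXT_KEY: "alice"}              # constructed authenticated HttpSession
    state = {}

    def original_request():
        _holder.ctx = session[CONTEXT_KEY]        # persistence filter loads the context
        state["resp"] = SaveOnCommitWrapper(session, strategy)
        state["resp"].start_async()               # controller returned a DeferredResult
        _holder.ctx = None                        # filter clears holder as request completes

    def timeout_dispatch():
        state["resp"].commit()                    # timeout dispatched, response committed

    with ThreadPoolExecutor(max_workers=1) as pool:  # one worker, so the thread is reused
        pool.submit(original_request).result()
        pool.submit(timeout_dispatch).result()
    return session.get(CONTEXT_KEY)               # None means the user was logged out
```

With the "thread" rule the reused worker passes the equality check and writes the cleared holder back, emptying the session; with the "async" rule the save is skipped and the session keeps its context.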

      Original Description

      I still see the same behavior on DeferredResult controllers (after some time there is an auto logout).
      It doesn't always happen as it used to before 3.2.0.M1.

      Logs are just before logging out occurs and are related to an AJAX call to a deferredResult method.

      Logs:
      2013-01-01 16:20:08,019 DEBUG yContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
      ...
      2013-01-01 16:21:32,649 DEBUG eToSessionResponseWrapper:140 - Skip saving SecurityContext since processing the HttpServletResponse on a different Thread than the original HttpServletRequest
      ...
      2013-01-01 16:22:01,650 DEBUG SecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
      ...
      2013-01-01 16:22:03,660 DEBUG AntPathRequestMatcher :116 - Checking match of request : '/deferred'; against '/resources/**'
      ...
      2013-01-01 16:22:03,661 DEBUG SecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
      2013-01-01 16:22:03,661 DEBUG SecurityContextRepository:85 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@5b3cc94b. A new one will be created.
      ...
      2013-01-01 16:22:03,664 DEBUG ymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90541710: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 6D46ACB5AEA101C58A838529A3F6ED1D; Granted Authorities: ROLE_ANONYMOUS'
      ...
      2013-01-01 16:22:03,667 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90541710: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 6D46ACB5AEA101C58A838529A3F6ED1D; Granted Authorities: ROLE_ANONYMOUS
      ...
      2013-01-01 16:22:03,668 DEBUG AffirmativeBased :65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@52d9eb97, returned: -1
      ...
      2013-01-01 16:22:03,668 DEBUG xceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
      org.springframework.security.access.AccessDeniedException: Access is denied

          Activity

          mooshben Moosh Ben added a comment -

          Hi Rob,
          I missed your last comment.
          I will try to reproduce the issue as you suggested and will use the latest snapshot to confirm the issue was resolved.
          Will post here once it's done.

          Thanks

          mooshben Moosh Ben added a comment -

          I was unable to reproduce it using maxThreads="1".
          In any case I have updated to CI-SNAPSHOT and I should be able to figure out if it was fixed pretty quickly.

          Thanks

          mooshben Moosh Ben added a comment -

          We have been using your fix for the last week and it seems to work perfectly.
          Thanks!

          rwinch Rob Winch added a comment -

          Thanks for the bug report and for ensuring to follow up! Given your feedback, I am going to mark this as fixed.

          issuemaster Spring Issuemaster added a comment -

          This issue has been migrated to https://github.com/spring-projects/spring-security/issues/2313

            People

            • Assignee: rwinch Rob Winch
            • Reporter: mooshben Moosh Ben
            • Votes: 1
            • Watchers: 7