Spring Security / SEC-248

HttpSessionContextIntegrationFilter doesn't work with HttpInvokerServiceExporter

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 1.0.0 RC2
    • Fix Version/s: 1.0.0
    • Component/s: Core
    • Labels:
      None
    • Environment:
      JDK 5.0, Jetty, Linux

      Description

      HttpSessionContextIntegrationFilter doesn't work if HttpInvokerServiceExporter is used.
      HttpInvokerServiceExporter calls HttpResponse.getOutputStream().close(). After that you cannot set headers in the response, which means you cannot set cookies in the response, which means that your HttpSession is lost and the HTTP client must authenticate on every request.
      Workaround: create a filter before HttpSessionContextIntegrationFilter and create the session before invoking other filters.

        Activity

        Ben Alex added a comment -

        HttpSessionContextIntegrationFilter offers a new property, forceEagerSessionCreation, which may achieve the same workaround as suggested.

        Nevertheless, I am surprised by this problem as I believe Contacts ships with a HttpInvoker which shows it operating correctly. I'll need to try to reproduce this problem before we release 1.0.0 final.

        Danielius Jurna added a comment -

        Actually "doesn't work" is not a very exact statement. Everything is working without major problems, but if you look at the HTTP messages sent across the wire, you'll see that credentials are sent on every request (because every time the server returns 'Not Authenticated' and HttpClient retries the same operation with authentication credentials). It took me a while to find out why credentials are sent on every request.

        Ben Alex added a comment -

        The lack of support in HttpInvoker for HttpSessions is a HttpInvoker-specific issue. This is not an issue with Acegi Security, so the issue is being closed.


          People

          • Assignee:
            Ben Alex
            Reporter:
            Danielius Jurna
          • Votes:
            0
            Watchers:
            1
