  1. Spring Framework
  2. SPR-10027

Spring 3.2 Long polling causing spring security context to be cleared

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Invalid
    • Affects Version/s: 3.2 RC1
    • Fix Version/s: None
    • Component/s: Web
    • Labels:
      None

      Description

      A completed/timed-out DeferredResult async request is causing the Spring Security context to be cleared from the session, making it equivalent to a logout.

      Getting this in logs:
      HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.

      The problem was found and explained by forum user nvrs:

      After the DeferredResult is set, the method flush() of org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper gets called, which via a proxy calls saveContext() of org.springframework.security.web.context.HttpSessionSecurityContextRepository.

      Since the authentication object is null (due to the fact that the spring security context has been cleared) the line
      httpSession.removeAttribute(springSecurityContextKey) removes the SPRING_SECURITY_CONTEXT from the session and the next request that the user makes results in a session with no security context and thus user is redirected to login.

      The workaround I'm using right now in my application is to bypass security on async requests:
      <http pattern="/async_deferred" security="none" />

      Please look in the forum for further details:
      http://forum.springsource.org/showthread.php?129823-Spring-3-2-Long-polling-causing-spring-security-context-to-be-cleared
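
The sequence the report describes, as an added example that is not part of the original issue and is not Spring Security code: a small Java model in which the thread-bound context is cleared before a later flush saves it, so the session attribute is removed. The class, the map standing in for the HTTP session, the sample principal and the `skipSave` guard are all assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the reported sequence. Constructed for illustration;
// none of these classes or methods are Spring Security's own code.
public class AsyncContextLossDemo {
    static final String KEY = "SPRING_SECURITY_CONTEXT";

    // Stands in for the thread-bound security context holder.
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();

    // Models the save step triggered by the response flush: an empty
    // context removes the attribute, which is what logs the user out.
    static void saveContext(Map<String, Object> session, boolean skipSave) {
        if (skipSave) {
            return; // hypothetical guard: do not save from the async flush
        }
        String auth = HOLDER.get();
        if (auth == null) {
            session.remove(KEY);
        } else {
            session.put(KEY, auth);
        }
    }

    // Runs one long-poll cycle and reports whether the session still
    // holds the context afterwards.
    static boolean contextSurvives(boolean skipSave) throws InterruptedException {
        Map<String, Object> session = new HashMap<>();
        session.put(KEY, "user=alice"); // constructed sample principal

        // Request thread: context loaded, handler returns the deferred
        // result, and the holder is cleared as the thread is released.
        HOLDER.set((String) session.get(KEY));
        HOLDER.remove();

        // Later, another thread completes the result; the flush saves
        // whatever context that thread holds, which is nothing.
        Thread worker = new Thread(() -> saveContext(session, skipSave));
        worker.start();
        worker.join();
        return session.containsKey(KEY);
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unguarded flush keeps context: " + contextSurvives(false));
        System.out.println("guarded flush keeps context:   " + contextSurvives(true));
    }
}
```

The `security="none"` workaround quoted above takes the matched path out of the security filter chain entirely, so `/async_deferred` is then served with no authentication or authorization checks.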

            People

            • Assignee:
              rstoya05-aop Rossen Stoyanchev
              Reporter:
              lirany liran yogev
              Last updater:
              Rossen Stoyanchev

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                5 years, 30 weeks, 3 days ago