Affects Version/s: 3.2 RC1
Fix Version/s: None
A completed/timed out DeferredResult async request is causing a clearance of the Spring Security from the session, making it equivalent to a logout.
Getting this in logs:
HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
The problem was found and explained by forum user nvrs:
After the DeferredResult is set the method flush() of org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper gets called which via a proxy calls saveContext() of org.springframework.security.web.context.HttpSessionSecurityContextRepository.
Since the authentication object is null (due to the fact that the spring security context has been cleared) the line
httpSession.removeAttribute(springSecurityContextKey) removes the SPRING_SECURITY_CONTEXT from the session and the next request that the user makes results in a session with no security context and thus the user is redirected to login.
The workaround I'm using right now in my application is to bypass security on async requests:
<http pattern="/async_deferred" security="none" />
Please look in the forum for further details:
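A simplified model of the sequence described in this report, added here as an illustration; it is not code from Spring Security or from the reporter. The class, the `saveOnFlush` switch and the sample user are assumptions made for the model, and the guarded run shows one way a wrapper could avoid the overwrite, not the project's fix.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the reported sequence; these are NOT Spring Security's classes.
public class AsyncContextLossDemo {
    static final String KEY = "SPRING_SECURITY_CONTEXT";
    // Stand-in for SecurityContextHolder: one authentication per thread.
    static final ThreadLocal<String> holder = new ThreadLocal<>();

    // Stand-in for the repository's saveContext(): an empty context removes the session attribute.
    static void saveContext(Map<String, Object> session) {
        String authentication = holder.get();
        if (authentication == null) {
            session.remove(KEY);      // models the removeAttribute(...) call quoted in the report
            return;
        }
        session.put(KEY, authentication);
    }

    // Stand-in for the response wrapper: flush() triggers saveContext() unless saving is disabled.
    static class ResponseWrapper {
        final Map<String, Object> session;
        boolean saveOnFlush = true;   // hypothetical switch, used only for the guarded run
        ResponseWrapper(Map<String, Object> session) { this.session = session; }
        void flush() { if (saveOnFlush) saveContext(session); }
    }

    // Returns true if the session still holds the security context after the async flush.
    static boolean run(boolean disableSaveForAsync) throws InterruptedException {
        Map<String, Object> session = new HashMap<>();
        session.put(KEY, "alice");                 // constructed sample: user logged in earlier
        ResponseWrapper response = new ResponseWrapper(session);

        holder.set((String) session.get(KEY));     // request thread loads the context
        if (disableSaveForAsync) response.saveOnFlush = false;  // async processing started
        saveContext(session);                      // context saved as the request thread exits
        holder.remove();                           // and the holder is cleared

        // Later the DeferredResult is set on another thread, whose holder is empty.
        Thread completion = new Thread(response::flush);
        completion.start();
        completion.join();
        return session.containsKey(KEY);
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("context kept, save on flush: " + run(false));
        System.out.println("context kept, save disabled for async: " + run(true));
    }
}
```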