Spring Framework / SPR-10027

Spring 3.2 Long polling causing spring security context to be cleared

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Invalid
    • Affects Version/s: 3.2 RC1
    • Fix Version/s: None
    • Component/s: Web
    • Labels:
      None

      Description

      A completed/timed-out DeferredResult async request is causing a clearance of the spring security from the session, making it equivalent to a logout.

      Getting this in logs:
      HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.

      The problem was found and explained by forum user nvrs:

      After the DeferredResult is set, the method flush() of org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper gets called, which via a proxy calls saveContext() of org.springframework.security.web.context.HttpSessionSecurityContextRepository.

      Since the authentication object is null (due to the fact that the spring security context has been cleared) the line
      httpSession.removeAttribute(springSecurityContextKey) removes the SPRING_SECURITY_CONTEXT from the session and the next request that the user makes results in a session with no security context and thus the user is redirected to login.

      The workaround I'm using right now in my application is to bypass security on async requests:
      <http pattern="/async_deferred" security="none" />

      Please look in the forum for further details:
      http://forum.springsource.org/showthread.php?129823-Spring-3-2-Long-polling-causing-spring-security-context-to-be-cleared
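
The sequence described in the report, as an added example that is not part of the original issue and is not Spring Security source code. It is a simplified model: the class name, method names and the sample user are assumptions, and only the SPRING_SECURITY_CONTEXT attribute and the remove-on-empty behaviour come from the report.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified model of the reported sequence; all names here are hypothetical. */
public class AsyncContextLossDemo {
    // Session attribute named in the report.
    static final String KEY = "SPRING_SECURITY_CONTEXT";
    // Stand-in for the thread-bound security context (null = empty or anonymous).
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();

    /** Models saveContext() as the report describes it: an empty context removes the attribute. */
    static void saveContext(Map<String, Object> session) {
        String auth = HOLDER.get();
        if (auth == null) {
            session.remove(KEY);      // this step is what behaves like a logout
        } else {
            session.put(KEY, auth);
        }
    }

    /** Initial dispatch: load the context, hand off to async processing, clear the holder. */
    static void initialDispatch(Map<String, Object> session) {
        HOLDER.set((String) session.get(KEY));
        // ... the controller returns a DeferredResult; the response stays open ...
        HOLDER.remove();              // context cleared once the request thread is released
    }

    /** Later: the DeferredResult is set or times out and the response is flushed. */
    static void completeDeferredResult(Map<String, Object> session) {
        saveContext(session);         // flush() -> saveContext() with an empty holder
    }

    /** True if the session still carries an authenticated context. */
    static boolean isAuthenticated(Map<String, Object> session) {
        return session.get(KEY) != null;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        session.put(KEY, "alice");    // constructed sample: user logged in earlier
        initialDispatch(session);
        System.out.println("after initial dispatch: " + isAuthenticated(session));
        completeDeferredResult(session);
        System.out.println("after async completion: " + isAuthenticated(session));
    }
}
```
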

        Activity

        liran yogev added a comment -

        Apparently this already appears in:
        https://jira.springsource.org/browse/SEC-2067

        Which is duplicated to:
        https://jira.springsource.org/browse/SEC-1998

        This needs to be closed as duplicate.
        Sorry...

        Rossen Stoyanchev added a comment -

        It looks like you already hunted all the information down.


          People

          • Assignee:
            Rossen Stoyanchev
            Reporter:
            liran yogev
            Last updater:
            Rossen Stoyanchev
          • Votes:
            0
            Watchers:
            4

            Dates

            • Created:
              Updated:
              Resolved:
              Days since last comment:
              1 year, 21 weeks, 3 days ago