Spring Web Services / SWS-708

PayloadValidatingInterceptor errors not clearing SecurityContextHolder

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0 GA
    • Fix Version/s: 1.5.10, 2.0.2
    • Component/s: Security
    • Labels:
      None

      Description

      I have Validation Interceptor first and SecurityInterceptor later in the sequence.

      When the response has validation errors, somehow SecurityContextHolder has old, previously authenticated user information.

      When there are NO response validation errors, SecurityContextHolder is clean.

      I am guessing that when PayloadValidatingInterceptor has errors, that is causing the thread local not to be cleaned up?

      Once the request is complete, all thread context should be nulled out and given back to the pool. It does that when there are no response validation errors but doesn't do that when there are response validation errors. I tried to debug the code, all the way to MessageDispatcherServlet, but didn't find any clue.

      Here is my configuration:

      <sws:interceptors>
          <bean id="wsSecurityInterceptor" class="com.mycompancy.MyXwsSecurityInterceptor">
              <property name="secureResponse" value="false"/>
              <property name="policyConfiguration"
                        value="/WEB-INF/spring/securityPolicy.xml"/>
              <property name="callbackHandlers">
                  <list>
                      <bean class="com.mycompancy.security.MySpringDigestPasswordValidationCallbackHandler">
                          <property name="userDetailsService" ref="securityService"/>
                          <property name="userCache" ref="userCache"/>
                      </bean>
                  </list>
              </property>
          </bean>
          <bean class="com.mycompancy.util.MyLoggingInterceptor"/>
          <bean class="org.springframework.ws.soap.server.endpoint.interceptor.PayloadValidatingInterceptor"
                p:validateRequest="true" p:validateResponse="true">
              <property name="schemas">
                  <list>
                      <value>/WEB-INF/schema/customer.xsd</value>
                      <value>/WEB-INF/schema/users.xsd</value>
                      <value>/WEB-INF/schema/userDetails.xsd</value>
                  </list>
              </property>
          </bean>
      </sws:interceptors>
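
The symptom reported above, modelled with plain JDK classes as an added example (not code from the reporter or from Spring Web Services). `CONTEXT`, `handle` and `secondRequestSees` are hypothetical stand-ins for the thread-bound security context and the interceptor chain; the example shows why cleanup of a thread-local context has to run on the failure path when worker threads are pooled.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration only: hypothetical names, no Spring classes involved.
public class StaleContextDemo {

    // Stand-in for a thread-bound security context (one value per worker thread).
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    // Processes one request; user == null means the request carries no credentials.
    // Returns the principal already bound to the worker thread when the request starts.
    static String handle(String user, boolean responseValid, boolean cleanupInFinally) {
        String seenAtStart = CONTEXT.get();
        try {
            if (user != null) {
                CONTEXT.set(user);            // security step binds the authenticated user
            }
            if (!responseValid) {             // response validation step rejects the payload
                throw new IllegalStateException("response failed schema validation");
            }
            if (!cleanupInFinally) {
                CONTEXT.remove();             // weak variant: cleanup on the success path only
            }
        } catch (IllegalStateException e) {
            // a fault goes back to the caller and the thread returns to the pool
        } finally {
            if (cleanupInFinally) {
                CONTEXT.remove();             // hardened variant: cleanup on every exit path
            }
        }
        return seenAtStart;
    }

    // Runs two requests on the same pooled thread and returns what the second one sees.
    static String secondRequestSees(boolean cleanupInFinally) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Request 1: authenticated as the constructed user "alice", response invalid.
            pool.submit(() -> handle("alice", false, cleanupInFinally)).get();
            // Request 2: no credentials, response valid.
            return pool.submit(() -> handle(null, true, cleanupInFinally)).get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("success-path cleanup only: " + secondRequestSees(false));
        System.out.println("cleanup in finally:        " + secondRequestSees(true));
    }
}
```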

        Activity

        harshi Harshi created issue -
        arjen.poutsma Arjen Poutsma made changes -
        Field: Description (configuration wrapped in {code:xml} markup; wording unchanged)
        arjen.poutsma Arjen Poutsma made changes -
        Assignee Arjen Poutsma [ arjen.poutsma ]
        arjen.poutsma Arjen Poutsma made changes -
        Fix Version/s 2.0.2 [ 11893 ]
        Fix Version/s 1.5.10 [ 11497 ]
        arjen.poutsma Arjen Poutsma made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        arjen.poutsma Arjen Poutsma made changes -
        Resolution Cannot Reproduce [ 5 ]
        Status In Progress [ 3 ] Resolved [ 5 ]
        harshi Harshi made changes -
        Attachment MyXwsSecurityInterceptor.java [ 18224 ]
        arjen.poutsma Arjen Poutsma made changes -
        Resolution Cannot Reproduce [ 5 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        arjen.poutsma Arjen Poutsma made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        arjen.poutsma Arjen Poutsma made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            arjen.poutsma Arjen Poutsma
            Reporter:
            harshi Harshi