It seems the problem is @WithAnonymousUser.
When I set it, the SecurityContext will always have an AnonymousAuthenticationToken.
Everything works fine when I omit the annotation. But the secured page should normally not be accessible by an anonymous (not logged in) user. There is even a mockMvc test asserting that @WithAnonymousUser is redirected to login.
@616slayer616 apologies for the delay here. I was trying to run the sample to get an idea about what you were describing (and whether to move the issue to Spring Security) but the link above does not work. Do you still have the sample around?
Hi
I checked everywhere but unfortunately I don't have the code sample anymore.
It has been a while, so there have been many Spring releases in between, so maybe the issue doesn't exist anymore.
Alright, if you manage to find it we can reopen for consideration but it might be that this has been fixed in the meantime, indeed. Sorry again for the delay.
Patrick Adler opened SPR-17632 and commented
"Logging out" by removing the jsessionid cookie with HtmlUnit's WebClient seems to behave differently, depending on how the WebClient is created.
I have created an example project here
There are 3 tests (NoRememberMeLoginAutoconfigured, NoRememberMeLoginMockMvcWebClientBuilder and NoRememberMeLoginManually) and only the manually configured WebClient behaves as expected.
The problem is that the WebClient stays "logged in" although the session cookie has been deleted.
This does not happen when configuring it manually (new WebClient) or when accessing the page with a browser.
I used a HandlerInterceptorAdapter to verify that the cookies are not sent for the second request. Feel free to check this again (HandlerInterceptorAdapter is included in the example project) because I might have overlooked something.
I have also explained the problem on Stack Overflow and the Spring Boot issue tracker on GitHub, where I was told that the relevant code probably lies within the Spring Framework.
I think the example project demonstrated the problem very obviously but I would be glad to further explain any uncertainties about my issue.
Affects: 5.1.2
Reference URL: spring-projects/spring-boot#15592