Luke Taylor (Migrated from SEC-767) said:
The changes introduced in SEC-689 may cause problems when a response has already been committed (for whatever reason) when going from an unauthenticated to an authenticated state. In this case it isn’t possible to create a new session. The session fixation protection filter should check the response state.
Luke Taylor said:
I’ve added a check in the session fixation filter to make sure the response hasn’t already been committed. If it has, it will log a warning when it would normally have created a new session.
See http://jira.springframework.org/browse/SEC-767. As the user suggests, adding support for flushBuffer in the response wrapper would be a better solution.
I’ve added flushBuffer to the methods that the reponse wrapper overrides. However, it’s still possible that the response will be committed due to the write buffer being filled without an explicit call to flushBuffer.