You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
When using XML configuration with once-per-request="true" with use-authorization-manager="false" as per this guide, the resulting org.springframework.security.web.access.intercept.FilterSecurityInterceptor still containts observeOncePerRequest = false.
This is probably because org.springframework.security.config.http.HttpConfigurationBuilder does not ever set the value to true:
if ("false".equals(this.httpElt.getAttribute(ATT_ONCE_PER_REQUEST))) {
builder.addPropertyValue("observeOncePerRequest", Boolean.FALSE);
}
It is probably expected that the default is still true, which changed in gh-11466 (6455e98)
To Reproduce
Create a Spring Security configuration with a similar configuration:
Describe the bug
When using XML configuration with
once-per-request="true"
withuse-authorization-manager="false"
as per this guide, the resultingorg.springframework.security.web.access.intercept.FilterSecurityInterceptor
still containtsobserveOncePerRequest = false
.This is probably because
org.springframework.security.config.http.HttpConfigurationBuilder
does not ever set the value totrue
:It is probably expected that the default is still true, which changed in gh-11466 (6455e98)
To Reproduce
Expected behavior
Upon setting
once-per-request="true"
, the forwarded request should not be processed the second time.The text was updated successfully, but these errors were encountered: