SEC-1346: SessionManagementFilter: should "return;" after "redirectStrategy.sendRedirect(request, response, invalidSessionUrl);" #1578

Closed
spring-issuemaster opened this Issue Dec 29, 2009 · 4 comments

1 participant

@spring-issuemaster

Alvin Chee (Migrated from SEC-1346) said:

java.lang.IllegalStateException: Cannot create a session after the response has been committed
org.apache.catalina.connector.Request.doGetSession(Request.java:2313)
org.apache.catalina.connector.Request.getSession(Request.java:2074)
org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833)
org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:844)
javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:224)
org.springframework.security.web.savedrequest.HttpSessionRequestCache.saveRequest(HttpSessionRequestCache.java:38)
org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:177)
org.springframework.security.web.access.ExceptionTranslationFilter.handleException(ExceptionTranslationFilter.java:158)
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:95)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:79)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:55)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:36)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:106)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)

@spring-issuemaster

Alvin Chee said:

Same issue should be faced in ConcurrentSessionFilter (have yet to try)

@spring-issuemaster

Alvin Chee said:

if (invalidSessionUrl != null) {
    logger.debug("Redirecting to '" + invalidSessionUrl + "'");
    redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
    return; //should add this
}

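The pattern proposed above, written out as a complete servlet filter so the consequence of the missing `return` is visible in context. This is an added example, not Spring Security's code; the class name `InvalidSessionRedirectFilter` and the trailing `isCommitted()` guard are assumptions, while the session-id condition matches the one SessionManagementFilter uses.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical stand-in for the invalid-session branch of SessionManagementFilter
// (assumed class, not the Spring Security implementation). Once sendRedirect() has
// committed the response the filter must stop the chain: anything downstream that
// calls request.getSession() hits the IllegalStateException shown in the report.
public class InvalidSessionRedirectFilter implements Filter {
    private final String invalidSessionUrl;

    public InvalidSessionRedirectFilter(String invalidSessionUrl) {
        this.invalidSessionUrl = invalidSessionUrl;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Same condition SessionManagementFilter checks: the client presented a
        // session id that the container no longer recognises (expired or stale).
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
            response.sendRedirect(invalidSessionUrl); // commits the response
            return; // the fix from the report: do not let the chain continue
        }

        // Defensive guard for a filter placed after one that may already have
        // redirected: a committed response can neither start a session nor be
        // redirected again, so there is nothing safe left to do downstream.
        if (response.isCommitted()) {
            return;
        }
        chain.doFilter(request, response);
    }
}
```
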
@spring-issuemaster

Alvin Chee said:

Additionally, can NULL sessions be redirected to invalidSessionUrl as well? (or configurable via namespace) To avoid having JSESSIONID appended by the servlet container.

Example,
;jsessionid=C0B6CF8068DE7FB83CAA6C473DA5D098

@spring-issuemaster

Luke Taylor said:

Thanks for spotting this. I've fixed the appropriate redirects.

To answer your question - a null session isn't regarded as invalid and there is no functionality to treat it as such. That URL only applies to the situation when a session ID is submitted by the client.

@spring-issuemaster spring-issuemaster added this to the 3.0.1 milestone Feb 5, 2016