
SEC-1430: Refactor use of global session keys (e.g. SPRING_SECURITY_LAST_EXCEPTION) and clear session scope after use #1673

spring-projects-issues opened this issue Mar 4, 2010 · 1 comment


@spring-projects-issues spring-projects-issues commented Mar 4, 2010

Luke Taylor (Migrated from SEC-1430) said:

Exceptions and messages need to be cleared out properly from the session if they are stored there. The use of global keys such as SPRING_SECURITY_LAST_EXCEPTION makes this more difficult, since multiple parts of the framework may use them.

In general we shouldn't be storing exceptions in the session if avoidable.

This may cause problems for existing users who expect the messages or exceptions to be there in order to render them after redirects.


@spring-projects-issues spring-projects-issues commented Nov 26, 2010

Luke Taylor said:

The last authentication exception is now only set in SimpleUrlAuthenticationFailureHandler. This can easily be overridden by setting the allowSessionCreation flag on the strategy to false. The default AuthenticationSuccessHandler will remove the attribute from the session when authentication succeeds.

I've also removed the caching of the last username in the session. Best practice is generally to avoid re-rendering the username (which also avoids encoding issues). Users who really want to cache the username should do so in an AuthenticationFailureHandler.

The only other global key is the saved request key and this is hidden by the RequestCache abstraction. If a RequestCache is not in use (e.g. because a default target URL is always used) then the key will not be set. Otherwise it will be removed when the request is restored.
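The pattern described in the comment above, as an added example (not code from this issue, its author, or Spring Security itself): a failure handler that refuses to create a session just to park an exception, caches the submitted username under an application-specific key (the framework no longer defines one, so `LAST_USERNAME_KEY` and the class names are assumptions of this example), and a success handler plus a read-once helper that clear that key so nothing outlives its use. It assumes the Spring Security 3.x web API (`SimpleUrlAuthenticationFailureHandler`, `SavedRequestAwareAuthenticationSuccessHandler`, `WebAttributes.AUTHENTICATION_EXCEPTION`).

```java
// Added example, not Spring Security's own code. Assumes Spring Security 3.x web classes.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/** Failure handler that keeps session state minimal and application-scoped. */
public class ScopedFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    // Hypothetical key chosen by this example; deliberately not a SPRING_SECURITY_* global.
    public static final String LAST_USERNAME_KEY = "example.LAST_USERNAME";
    private static final int MAX_CACHED_LENGTH = 64;

    private final String usernameParameter;

    public ScopedFailureHandler(String failureUrl, String usernameParameter) {
        super(failureUrl);
        this.usernameParameter = usernameParameter;
        // Do not create a session merely to store SPRING_SECURITY_LAST_EXCEPTION.
        setAllowSessionCreation(false);
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        HttpSession session = request.getSession(false);
        String username = request.getParameter(usernameParameter);
        if (session != null && username != null) {
            // Cache only a bounded string, never the exception object or raw credentials.
            session.setAttribute(LAST_USERNAME_KEY, truncate(username));
        }
        // Parent saves the exception (in the existing session only, since creation is disabled)
        // and redirects to the failure URL.
        super.onAuthenticationFailure(request, response, exception);
    }

    /** Read-once accessor for the login page: returns the value and removes it from the session. */
    public static String consumeLastUsername(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object value = session.getAttribute(LAST_USERNAME_KEY);
        session.removeAttribute(LAST_USERNAME_KEY);
        // The caller must still HTML-escape this before rendering it into the form.
        return value instanceof String ? (String) value : null;
    }

    private static String truncate(String s) {
        return s.length() > MAX_CACHED_LENGTH ? s.substring(0, MAX_CACHED_LENGTH) : s;
    }
}

/** Success handler that clears the example's own key; the parent already clears the exception. */
class ScopedSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(ScopedFailureHandler.LAST_USERNAME_KEY);
            // Belt and braces: the parent removes this too via clearAuthenticationAttributes().
            session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
        }
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

Wire the two handlers into `<form-login>` through `authentication-failure-handler-ref` and `authentication-success-handler-ref`, and have the login view call `ScopedFailureHandler.consumeLastUsername(request)` so the cached value is removed on first render rather than lingering for the life of the session. The example's own key is the whole point: because it is not a framework-wide `SPRING_SECURITY_*` name, nothing else in the framework can read or rely on it, which is exactly what the issue's refactoring aims for.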
