SEC-1430: Refactor use of global session keys (e.g. SPRING_SECURITY_LAST_EXCEPTION) and clear session scope after use #1673

Closed
spring-issuemaster opened this Issue Mar 4, 2010 · 1 comment

1 participant

@spring-issuemaster

Luke Taylor (Migrated from SEC-1430) said:

Exceptions and messages need to be cleared out properly from the session if they are stored there. The use of global keys such as SPRING_SECURITY_LAST_EXCEPTION makes this more difficult, since multiple parts of the framework may use them.

In general we shouldn't be storing exceptions in the session if avoidable.

This may cause problems for existing users who expect the messages or exceptions to be there in order to render them after redirects.

@spring-issuemaster

Luke Taylor said:

The last authentication exception is now only set in SimpleUrlAuthenticationFailureHandler. This can easily be overridden by setting the allowSessionCreation flag on the strategy to false. The default AuthenticationSuccessHandler will remove the attribute from the session when authentication succeeds.

I've also removed the caching of the last username in the session. Best practice is generally to avoid re-rendering the username (which also avoids encoding issues). Users who really want to cache the username should do so in an AuthenticationFailureHandler.

The only other global key is the saved request key and this is hidden by the RequestCache abstraction. If a RequestCache is not in use (e.g. because a default target URL is always used) then the key will not be set. Otherwise it will be removed when the request is restored.
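The following is an added example, not Spring Security's own code and not part of the issue discussion. It shows the pattern the comment above recommends: a failure handler that caches the submitted username itself (under its own key rather than a SPRING_SECURITY_* one), respects the same allowSessionCreation policy that governs SPRING_SECURITY_LAST_EXCEPTION, and a success handler that clears the cached value before the framework's default handler clears the exception. It assumes Spring Security 3.1 with the javax.servlet API; the class names, the EXAMPLE_LAST_USERNAME attribute key, the consumeLastUsername helper and the "j_username" parameter default are this example's own choices.

```java
// Added example, not Spring Security code. Assumes Spring Security 3.1 and javax.servlet.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.web.util.HtmlUtils;

/**
 * Failure handler that keeps the framework's default behaviour (the exception is stored
 * under WebAttributes.AUTHENTICATION_EXCEPTION only while allowSessionCreation is true)
 * and additionally caches the submitted username under a key of its own.
 */
public class UsernameCachingFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    // Hypothetical key chosen for this example; not a SPRING_SECURITY_* name, so no other
    // part of the framework reads or writes it and clearing it is this code's job alone.
    public static final String LAST_USERNAME_KEY = "EXAMPLE_LAST_USERNAME";

    // Spring Security 3.x form-login default parameter name; assumption for this example.
    private String usernameParameter = "j_username";

    public UsernameCachingFailureHandler(String failureUrl) {
        super(failureUrl);
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        String username = request.getParameter(usernameParameter);
        // Same policy as the exception itself: only touch the session when creation is allowed.
        if (username != null && isAllowSessionCreation()) {
            request.getSession().setAttribute(LAST_USERNAME_KEY, username);
        }
        // Superclass stores the exception (if allowed) and redirects/forwards to the failure URL.
        super.onAuthenticationFailure(request, response, exception);
    }

    public void setUsernameParameter(String usernameParameter) {
        this.usernameParameter = usernameParameter;
    }

    /**
     * Read-once accessor for the login page: returns the cached username HTML-escaped
     * (avoiding the encoding issue mentioned above) and removes it from the session, so
     * the value cannot leak into later pages. Returns "" when nothing is cached.
     */
    public static String consumeLastUsername(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session just to read
        if (session == null) {
            return "";
        }
        Object value = session.getAttribute(LAST_USERNAME_KEY);
        session.removeAttribute(LAST_USERNAME_KEY);
        return value == null ? "" : HtmlUtils.htmlEscape(value.toString());
    }
}

/**
 * Success handler that removes the cached username and then defers to the framework,
 * which removes WebAttributes.AUTHENTICATION_EXCEPTION and replays (and removes) the
 * saved request from the RequestCache, or falls back to the default target URL.
 */
class UsernameClearingSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(UsernameCachingFailureHandler.LAST_USERNAME_KEY);
        }
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

Wire the two handlers in with the form-login element's authentication-failure-handler-ref and authentication-success-handler-ref attributes; setting allowSessionCreation to false on the failure handler bean then suppresses both the cached username and SPRING_SECURITY_LAST_EXCEPTION for requests that do not already have a session. The read-once helper is what the login view should call, so that a value stored for one render is not left behind in session scope.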

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016