SEC-1528: HttpSession.setAttribute() must be called if the SecurityContext is modified during a request #1769

Closed
spring-issuemaster opened this Issue Aug 2, 2010 · 3 comments


@spring-issuemaster

Luke Taylor (Migrated from SEC-1528) said:

The current logic in HttpSessionSecurityContextRepository does not set the session attribute if it finds that the current thread-local context matches the value in the session. This works fine in a single JVM. However, in a cluster or cloud environment where requests for the same session may be handled in different JVMs, the changes must be propagated to other nodes and the setAttribute() call is required to achieve this.

@spring-issuemaster

Luke Taylor said:

The solution is probably to drop the logic from SEC-1307 which compares Cs and Ct entirely and rely on the specific checks on the context and authentication objects.

@spring-issuemaster

Luke Taylor said:

Fix implemented as described.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
@spring-issuemaster

This issue is related to #1552
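
The failure mode reported in this issue, as an added example that is not Spring Security's code or part of the original thread: a toy two-node session in which a peer only receives a value when `setAttribute()` is called. `NodeSession`, `Context`, `saveIfReferenceDiffers` and `seenBy` are hypothetical names, and replication is simulated with Java serialization.

```java
import java.io.*;
import java.util.*;

public class SessionReplicationDemo {
    static final String KEY = "SPRING_SECURITY_CONTEXT"; // session attribute name used in this demo

    // Constructed stand-in for a security context; not Spring's class.
    static class Context implements Serializable {
        String principal;
        Context(String principal) { this.principal = principal; }
    }

    // Toy clustered session: the peer node receives a serialized copy only on setAttribute().
    static class NodeSession {
        final Map<String, Object> local = new HashMap<>();
        NodeSession peer;

        void setAttribute(String key, Object value) throws Exception {
            local.put(key, value);
            if (peer == null) return;
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(value); }
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
                peer.local.put(key, in.readObject());
            }
        }
    }

    // Shortcut described in the issue: skip the write when the session already holds this object.
    static void saveIfReferenceDiffers(NodeSession s, Context ctx) throws Exception {
        if (s.local.get(KEY) != ctx) s.setAttribute(KEY, ctx);
    }

    static String seenBy(NodeSession s) { return ((Context) s.local.get(KEY)).principal; }

    public static void main(String[] args) throws Exception {
        NodeSession a = new NodeSession(), b = new NodeSession();
        a.peer = b;
        a.setAttribute(KEY, new Context("anonymous"));

        Context ctx = (Context) a.local.get(KEY);
        ctx.principal = "alice";            // context modified in place during a request on node A
        saveIfReferenceDiffers(a, ctx);     // same reference, so nothing is replicated
        System.out.println("reference shortcut:  A=" + seenBy(a) + " B=" + seenBy(b));

        a.setAttribute(KEY, ctx);           // explicit call pushes the modified context to node B
        System.out.println("after setAttribute: A=" + seenBy(a) + " B=" + seenBy(b));
    }
}
```

With the reference shortcut, a request for the same session that lands on node B is evaluated against the stale context until some later write happens to replicate it.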
