Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1528: HttpSession.setAttribute() must be called if the SecurityContext is modified during a request #1769

spring-issuemaster opened this Issue Aug 2, 2010 · 3 comments


None yet
1 participant

Luke Taylor (Migrated from SEC-1528) said:

The current logic in HttpSessionSecurityContextRepository does not set the session attribute if it finds that the current thread-local context matches the value in the session. This works fine in a single JVM. However, in a cluster or cloud environment where requests for the same session may be handled in different JVMs, the changes must be propagated to other nodes and the setAttribute() call is required to achieve this.

Luke Taylor said:

The solution is probably to drop the logic from SEC-1307 which compares Cs and Ct entirely and rely on the specific checks on the context and authentication objects.

Luke Taylor said:

Fix implemented as described.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016

This issue is related to #1552

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment