SEC-1724: Save the original request URL before redirecting to an invalidSessionUrl #1962

Closed
spring-issuemaster opened this Issue Apr 22, 2011 · 4 comments


@spring-issuemaster

Ian Brandt (Migrated from SEC-1724) said:

Upon redirecting to a configured invalidSessionUrl, SessionManagementFilter currently does not save the original request URL to the RequestCache. If the invalidSessionUrl ultimately routes the user through a successful authentication, the SavedRequestAwareAuthenticationSuccessHandler can only redirect the user to the defaultTargetUrl.

See the linked forum reference for more details and a more specific use case.

Git merge request forthcoming...

@spring-issuemaster

Luke Taylor said:

Thanks for the patch. To be honest, I don't really like having the invalid-session stuff directly in the SessionManagementFilter. I'd prefer to introduce an additional strategy which would handle this sort of thing and could encapsulate additional behaviour such as the use of the RequestCache. I will look into doing that prior to 3.1.

@spring-issuemaster

Ian Brandt said:

Perfect. My patch definitely has a single responsibility principle violation smell to it. As a newcomer I wasn't about to propose new API just to solve my specific issue, but if you think the additional strategy makes sense I couldn't agree more.

@spring-issuemaster

Luke Taylor said:

I've completed work on SEC-1754, which should allow you to plug in your own custom behaviour when an invalid session Id is detected.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016