SEC-1998: Support for Servlet 3.0/3.1 asynchronous request processing #2223

Closed
spring-issuemaster opened this Issue Jul 8, 2012 · 4 comments

2 participants

@spring-issuemaster

Rob Winch (Migrated from SEC-1998) said:

Similar to SPR-8517, Spring Security should support async Servlet request processing.

Note: SEC-2067 has a sample application that should be validated against when fixing this issue.

@spring-issuemaster

Rob Winch said:

This is resolved in master

@spring-issuemaster

Moosh Ben said:

I still see the same behavior on DeferredResult controllers (after some time there is an auto logout).
It doesn't always happen as it used to before 3.2.0.M1.

The logs are from just before the logout occurs and are related to an AJAX call to a DeferredResult method.

Logs:
2013-01-01 16:20:08,019 DEBUG yContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
...
2013-01-01 16:21:32,649 DEBUG eToSessionResponseWrapper:140 - Skip saving SecurityContext since processing the HttpServletResponse on a different Thread than the original HttpServletRequest
...
2013-01-01 16:22:01,650 DEBUG SecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
...
2013-01-01 16:22:03,660 DEBUG AntPathRequestMatcher :116 - Checking match of request : '/deferred'; against '/resources/**'
...
2013-01-01 16:22:03,661 DEBUG SecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2013-01-01 16:22:03,661 DEBUG SecurityContextRepository:85 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@5b3cc94b. A new one will be created.
...
2013-01-01 16:22:03,664 DEBUG ymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90541710: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 6D46ACB5AEA101C58A838529A3F6ED1D; Granted Authorities: ROLE_ANONYMOUS'
...
2013-01-01 16:22:03,667 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9054171: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 6D46ACB5AEA101C58A838529A3F6ED1D; Granted Authorities: ROLE_ANONYMOUS
...
2013-01-01 16:22:03,668 DEBUG AffirmativeBased :65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@52d9eb9, returned: -1
...
2013-01-01 16:22:03,668 DEBUG xceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
...
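
An added example, not part of the thread and not Spring Security code: a small log check for the sequence reported in the comment above, where a "Skip saving SecurityContext ... different Thread" message is followed shortly by an anonymous access denial. The sample lines are constructed from the log excerpt above (the last one is invented as a negative case), and the two-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the DEBUG lines quoted in the comment above.
SAMPLE_LOG = """\
2013-01-01 16:21:32,649 DEBUG eToSessionResponseWrapper:140 - Skip saving SecurityContext since processing the HttpServletResponse on a different Thread than the original HttpServletRequest
2013-01-01 16:22:01,650 DEBUG SecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2013-01-01 16:22:03,661 DEBUG SecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2013-01-01 16:22:03,668 DEBUG xceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
2013-01-01 16:40:00,000 DEBUG xceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point
"""

# timestamp, level, (truncated) logger name, source line number, message
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(\w+) +(.*?) *:(\d+) - (.*)$"
)
SKIP_SAVE = "Skip saving SecurityContext since processing the HttpServletResponse on a different Thread"
DENIED_ANON = "Access is denied (user is anonymous)"


def parse(text):
    """Yield (timestamp, logger, message); stack traces and '...' lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m.group(3), m.group(5)


def find_dropped_context(text, window=timedelta(minutes=2)):
    """Return (skip_time, denied_time) pairs where an anonymous denial
    follows a skipped SecurityContext save within `window` (assumed value)."""
    hits, last_skip = [], None
    for ts, _logger, msg in parse(text):
        if msg.startswith(SKIP_SAVE):
            last_skip = ts
        elif msg.startswith(DENIED_ANON) and last_skip is not None:
            if ts - last_skip <= window:
                hits.append((last_skip, ts))
            last_skip = None  # each skipped save is paired with at most one denial
    return hits


if __name__ == "__main__":
    for skipped, denied in find_dropped_context(SAMPLE_LOG):
        print(f"context save skipped at {skipped}, anonymous denial at {denied}")
```

The check only correlates by time; on a busy server, add the session id or thread name to the log pattern and match on that as well.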

@spring-issuemaster

Rob Winch said:

@mooshben - As this JIRA is already closed, I have created SEC-2111 to track your issue. Do you have any more information on how to reproduce the issue? Perhaps a sample project? If you have further information, please provide it on SEC-2111. Thanks!

@spring-issuemaster spring-issuemaster added this to the 3.2.0.M1 milestone Feb 5, 2016
@spring-issuemaster

This issue depends on #2301
