Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked #2313
Previously Spring Security would disable automatically saving the SecurityContext when the Thread was different than the Thread that created the SaveContextOnUpdateOrErrorResponseWrapper. This worked for many cases, but could cause issues when a timeout occurred. The problem is that a Thread can be reused to process the timeout since the Threads are pooled. This means that a timeout of a request trigger an apparent logout as described in the following workflow:
Spring Security should prevent the SecurityContext from automatically being saved when the response is committed as soon as ServletRequest#startAsync() or ServletRequest#startAsync(ServletRequest,ServletResponse) is called as apposed to looking at the Thread equality.
h1. Original Description
I still see the same behavior on DeferredResult controllers. (after some time there is an auto logout)
Logs are just before logging out occurs and are related to an AJAX call to a deferredResult method.
Rob Winch said:
A few specific questions:
Moosh Ben said:
During this time there is no activity other than an ongoing connection to a deferred result controller.
#* An AJAX connection is made to ??/deferred??
Here is a code example of how our code looks like. Please note that logging out occurs after a connection timeout and not after a message is sent.
All future request are logged out
As for logs I'm not sure there is anything interesting prior to the logout, in any case I have trouble attaching full logs, if required I will produce logs again without doing anything prior to the logout so you can have clean logs.
My workaround for now is this (works perfectly): ????
Rob Winch said:
Thank you for the details on how to reproduce the problem I was able to reproduce the issue and understand what is happening. The updates to prevent the logout were to disable automatically saving the SecurityContext when the response was committed if the response was committed on a different Thread than the original request. This works fine except for when the Thread that created the request is reused (since it is in a Thread Pool) to handle a timeout. The only time it causes a problem is when the Thread was reused, so that is why you only experienced intermittent issues.
I have a few ideas on how to resolve the issue, but haven't come to any conclusions on how best to do it just yet. I will post here when I have a snapshot with a fix available (likely within the next week).
Rob Winch said:
@mooshben - I have pushed a fix out to to master and it should be deployed to the snapshot repository. A tip on reproducing the issue more consistently is to change the number of threads processing requests to 1. By doing this you ensure that once a timeout occurs the same Thread processes the timeout as was processing the original request and thus you should be able to reproduce the issue consistently. You can try this configuration before updating to the spring-security-web snapshot to ensure that you are consistently able to reproduce the issue. For example, if you are using Tomcat update your connector definition to state maxThreads=1 as shown in the server.xml snippet below:
Once you can consistently reproduce the issue update to use spring-security-web-3.2.0.CI-SNAPSHOT.jar and you should see that the issue is gone. I have confirmed this locally with my own sample application but it would not hurt to get validation from you to ensure I have found the correct issue.
Update the spring-security-web dependency to use spring-security-web-3.2.0.CI-SNAPSHOT.jar and you should see the issue is fixed.