Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-248: HttpSessionContextIntegrationFilter doesn't work with HttpInvokerServiceExporter #510

spring-issuemaster opened this Issue Apr 14, 2006 · 4 comments


None yet
1 participant

Danielius Jurna(Migrated from SEC-248) said:

HttpSessionContextIntegrationFilter doesn’t work if HttpInvokerServiceExporter is used.
HttpInvokerServiceExporter calls HttpResponse.getOutputStream().close(). After that you cannot set headers in response, that meanss you cannot set cookies in the response, that meanss, that your HttpSession is lost and http client must authenticate on every request.
Workaround: create filter before HttpSessionContextIntegrationFilter and create session before invoking other filters.

Ben Alex said:

HttpSessionContextIntegrationFilter offers a new property, forceEagerSessionCreation, which may achieve the same workaround as suggested.

Nevertheless, I am surprised by this problem as I believe Contacts ships with a HttpInvoker which shows it operating correctly. I’ll need to try to reproduce this problem before we release 1.0.0 final.

Danielius Jurna said:

Actually “doesn’t work” is not very exact statement :-). Everything is working without major problems, but if you look at the http messages sent across the wire, you’ll see that credentials are sent on every request (because everytime server returns ‘Not Authenticated’ and HttpClient retries the same operation with authentication credentials). It took me a while to find out why credentials are sent on every request.

Ben Alex said:

The lack of support in HttpInvoker for HttpSessions is a HttpInvoker-specific issue. This is not an issue with Acegi Security, so the issue is being closed.

@spring-issuemaster spring-issuemaster added this to the 1.0.0 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment