Danielius Jurna (Migrated from SEC-248) said:
HttpSessionContextIntegrationFilter doesn’t work if HttpInvokerServiceExporter is used.
HttpInvokerServiceExporter calls HttpResponse.getOutputStream().close(). After that you cannot set headers in the response, which means you cannot set cookies in the response, which means that your HttpSession is lost and the HTTP client must authenticate on every request.
Workaround: create filter before HttpSessionContextIntegrationFilter and create session before invoking other filters.
Ben Alex said:
HttpSessionContextIntegrationFilter offers a new property, forceEagerSessionCreation, which may achieve the same workaround as suggested.
Nevertheless, I am surprised by this problem as I believe Contacts ships with a HttpInvoker which shows it operating correctly. I’ll need to try to reproduce this problem before we release 1.0.0 final.
Danielius Jurna said:
Actually “doesn’t work” is not a very exact statement :-). Everything is working without major problems, but if you look at the HTTP messages sent across the wire, you’ll see that credentials are sent on every request (because every time the server returns ‘Not Authenticated’ and HttpClient retries the same operation with authentication credentials). It took me a while to find out why credentials are sent on every request.
The lack of support in HttpInvoker for HttpSessions is a HttpInvoker-specific issue. This is not an issue with Acegi Security, so the issue is being closed.
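The workaround described in this thread, sketched as a servlet filter. This is an added example, not code from the issue or from Acegi Security; the class name EagerSessionCreationFilter is hypothetical, and it assumes the filter is mapped in web.xml ahead of HttpSessionContextIntegrationFilter.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical filter: forces the HttpSession to exist before any later
// filter or the HttpInvokerServiceExporter can commit the response.
public class EagerSessionCreationFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest && !response.isCommitted()) {
            // getSession(true) creates the session now, while the container
            // can still add the session cookie header to the response.
            // Calling it after the output stream has been closed would throw
            // IllegalStateException, or leave the client without a cookie.
            ((HttpServletRequest) request).getSession(true);
        }
        // The exporter may close the output stream further down the chain;
        // the session cookie has already been queued by then.
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

With this filter in place, every request that arrives without a session cookie allocates a session, including unauthenticated ones, so limit its mapping to the HttpInvoker URLs and keep the session timeout short.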