SEC-248: HttpSessionContextIntegrationFilter doesn't work with HttpInvokerServiceExporter #510

Closed
spring-issuemaster opened this Issue Apr 14, 2006 · 4 comments

1 participant

@spring-issuemaster

Danielius Jurna (Migrated from SEC-248) said:

HttpSessionContextIntegrationFilter doesn’t work if HttpInvokerServiceExporter is used.
HttpInvokerServiceExporter calls HttpResponse.getOutputStream().close(). After that you cannot set headers in response, that meanss you cannot set cookies in the response, that meanss, that your HttpSession is lost and http client must authenticate on every request.
Workaround: create filter before HttpSessionContextIntegrationFilter and create session before invoking other filters.

@spring-issuemaster

Ben Alex said:

HttpSessionContextIntegrationFilter offers a new property, forceEagerSessionCreation, which may achieve the same workaround as suggested.

Nevertheless, I am surprised by this problem as I believe Contacts ships with a HttpInvoker which shows it operating correctly. I’ll need to try to reproduce this problem before we release 1.0.0 final.

@spring-issuemaster

Danielius Jurna said:

Actually “doesn’t work” is not very exact statement :-). Everything is working without major problems, but if you look at the http messages sent across the wire, you’ll see that credentials are sent on every request (because everytime server returns ‘Not Authenticated’ and HttpClient retries the same operation with authentication credentials). It took me a while to find out why credentials are sent on every request.

@spring-issuemaster

Ben Alex said:

The lack of support in HttpInvoker for HttpSessions is a HttpInvoker-specific issue. This is not an issue with Acegi Security, so the issue is being closed.

@spring-issuemaster spring-issuemaster added this to the 1.0.0 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment