
Thread: [BUG] JF2 SWF PrimeFaces SSecurity "invalid-session-url" doesn't work with commandBut

  1. #1
    Join Date
    Sep 2011
    Posts
    5


    Hi all,

    I think I found a bug in SWF(?). I am using JF2, Sframework 3.0.5, SWF 2.3.0, Ssecurity 3.0.3, PrimeFaces 2.2.m1, Tomcat 7.0.11.

    I am trying to handle the timeout scenarios in the application. I configured the web.xml session-timeout value and the session-management invalid-session-url in the Spring Security config file.
    However, after a session times out, if you click on the p:commandButton, the web page doesn't redirect properly even though the log says otherwise.
    This redirection seems to be working for h:outputLink.

    Please see below for my steps to reproduce and log outputs. Any help/suggestion is appreciated. Thank you.


    Check out the Spring JSF2, PrimeFaces, and Spring Web Flow showcase:
    Code:
    svn co https://src.springframework.org/svn/spring-samples/webflow-primefaces-showcase/
    In web.xml
    Code:
        <session-config>
            <session-timeout>1</session-timeout>
        </session-config>
    In security-config.xml http tag, add
    Code:
    <security:session-management invalid-session-url="/app/login"/>
    In pom.xml, change
    Code:
    <springwebflow-version>2.3.0.BUILD-SNAPSHOT</springwebflow-version> to <springwebflow-version>2.3.0.RELEASE</springwebflow-version>
    In log4j.xml, add
    Code:
        <logger name="org.springframework.security">
            <level value="trace" />
        </logger>
    Change other loggers' values if needed.

    Build and deploy the application and go to the URL /app/login and sign in as keith/melbourne.

    Click "Web Flow render action" and wait 1 minute. Now click on the "Suggest" button and the web app will be stuck on the same page even though the log output suggests otherwise.

    log outputs
    Code:
    DEBUG: org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/app/ajax-render-action'; to: '/app/ajax-render-action'
    DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/app/ajax-render-action'; pattern is /**; matched=true
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/ajax-render-action?execution=e3s1 at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@d95f1b9'
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/ajax-render-action?execution=e3s1 at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@6f30afa6'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/ajax-render-action?execution=e3s1 at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@655bf451'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/ajax-render-action?execution=e3s1 at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@780525d3'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/ajax-render-action?execution=e3s1 at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@19f67d34'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/ajax-render-action?execution=e3s1 at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@595ee3d'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/ajax-render-action?execution=e3s1 at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@364be9a8'
    DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/ajax-render-action?execution=e3s1 at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@31d93071'
    DEBUG: org.springframework.security.web.session.SessionManagementFilter - Requested session ID7C04A360AD89527ECF6D660D9A2E67A8 is invalid.
    DEBUG: org.springframework.security.web.session.SessionManagementFilter - Starting new session (if required) and redirecting to '/app/login'
    DEBUG: org.springframework.security.web.DefaultRedirectStrategy - Redirecting to '/webflow-primefaces-showcase-1.0.0-BUILD-SNAPSHOT/app/login'
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext contents are anonymous - context will not be stored in HttpSession. 
    DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
    DEBUG: org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/app/login'; to: '/app/login'
    DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/app/login'; pattern is /**; matched=true
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@d95f1b9'
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@58f5def1. A new one will be created.
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@6f30afa6'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@655bf451'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@780525d3'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@19f67d34'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@595ee3d'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@364be9a8'
    DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9054b1a2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: 442A9DB2A27709462DA97F0378318336; Granted Authorities: ROLE_ANONYMOUS'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@31d93071'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@29fb6448'
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@3774c880'
    ...

  2. #2
    Join Date
    Sep 2011
    Posts
    5


    Sorry, the log was too long.
    Code:
    DEBUG: org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource - Converted URL to lowercase, from: '/app/login'; to: '/app/login'
    DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
    TRACE: org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in Root WebApplicationContext: org.springframework.security.access.event.PublicInvocationEvent[source=FilterInvocation: URL: /app/login]
    DEBUG: org.springframework.security.web.FilterChainProxy - /app/login reached end of additional filter chain; proceeding with original chain
    TRACE: org.springframework.web.servlet.DispatcherServlet - Bound request context to thread: org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper@75ffcdd7
    DEBUG: org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'Spring MVC Servlet' processing GET request for [/webflow-primefaces-showcase-1.0.0-BUILD-SNAPSHOT/app/login]
    TRACE: org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping@2717f065] in DispatcherServlet with name 'Spring MVC Servlet'
    TRACE: org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping - No handler mapping found for [/login]
    TRACE: org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping@3929d28] in DispatcherServlet with name 'Spring MVC Servlet'
    TRACE: org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - No handler mapping found for [/login]
    TRACE: org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping@74895110] in DispatcherServlet with name 'Spring MVC Servlet'
    DEBUG: org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Mapping [/login] to HandlerExecutionChain with handler [org.springframework.web.servlet.mvc.ParameterizableViewController@70f293db] and 2 interceptors
    TRACE: org.springframework.web.servlet.DispatcherServlet - Testing handler adapter [org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter@555aad0c]
    DEBUG: org.springframework.web.servlet.DispatcherServlet - Last-Modified value for [/webflow-primefaces-showcase-1.0.0-BUILD-SNAPSHOT/app/login] is: -1
    DEBUG: org.springframework.web.servlet.DispatcherServlet - Rendering view [org.springframework.faces.mvc.JsfView: name 'login'; URL [/WEB-INF/views/login.xhtml]] in DispatcherServlet with name 'Spring MVC Servlet'
    TRACE: org.springframework.faces.mvc.JsfView - Rendering view with name 'login' with model null and static attributes {}
    DEBUG: org.springframework.faces.support.RequestLoggingPhaseListener - Entering JSF Phase: RESTORE_VIEW 1
    DEBUG: org.springframework.faces.mvc.JsfView - Asking faces lifecycle to render
    DEBUG: org.springframework.faces.support.RequestLoggingPhaseListener - Entering JSF Phase: RENDER_RESPONSE 6
    DEBUG: org.springframework.faces.mvc.JsfView - View rendering complete
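
As an added example (not from the original posts or the showcase project): `p:commandButton` submits through Ajax by default, so the 302 in the log above is followed inside the XMLHttpRequest, which then receives the login page's HTML, and the browser never navigates. This Spring Security `RedirectStrategy` answers JSF Ajax requests with a JSF 2 partial-response redirect instead. The class name, wiring it into the filter that handles `invalid-session-url`, and the client-side Ajax handler honouring `<redirect>` are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;

/** Hypothetical class: sends a redirect that a JSF 2 Ajax client can act on. */
public class JsfAjaxRedirectStrategy implements RedirectStrategy {

    // Plain HTTP 302 handling for ordinary (non-Ajax) requests such as h:outputLink.
    private final RedirectStrategy delegate = new DefaultRedirectStrategy();

    public void sendRedirect(HttpServletRequest request, HttpServletResponse response,
                             String url) throws IOException {
        // JSF 2 Ajax posts carry this header; anything else gets the normal redirect.
        if (!"partial/ajax".equals(request.getHeader("Faces-Request"))) {
            delegate.sendRedirect(request, response, url);
            return;
        }
        // Context-relative targets such as "/app/login" need the context path prepended.
        String target = url.startsWith("/") ? request.getContextPath() + url : url;
        target = response.encodeRedirectURL(target);

        // Answer 200 with a partial-response so the Ajax client, not the
        // XMLHttpRequest, performs the navigation.
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("text/xml");
        response.setCharacterEncoding("UTF-8");
        response.setHeader("Cache-Control", "no-cache");
        response.getWriter().write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<partial-response><redirect url=\"" + escapeXmlAttr(target)
                + "\"/></partial-response>");
    }

    // Escape characters that would break out of the url="..." attribute.
    private static String escapeXmlAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```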
