HttpSessionIntegrationFilter and creating sessions

[Andreas Schildbach]

Hello again,

This time I've got an improvement to Acegi.

So my first question: Is there an issue tracking for Acegi? I couldn't find one on Sourceforge, and JIRA on springframework.org doesn't host Acegi.

So now for the improvement:

I think it is bad behaviour if a servlet filter creates HttpSessions unless it is absolutely neccesary. The enclosed resources may want to decide on their own if they want to create a session, or adapt their behaviour to the existance of a session.

This said, I propose that getSession() in HttpSessionIntegrationFilter.extractFromContainer( ) and AbstractProcessingFilter.successfulAuthentication( ) should be converted to getSession(false). When getting an attribute, it is not important to create the session if the attribute is not present. If there is no session available, so will be no attribute.

Best regards,

Andreas

[Ben Alex]

There's no issue tracker at present. As per my posting some weeks ago on acegisecurity-developer, the proposal for Acegi Security to become a Spring sub-project would probably mean we get added as a JIRA project to the existing Spring issue tracker.

Regarding your change, I have just committed it to CVS.