Results 1 to 2 of 2

Thread: Has anyone come up with a SEC-1998 workaround ?

Hybrid View

  1. Nov 9th, 2012, 02:13 PM #1
    kwest
    kwest is offline Junior Member
    Join Date
    May 2005
    Location
    Boston, MA
    Posts
    17

    Default Has anyone come up with a SEC-1998 workaround ?

    Hi All,

    We are getting bit by this bug when DWR requests hit the security:filter-chain and the httpSessionContextIntegrationFilter cannot find the SPRING_SECURITY_CONTEXT_KEY attribute in the session for a given thread because the Authentication object is either null or is Anonymous (when we are requiring ROLE_ADMINISTRATOR or ROLE_USER):

    Code:
    DEBUG HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper saveContext SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    Here is a related issue:

    https://jira.springsource.org/browse/SEC-2067

    I was wondering how others had approached this problem.

    Thanks,
    KW
    Last edited by kwest; Nov 9th, 2012 at 02:31 PM.
    Reply With Quote Reply With Quote
  2. Nov 12th, 2012, 04:33 PM #2
    Rob Winch
    Rob Winch is offline Senior Member Spring Team
    Join Date
    Jan 2008
    Posts
    1,834

    Default

    It depends on what exactly is causing your issue. If you are spawning your own threads to process the request/response you will likely need to ensure to propagate the SecurityContext to the new Thread. You can see an example of async support in the security branch of my fork of spring-mvc-showcase that uses Spring Security 3.2.0.BUILD-SNAPSHOT. If you want to use the async support demoed you can look at this commit.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules