Background:

We have a class that listens for the HttpSessionDestroyedEvent Spring event from Acegi (version 0.8.1).

When a user logs out:

1) HttpSessionDestroyedEvent is fired.
2) We capture the event and grab the SecureContext [SecureContext context = SecureContextUtils.getSecureContext();].
3) Grab the principal from the SecureContext.
4) And perform some clean-up business logic operations based on the principal instance.

The Problem:

When a user explicitly logs out (by clicking the logout button), we invalidate the session, the HttpSessionDestroyedEvent is fired, and the above logic works great.

However, on HTTP session timeouts, even though an HttpSessionDestroyedEvent is fired, we run into an exception getting the SecureContext.

This is the exception:

DEBUG Exception getting the context -java.lang.IllegalStateException: ContextHolder invalid: 'null': are your filters ordered correctly? HttpSessionContextIntegrationFilter should have already executed by this time (look for it in the stack dump below)

This is the stack trace:

2005-10-24 20:27:22,855 DEBUG net.sf.acegisecurity.context.security.SecureContextUtils.getSecureContext(SecureContextUtils.java:38)
2005-10-24 20:27:22,855 DEBUG com.galt.ldn.security.AuthenticationListener.onApplicationEvent(AuthenticationListener.java:70)
2005-10-24 20:27:22,855 DEBUG org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:68)
2005-10-24 20:27:22,855 DEBUG org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:218)
2005-10-24 20:27:22,855 DEBUG net.sf.acegisecurity.ui.session.HttpSessionEventPublisher.sessionDestroyed(HttpSessionEventPublisher.java:104)
2005-10-24 20:27:22,856 DEBUG org.mortbay.jetty.servlet.AbstractSessionManager$Session.invalidate(AbstractSessionManager.java:627)
2005-10-24 20:27:22,856 DEBUG org.mortbay.jetty.servlet.AbstractSessionManager.scavenge(AbstractSessionManager.java:429)
2005-10-24 20:27:22,856 DEBUG org.mortbay.jetty.servlet.AbstractSessionManager.access$100(AbstractSessionManager.java:47)
2005-10-24 20:27:22,856 DEBUG org.mortbay.jetty.servlet.AbstractSessionManager$SessionScavenger.run(AbstractSessionManager.java:462)

Question:

Why are we seeing this exception only on session timeouts and not on explicit session invalidation? What's the solution?

Is there any other way to get at the user associated with the destroyed HTTP session without having to get the SecureContext instance?

Thanks. Any help greatly appreciated.
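
The stack trace above ends in Jetty's SessionScavenger thread rather than a request thread, so no filter has populated the thread-bound context when the listener runs. The stand-alone model below is an added example, not code from the original post or from Acegi: every class, method and key name in it is hypothetical, and it assumes the context is also kept as an attribute of the session handed to the listener.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Stand-alone model; none of these names are Acegi or Jetty classes.
public class SessionDestroyedDemo {
    // Stand-in for a thread-bound security context holder.
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();
    static final String CTX_KEY = "CTX"; // hypothetical session attribute name

    // Stand-in for the listener: runs on whichever thread destroys the session.
    static String onSessionDestroyed(Map<String, Object> session) {
        String fromThread = HOLDER.get();
        if (fromThread != null) {
            return "holder:" + fromThread;
        }
        // No filter ran on this thread, so read what is stored with the session itself.
        Object stored = session.get(CTX_KEY);
        return stored != null ? "session:" + stored : "unknown";
    }

    // Explicit logout: the request passed through the filter, so the holder is set.
    static String logoutOnRequestThread(Map<String, Object> session) {
        HOLDER.set((String) session.get(CTX_KEY)); // what a per-request filter would do
        try {
            return onSessionDestroyed(session);
        } finally {
            HOLDER.remove(); // holder is cleared when the request ends
        }
    }

    // Timeout: a background thread destroys the session; no filter ever ran there.
    static String timeoutOnScavengerThread(Map<String, Object> session)
            throws InterruptedException {
        String[] result = new String[1];
        Thread scavenger = new Thread(() -> result[0] = onSessionDestroyed(session), "scavenger");
        scavenger.start();
        scavenger.join(); // join makes the worker's write visible to this thread
        return result[0];
    }

    public static void main(String[] args) throws InterruptedException {
        Map<String, Object> session = new ConcurrentHashMap<>();
        session.put(CTX_KEY, "alice"); // constructed sample principal
        System.out.println(logoutOnRequestThread(session));
        System.out.println(timeoutOnScavengerThread(session));
    }
}
```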