Thread: AnonymousProcessingFilter/WebAuthenticationDetails bug?

  1. #1

    AnonymousProcessingFilter/WebAuthenticationDetails bug?

    I am receiving an exception from AnonymousProcessingFilter java.lang.IllegalStateException: Cannot create a session after the response has been committed. After looking at the source code I found that the filter attempts to create a WebAuthenticationDetails object after the remainder of the filter chain is processed. In my case I have begun writing content to the response from a servlet down the pipeline. The WebAuthenticationDetails object in its constructor attempts to create a new session:

    this.sessionId = request.getSession(true).

    I believe the bug is here; shouldn't it be doing request.getSession()? Why force the creation of a new session?

  2. #2

    I will again answer my own question since no one seems to have any input.
    A call to request.getSession() will also throw the same exception as request.getSession(true) because the response is committed and this call could result in the creation of a new session. Therefore the problem lies in the fact that AnonymousProcessingFilter attempts to create a WebAuthenticationDetails object on the response path of the filter chain. This is not a valid usage since the response may be committed anywhere down the pipeline. I modified the source code and have a patch for this if anyone is interested.

    It seems the WebAuthenticationDetails object is simply created in order to compare against the current Security Context's Authentication object to see that it has not changed over the course of the request. If it matches and we are only anonymous for the current request, we need to set the Authentication object to null so that we wipe it out in the case that there is a session context integration filter. Herein lies the problem: why create another Authentication object just to check for equality? The author should have held a reference before the filter chain resumed processing and used that reference for comparison, thus avoiding the unnecessary and invalid creation of a session.
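    The fix pattern described in the post above, written out as an added example rather than the project's own filter or the patch the poster mentions: the anonymous token is built before the chain runs (the only point at which touching the session is safe), a reference to it is held, and after the chain the held reference is compared by identity instead of constructing a second WebAuthenticationDetails that would call request.getSession(true) on a possibly committed response. The class name HeldReferenceAnonymousFilter, the nested Details holder and the key/principal strings are constructed for this example; the Spring Security 3.x package names and the javax.servlet Filter API are assumed.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical anonymous-processing filter (example code, not the project's own).
 * All request/session access happens BEFORE chain.doFilter(); after the chain only
 * the SecurityContextHolder is touched, so a committed response can never trigger
 * "Cannot create a session after the response has been committed".
 */
public class HeldReferenceAnonymousFilter implements Filter {

    // Constructed sample values; a real deployment configures these.
    private static final String KEY = "example-anonymous-key";
    private static final String PRINCIPAL = "anonymousUser";
    private static final List<GrantedAuthority> ANON_AUTHORITIES =
            AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");

    /** Minimal stand-in for WebAuthenticationDetails that never creates a session. */
    static final class Details {
        final String remoteAddress;
        final String sessionId; // null when the request carries no session

        Details(String remoteAddress, String sessionId) {
            this.remoteAddress = remoteAddress;
            this.sessionId = sessionId;
        }
    }

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Reference to the token THIS filter applied; stays null if a real
        // Authentication was already present in the context.
        AnonymousAuthenticationToken applied = null;

        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            // Safe here: nothing has been written to the response yet.
            // getSession(false) describes an existing session without forcing one to exist.
            HttpSession existing = request.getSession(false);
            String sessionId = (existing == null) ? null : existing.getId();

            applied = new AnonymousAuthenticationToken(KEY, PRINCIPAL, ANON_AUTHORITIES);
            applied.setDetails(new Details(request.getRemoteAddr(), sessionId));
            SecurityContextHolder.getContext().setAuthentication(applied);
        }

        try {
            chain.doFilter(req, res);
        } finally {
            // Response may be committed by now: compare the held reference by identity,
            // do not rebuild details, do not call getSession(...) in any form.
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            if (applied != null && current == applied) {
                // Still the anonymous token we installed for this request only:
                // clear it so a session-integration filter does not persist it.
                SecurityContextHolder.getContext().setAuthentication(null);
            }
        }
    }
}
```

    The identity comparison (==) is deliberate: if any downstream component replaced the context's Authentication, even with an equal-looking anonymous token, that replacement was not this filter's and is left alone. Clearing inside finally keeps the context clean when a downstream servlet throws after committing part of the response.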

  3. #3

    We've fixed this in CVS HEAD, which will be part of the next official release.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security
