Dec 1st, 2009, 08:04 AM
Lost session - SWFUpload
I'm using a Flash application for multiple file upload (FancyUpload/SWFUpload) on my JSP pages. There is a servlet on the server side (doPost).
I have a problem with upload request authentication on my java application server (jetty).
The HttpServletRequest on the upload web page includes the session attribute SPRING_SECURITY_CONTEXT that contains a security information string. The Spring Security framework filter reads this attribute and creates an Authentication object with additional info (SecurityContextHolder.getContext().getAuthentication().getPrincipal()).
However, if I try to upload a file from disk via the Flash application, the request in the upload servlet does not contain this session attribute and SecurityContextHolder.getContext() is empty. This problem occurs in Firefox, Opera and Chrome. IE 8.0 is surprisingly OK (the Spring Security context attribute is inserted into the Flash request).
I could include the session id (from the JSP) in a URL string parameter, but how do I restore the Authentication object in my servlet?
Thanks a lot for any help.
Dec 2nd, 2009, 08:02 AM
The Authentication is stored in the session. It must be that SWFUpload isn't sending along the cookie and/or URL param that identifies your session (with the Authentication stored in it). Solve this problem and you will have solved the authentication problem.
Peter Mularien | Blog
Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
SCJP 5, Oracle DBA
Any postings are my own opinion, and should not be attributed to my employer or clients.
Dec 3rd, 2009, 10:09 AM
SWFUpload does SEND a session and JSESSIONID, but it is some Flash session id of its own that is not associated with the login credentials.
Session ID printed via <% out.println(session.getId()); %> on my jsp page:
gr4rjzzesp3d (the same value is saved in my JSESSIONID cookie).
Session id from server HttpServletRequest.getSession().getId() if I use single upload multiple request (without flash) - gr4rjzzesp3d => Authentication object is OK.
If I use SWFUpload, HttpServletRequest.getSession().getId() prints 1hqu648me45a2 => this is not the same session id that is saved in the JSESSIONID cookie. => Authentication object is empty.
Btw - the request from the Flash upload contains "Cookie: JSESSIONID=1hqu648me45a2".
The session id sent by www.domain.com/url?jsessionid=<% out.print(session.getId()); %> also doesn't work because my Jetty server prefers the cookie session id over the URL session id (if both are defined).
My proposed solution could be to manually restore the Authentication object from the session id passed as a URL parameter (jsessionid=xxx), but I don't know whether that is possible.
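Added example, not part of any post in this thread and not Spring Security's or SWFUpload's own code: a servlet filter that reports, for each upload request, where the session id came from and whether the session it resolves to actually holds the SPRING_SECURITY_CONTEXT attribute discussed above. The class name, the verdict strings and the log format are assumptions made for illustration; only standard Servlet API calls are used.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic filter; map it in web.xml in front of the upload servlet.
public class UploadSessionDiagnosticFilter implements Filter {
    // Session attribute named in the thread; Spring Security keeps the SecurityContext under it.
    static final String CONTEXT_ATTR = "SPRING_SECURITY_CONTEXT";
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getSession(false): never create a fresh, empty session just to inspect it.
        HttpSession session = http.getSession(false);
        boolean hasContext = session != null && session.getAttribute(CONTEXT_ATTR) != null;
        String source = http.isRequestedSessionIdFromCookie() ? "cookie"
                : http.isRequestedSessionIdFromURL() ? "url" : "none";
        String verdict = classify(http.getRequestedSessionId() != null,
                http.isRequestedSessionIdValid(), hasContext);
        // Log the verdict only; the session id is a bearer credential and stays out of logs.
        ctx.log("upload request: session id source=" + source + ", verdict=" + verdict);
        chain.doFilter(req, res);
    }

    // Pure decision logic, separated so it can be unit-tested without a container.
    static String classify(boolean idPresented, boolean idValid, boolean hasContext) {
        if (!idPresented) return "NO_SESSION_ID_SENT";
        if (!idValid) return "UNKNOWN_OR_EXPIRED_SESSION_ID";
        if (!hasContext) return "VALID_SESSION_WITHOUT_AUTHENTICATION";
        return "AUTHENTICATED_SESSION";
    }
}
```

A request that arrives with a cookie for a live session other than the one the user logged in with would be reported as source=cookie, verdict=VALID_SESSION_WITHOUT_AUTHENTICATION.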
Dec 16th, 2009, 06:01 AM
I had the same problem some time ago. As I remember, it could be a browser-dependent problem. Try it with IE and Firefox.
Hint 2: look at the lumisfera dot pl portal. Decompile swfupload from this site and look at the ActionScript code.