IllegalStateException from call to response.sendRedirect in successfulAuthentication

[Luke Taylor]

These are just the redesign changes related to how the user is redirected after logging in. This has no bearing on why the response has committed. That has nothing to do with "modifying the request in a filter".

[fsoares]

These are just the redesign changes related to how the user is redirected after logging in. This has no bearing on why the response has committed. That has nothing to do with "modifying the request in a filter".

Hello Luke.
I think that that the user case presented by cirorezende was exactly the some that I exposed.
And I got exactly the some error when I try something like him, by example using the:

Code:

MyTargetUrl = "/xxx.html"
getRedirectStrategy().sendRedirect(request, response, MyTargetUrl);

when extending SimpleUrlAuthenticationSuccessHandler.

But if there is a better way to obtain the desired result...

[Luke Taylor]

You said

That state illegal exception appear in my opinion from the some reason that we can't modify the request in a filter, without a wrapper.

The exception comes from a call to response.sendRedirect(). If you check the servlet spec or Javadoc (or as above, the Tomcat source) you will see that this raises an IllegalStateException "If the response has already been committed".

So the issue is not related to accessing the request object.

[fsoares]

You said



The exception comes from a call to response.sendRedirect(). If you check the servlet spec or Javadoc (or as above, the Tomcat source) you will see that this raises an IllegalStateException "If the response has already been committed".

So the issue is not related to accessing the request object.

Luke, the reason is your side.
I look again to the original code and is invoking a response.redirect and I was mistaken because I struggle with the some problem, but not using the response, of course.

[TheMCME]

Hi guys,

I get the same error with tomcat, but that works when I use jetty.

Any update on that stuff?

Thanks.

[Luke Taylor]

If you are getting the same error - i.e. because the response is committed - then you'll need to debug the difference between the two containers to work out why one thinks it has and the other doesn't. It could be due to differences in response buffering or something. But it is a normal issue when dealing with the serlvet API - it isn't a Spring Security question.

[TheMCME]

So, why with the same container, that works with Spring Security 2, but that doesn't with Spring Security 3?

[Luke Taylor]

I don't know. Only you have access to your application so you'll have to work out at what point the response is committed and why. That happens before the redirect is called, once the server starts writing the output back to the client, so you have to use a debugger and track the response throughout the request.

[vw729]

I don't know. ..., so you have to use a debugger and track the response throughout the request.

I get the same error in the same situation on TC 5 with SS 3.0. In the onAuthenticationSuccess method of the SimpleUrlAuthenticationSuccessHandler class,

Code:

	public void onAuthenticationSuccess(HttpServletRequest request,
			HttpServletResponse response, Authentication authentication)
			throws IOException, ServletException {

                super.onAuthenticationSuccess(request, response, authentication);

...
      }

The exception no longer occurs after removing the invoking the same method in its super class and getting out the method, that is "return", right after invoking the sendRedirect.