Flex+BlazeDS+Spring Security=>Cannot create a session after the response has been com

ceetah · #1 May 28th, 2008, 06:49 AM

Hi,

I made a flex application. I'm using Blaze Data Services.
On the serverside, I use the latest Spring Security.

I get this :

Code:

java.lang.IllegalStateException: Cannot create a session after the response has been committed

in BaseHTTPEndpoint.class at this instruction :

Code:

res.flushBuffer();

can anybody help please?

web.xml:

Code:

<filter>
         <filter-name>springSecurityFilterChain</filter-name>
         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>	
<filter-mapping>
	<filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

applicationContext-security.xml:

Code:

	<http>
	    <form-login />
	    <anonymous />
	    <http-basic />
	    <logout />
	    <remember-me user-service-ref="myUserDetailsService"/>
	</http>
	
	<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
		<beans:property name="userDetailsService" ref="myUserDetailsService"/>
	</beans:bean>  

	<beans:bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
		<beans:property name="providers">
			<beans:list>
				<beans:ref local="daoAuthenticationProvider"/>
			</beans:list>
		</beans:property>
	</beans:bean>
	
	<global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />

everithing works well.. I get the my user from my db.. it gets authenticated.. gets roles.. and then that error

Luke Taylor · #2 May 28th, 2008, 09:27 AM

What is the stacktrace?

ceetah · #3 May 28th, 2008, 10:39 AM

and the stacktrace:

Code:

java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.catalina.connector.Request.doGetSession(Request.java:2221)
	at org.apache.catalina.connector.Request.getSession(Request.java:2031)
	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:832)
	at org.springframework.security.util.SessionUtils.startNewSessionIfRequired(SessionUtils.java:56)
	at org.springframework.security.ui.SessionFixationProtectionFilter.startNewSessionIfRequired(SessionFixationProtectionFilter.java:106)
	at org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:71)
	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
	at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
	at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
	at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
	at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:174)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
	at java.lang.Thread.run(Unknown Source)
[BlazeDS] Channel endpoint my-amf received request.

ceetah · #4 May 29th, 2008, 02:49 AM

the same worked great with acegi !
anyone ecountered this problem?

Luke Taylor · #5 May 29th, 2008, 05:04 AM

It looks like an issue with the session fixation filter:

http://jira.springframework.org/browse/SEC-834

This should be fixed in the latest release snapshots. You can try one of them or use session-fixation-protection='none' in the <http> element.

ceetah · #6 May 29th, 2008, 06:26 AM

thank you thank you thank you!

I used the quick option: session-fixation-protection="none" and it works.
I will look into the others also.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode