spring-security

Spring Security

java framework spring spring-framework security

Tree: 83f1d76c16

Rob Winch 5f9dfb73be SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked Previously Spring Security would disable automatically saving the SecurityContext when the Thread was different than the Thread that created the SaveContextOnUpdateOrErrorResponseWrapper. This worked for many cases, but could cause issues when a timeout occurred. The problem is that a Thread can be reused to process the timeout since the Threads are pooled. This means that a timeout of a request trigger an apparent logout as described in the following workflow: - The SecurityContext was established on the SecurityContextHolder - An Async request was made - The SecurityContextHolder would be cleared out - The Async request times out - The Async request would be dispatched back to the container upon timing out. If the container reused the same Thread to process the timeout as the original request, Spring Security would attempt to save the SecurityContext when the response was committed. Since the SecurityContextHolder was still cleared out it removes the SecurityContext from the HttpSession Spring Security will now prevent the SecurityContext from automatically being saved when the response is committed as soon as HttpServletRequest#startAsync() or ServletRequest#startAsync(ServletRequest,ServletResponse) is called.	13 years ago
..
main/java/org/springframework/security/web	SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked	13 years ago
test	SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked	13 years ago

Rob Winch 5f9dfb73be SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked

Previously Spring Security would disable automatically saving the
SecurityContext when the Thread was different than the Thread that
created the SaveContextOnUpdateOrErrorResponseWrapper. This worked for
many cases, but could cause issues when a timeout occurred. The problem
is that a Thread can be reused to process the timeout since the Threads
are pooled. This means that a timeout of a request trigger an apparent
logout as described in the following workflow:

  - The SecurityContext was established on the SecurityContextHolder
  - An Async request was made
  - The SecurityContextHolder would be cleared out
  - The Async request times out
  - The Async request would be dispatched back to the container upon
    timing out. If the container reused the same Thread to process the
    timeout as the original request, Spring Security would attempt to
    save the SecurityContext when the response was committed. Since the
    SecurityContextHolder was still cleared out it removes the
    SecurityContext from the HttpSession

Spring Security will now prevent the SecurityContext from automatically
being saved when the response is committed as soon as
HttpServletRequest#startAsync() or
ServletRequest#startAsync(ServletRequest,ServletResponse) is called.

13 years ago

main/java/org/springframework/security/web

SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked

13 years ago

test

SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked

13 years ago