Posted to dev@shiro.apache.org by "Alan Cabrera (JIRA)" <ji...@apache.org> on 2009/03/06 14:59:57 UTC

[jira] Moved: (KI-65) Do not create new session when response is committed (maybe grails specific)

     [ https://issues.apache.org/jira/browse/KI-65?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alan Cabrera moved JSEC-58 to KI-65:
------------------------------------

        Fix Version/s:     (was: 1.0)
          Component/s:     (was: Web)
                           (was: Session Management)
    Affects Version/s:     (was: 0.9)
                  Key: KI-65  (was: JSEC-58)
              Project: Ki  (was: JSecurity)

> Do not create new session when response is committed (maybe grails specific)
> ----------------------------------------------------------------------------
>
>                 Key: KI-65
>                 URL: https://issues.apache.org/jira/browse/KI-65
>             Project: Ki
>          Issue Type: Improvement
>         Environment: grails1.1-SNAPSHOT, grails jsecurity plugin
>            Reporter: Luis Arias
>            Assignee: Les Hazlewood
>         Attachments: committed_session_rememberme_logout.patch
>
>
> I experienced an issue with the rememberMe cookie inside grails with the jsecurity plugin when attempting to log out through SecurityUtils.getSubject().logout(). If the request has no JSESSIONID but does have a rememberMe cookie, and the response is already committed, SecurityUtils.getSubject() still tries to create a new session, which causes the following stack trace in Tomcat. Whatever the reason (maybe a grails bug), it would be better if jsecurity didn't try to create a new session once the response is committed. I am submitting a simple patch and unit test for this. I replaced the jsecurity jar in my grails app with the patched jar; the issue went away and the user is correctly logged out.
> [99105] 0-SNAPSHOT].[grails] Servlet.service() for servlet grails threw exception
> java.lang.IllegalStateException: Cannot create a session after the response has been committed
> 	at org.apache.catalina.connector.Request.doGetSession(Request.java:2221)
> 	at org.apache.catalina.connector.Request.getSession(Request.java:2031)
> 	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:832)
> 	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
> 	at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:545)
> 	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
> 	at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSession(JSecurityHttpServletRequest.java:143)
> 	at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSession(JSecurityHttpServletRequest.java:165)
> 	at org.jsecurity.web.session.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:78)
> 	at org.jsecurity.session.mgt.AbstractSessionManager.start(AbstractSessionManager.java:62)
> 	at org.jsecurity.mgt.SessionsSecurityManager.start(SessionsSecurityManager.java:178)
> 	at org.jsecurity.subject.DelegatingSubject.getSession(DelegatingSubject.java:284)
> 	at org.jsecurity.subject.DelegatingSubject.getSession(DelegatingSubject.java:272)
> 	at org.jsecurity.web.DefaultWebSecurityManager.bind(DefaultWebSecurityManager.java:242)
> 	at org.jsecurity.web.DefaultWebSecurityManager.bind(DefaultWebSecurityManager.java:235)
> 	at org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:418)
> 	at org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:424)
> 	at org.jsecurity.SecurityUtils.getSubject(SecurityUtils.java:53)
> 	at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSubject(JSecurityHttpServletRequest.java:88)
> 	at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSubjectPrincipal(JSecurityHttpServletRequest.java:93)
> 	at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getUserPrincipal(JSecurityHttpServletRequest.java:111)
> 	at org.springframework.web.servlet.FrameworkServlet.getUsernameForRequest(FrameworkServlet.java:615)
> 	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:596)
> 	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:627)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> 	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:679)
> 	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:461)
> 	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:399)
> 	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
> 	at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:231)
> 	at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:208)
> 	at org.codehaus.groovy.grails.web.mapping.filter.UrlMappingsFilter.doFilterInternal(UrlMappingsFilter.java:165)
> 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> 	at org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.parsePage(GrailsPageFilter.java:122)
> 	at org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.doFilter(GrailsPageFilter.java:85)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> 	at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
> 	at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> 	at org.codehaus.groovy.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:65)
> 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> 	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
> 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
> 	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
> 	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> 	at com.balsamiq.tomcat.CrossSubdomainSessionValve.invoke(CrossSubdomainSessionValve.java:94)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
> 	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
> 	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
> 	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
> 	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
> 	at java.lang.Thread.run(Thread.java:636)
