Do not create new session when response is committed (maybe grails specific)
----------------------------------------------------------------------------
Key: JSEC-58
URL: https://issues.apache.org/jira/browse/JSEC-58
Project: JSecurity
Issue Type: Improvement
Environment: grails1.1-SNAPSHOT, grails jsecurity plugin
Reporter: Luis Arias
Attachments: committed_session_rememberme_logout.patch
I experienced an issue with the rememberMe cookie inside grails with the
jsecurity plugin when attempting to log out through
SecurityUtils.getSubject().logout(). If the request carries a rememberMe
cookie but no JSESSIONID, and the response is already committed,
SecurityUtils.getSubject() still tries to create a new session, which causes
the stack trace below in tomcat. Whatever the reason (maybe a grails bug), it
would be better if jsecurity didn't try to create a new session when the
response is committed. I am submitting a simple patch and unit test for this.
I replaced the jsecurity jar in my grails app with the patched jar; the issue
went away and the user is correctly logged out.
[99105] 0-SNAPSHOT].[grails] Servlet.service() for servlet grails threw
exception
java.lang.IllegalStateException: Cannot create a session after the response has
been committed
at
org.apache.catalina.connector.Request.doGetSession(Request.java:2221)
at org.apache.catalina.connector.Request.getSession(Request.java:2031)
at
org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:832)
at
javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
at
org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:545)
at
javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
at
org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSession(JSecurityHttpServletRequest.java:143)
at
org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSession(JSecurityHttpServletRequest.java:165)
at
org.jsecurity.web.session.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:78)
at
org.jsecurity.session.mgt.AbstractSessionManager.start(AbstractSessionManager.java:62)
at
org.jsecurity.mgt.SessionsSecurityManager.start(SessionsSecurityManager.java:178)
at
org.jsecurity.subject.DelegatingSubject.getSession(DelegatingSubject.java:284)
at
org.jsecurity.subject.DelegatingSubject.getSession(DelegatingSubject.java:272)
at
org.jsecurity.web.DefaultWebSecurityManager.bind(DefaultWebSecurityManager.java:242)
at
org.jsecurity.web.DefaultWebSecurityManager.bind(DefaultWebSecurityManager.java:235)
at
org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:418)
at
org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:424)
at org.jsecurity.SecurityUtils.getSubject(SecurityUtils.java:53)
at
org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSubject(JSecurityHttpServletRequest.java:88)
at
org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSubjectPrincipal(JSecurityHttpServletRequest.java:93)
at
org.jsecurity.web.servlet.JSecurityHttpServletRequest.getUserPrincipal(JSecurityHttpServletRequest.java:111)
at
org.springframework.web.servlet.FrameworkServlet.getUsernameForRequest(FrameworkServlet.java:615)
at
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:596)
at
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:627)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at
org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:679)
at
org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:461)
at
org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:399)
at
org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
at
org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:231)
at
org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:208)
at
org.codehaus.groovy.grails.web.mapping.filter.UrlMappingsFilter.doFilterInternal(UrlMappingsFilter.java:165)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at
org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.parsePage(GrailsPageFilter.java:122)
at
org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.doFilter(GrailsPageFilter.java:85)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at
org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
at
org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at
org.codehaus.groovy.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:65)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at
com.balsamiq.tomcat.CrossSubdomainSessionValve.invoke(CrossSubdomainSessionValve.java:94)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:636)