Thanks Les -- I appreciate this. I took a look at this a couple of weeks ago and it wasn't clear to me how to apply the changes to the refactored code.

Brad


Les Hazlewood wrote:
Hi Brad - gimme a bit - I think I can commit a solution for that sometime today (might be late tonight though).

Cheers,

Les

On Thu, Feb 19, 2009 at 11:44 AM, Brad Whitaker <[email protected]> wrote:

    Yes, I have been building from apache hosted subversion. Are you
    referring to the 0.9.0 zip from sourceforge?

    I decided to use subversion because I'm running my WAR as ROOT and
    need the fix for JSEC-34. (At least I think I do.)



    Daniel J. Lauk wrote:
    Did you try to build from subversion?
    I did not find tags on the subversion tree, so I download the zipped package.

    Cheers,
    DJ

    2009/2/19 Brad Whitaker <[email protected]>:
    I was unable to apply this patch. The source files seem to have changed
    significantly. How were you able to do this?

    Daniel J. Lauk wrote:

    Hi there.

    I'm back and have good news: With the patch applied the logout is
    working just fine.

    Thanks a lot, Les!

    Kind regards,
    DJ

    2009/2/18 Daniel J. Lauk <[email protected]>:


    Hi Les,

    thank you very much for pointing this out.
    I'll try my luck with the patch there and report the results later.

    Cheers,
    DJ

    2009/2/18 Les Hazlewood <[email protected]>:


    Hi Daniel,

    There is an issue filed here:  https://issues.apache.org/jira/browse/JSEC-58

    This happens because Spring is calling httpServletRequest.getUserPrincipal()
    after logout.  The JSecurityHttpServletRequest wrapper will just call
    SecurityUtils.getSubject(), without regard to if logout has been called yet
    or not.  If logout has already been called,
    SecurityUtils.getSubject().getSession() will create a new session and that
    shouldn't occur during requests that have already been invalidated.

    The implementation fix will ensure that, if the subject has logged out or
    the session has been invalidated, that we'll probably return null in those
    cases.

    On Mon, Feb 16, 2009 at 2:38 PM, Daniel J. Lauk <[email protected]> wrote:


    Hi List.

    We're having some trouble with the assume identity stuff I posted
    about a month ago.
    (I attached the classes enabling this functionality to
    https://issues.apache.org/jira/browse/JSEC-37)

    When we logout on Tomcat or Glassfish (grails' jetty is no problem) an
    exception occurs.

    My best guess is, that the logout invalidates the session. And as my
    implementation of an assumed identity decorator stores the assumed
    identity in the session, this seems to upset the servlet container.
    I have the strange feeling that this is related with the
    "releaseIdentity" not working properly (i.e. the field in the session
    is empty, but getPrincipal() still returns the assumed identity) and
    my implementation of getPrincipals.

    Any input is highly appreciated!

    Kind regards,
    DJ

    For completeness' sake, this is the stacktrace:

    SEVERE: ApplicationDispatcher[] PWC1231: Servlet.service() for servlet grails threw exception
    java.lang.IllegalStateException: PWC3999: Cannot create a session after the response has been committed
       at org.apache.catalina.connector.Request.doGetSession(Request.java:2835)
       at org.apache.catalina.connector.Request.getSession(Request.java:2570)
       at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:910)
       at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:227)
       at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:645)
       at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:227)
       at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSession(JSecurityHttpServletRequest.java:143)
       at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSession(JSecurityHttpServletRequest.java:165)
       at org.jsecurity.web.session.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:78)
       at org.jsecurity.session.mgt.AbstractSessionManager.start(AbstractSessionManager.java:62)
       at org.jsecurity.mgt.SessionsSecurityManager.start(SessionsSecurityManager.java:178)
       at org.jsecurity.subject.DelegatingSubject.getSession(DelegatingSubject.java:284)
       at org.jsecurity.subject.DelegatingSubject.getSession(DelegatingSubject.java:272)
       at org.jsecurity.subject.AbstractSubjectDecorator.getSession(AbstractSubjectDecorator.java:65)
       at org.jsecurity.subject.AssumeIdentitySubject.getAssumedPrincipal(AssumeIdentitySubject.java:118)
       at org.jsecurity.subject.AssumeIdentitySubject.getPrincipals(AssumeIdentitySubject.java:142)
       at org.jsecurity.web.DefaultWebSecurityManager.bind(DefaultWebSecurityManager.java:240)
       at org.jsecurity.web.DefaultWebSecurityManager.bind(DefaultWebSecurityManager.java:235)
       at org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:418)
       at org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:424)
       at org.jsecurity.SecurityUtils.getSubject(SecurityUtils.java:53)
       at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSubject(JSecurityHttpServletRequest.java:88)
       at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSubjectPrincipal(JSecurityHttpServletRequest.java:93)
       at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getUserPrincipal(JSecurityHttpServletRequest.java:111)
       at org.springframework.web.servlet.FrameworkServlet.getUsernameForRequest(FrameworkServlet.java:615)
       at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:596)
       at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:431)
       at org.apache.catalina.core.ApplicationDispatcher.doInvoke(ApplicationDispatcher.java:885)
       at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:732)
       at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:554)
       at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:485)
       at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:377)
       at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:207)
       at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:196)
       at org.codehaus.groovy.grails.web.mapping.filter.UrlMappingsFilter.doFilterInternal(UrlMappingsFilter.java:129)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
       at org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.parsePage(GrailsPageFilter.java:122)
       at org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.doFilter(GrailsPageFilter.java:85)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
       at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
       at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
       at org.codehaus.groovy.grails.web.servlet.filter.GrailsReloadServletFilter.doFilterInternal(GrailsReloadServletFilter.java:101)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
       at org.codehaus.groovy.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:65)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
       at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
       at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
       at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
       at org.apache.catalina.core.StandardWrapperValve.preInvoke(StandardWrapperValve.java:460)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:139)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:186)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
       at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:96)
       at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:651)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1030)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:142)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
       at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:651)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1030)
       at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:325)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:242)
       at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:180)
       at com.sun.grizzly.http.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:633)
       at com.sun.grizzly.http.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:570)
       at com.sun.grizzly.http.DefaultProcessorTask.process(DefaultProcessorTask.java:827)
       at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:152)
       at com.sun.enterprise.v3.services.impl.GlassfishProtocolChain.executeProtocolFilter(GlassfishProtocolChain.java:71)
       at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
       at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
       at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
       at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:67)
       at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:56)
       at com.sun.grizzly.util.WorkerThreadImpl.processTask(WorkerThreadImpl.java:325)
       at com.sun.grizzly.util.WorkerThreadImpl.run(WorkerThreadImpl.java:184)
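
Added example, not part of the original thread and not JSecurity's code or the JSEC-58 patch: a request wrapper whose getUserPrincipal() only reads an existing session, so a framework call made after logout gets null instead of triggering session creation on a committed response. The class name LogoutSafeRequest and the attribute name are hypothetical; only the standard javax.servlet API is used.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/** Hypothetical wrapper: identity lookups are read-only with respect to the session. */
public class LogoutSafeRequest extends HttpServletRequestWrapper {

    // Assumed name of the session attribute under which the application
    // stores the (possibly assumed) identity; not a JSecurity constant.
    static final String PRINCIPAL_ATTR = "example.currentPrincipal";

    public LogoutSafeRequest(HttpServletRequest request) {
        super(request);
    }

    @Override
    public Principal getUserPrincipal() {
        // getSession(false) returns null when there is no valid session,
        // instead of creating one. After logout has invalidated the session
        // this is the path taken, so nothing is created late in the request.
        HttpSession session = getSession(false);
        if (session == null) {
            return null;
        }
        try {
            Object value = session.getAttribute(PRINCIPAL_ATTR);
            return (value instanceof Principal) ? (Principal) value : null;
        } catch (IllegalStateException invalidated) {
            // The session was invalidated between the two calls (for example
            // by logout on another thread): treat the caller as anonymous.
            return null;
        }
    }

    @Override
    public String getRemoteUser() {
        // Keep getRemoteUser() consistent with getUserPrincipal() so callers
        // cannot observe a stale name after logout.
        Principal principal = getUserPrincipal();
        return principal == null ? null : principal.getName();
    }
}
```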








