[SEC-3070] Logout invalidate-session=false and Spring Session doesn't work
Created: 12/Aug/15 Updated: 06/Feb/16 Resolved: 20/Oct/15
Status: Closed
Project: Spring Security
Component/s: Web
Affects Version/s: None
Fix Version/s: 3.2.9, 4.0.3, 4.1.0 M1
Type: Bug
Reporter: Rob Winch
Resolution: Fixed
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Priority: Major
Assignee: Rob Winch
Votes: 0
Attachments: sample.zip
Reference URL: http://stackoverflow.com/questions/31977395/logout-user-in-spring-sessionredis-and-spring-security-without-invalidating-s
Description
The problem is that HttpSessionSecurityContextRepository only removes the SecurityContext from the session when the context object at the end of the request differs from the one loaded at the start of the request:

    if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
        // SEC-1587 A non-anonymous context may still be in the session
        // SEC-1735 remove if the contextBeforeExecution was not anonymous
        httpSession.removeAttribute(springSecurityContextKey);
    }

When using SecurityContextHolder.getContext().setAuthentication(null), the same SecurityContext object is mutated in place, so contextObject.equals(contextBeforeExecution) returns true and the attribute is not removed from the session.
In a default servlet environment this goes unnoticed because the HttpSession is stored in memory: setAuthentication(null) mutates the very object held by the HttpSession, so the session no longer carries an Authentication.
In Spring Session (or any other external HttpSession implementation) the session is stored externally, so the stored copy is only updated when setAttribute (or removeAttribute) is called. The Authentication therefore stays in the external store and the user is not logged out.
A workaround is to invoke:
    SecurityContextHolder.clearContext();
*NOTE* The invocation of setAuthentication(null) is unnecessary to log out when using the standard Servlet HttpSession. This is invoked to work around and . We will need to account for the Authentication being removed as well.
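The following is an added example, not code from the report or from Spring Security. It shows the broken manual logout beside the working one in a Spring MVC controller, assuming Spring Security 3.2.x/4.0.x; the class name, the /logout and /logout-broken mappings and the "app.userProfile" attribute are hypothetical.

```java
// Added example, not code from SEC-3070 or from Spring Security itself.
// Assumes Spring Security 3.2.x/4.0.x with Spring MVC; the class name, the
// request mappings and the "app.userProfile" attribute are hypothetical.
package example;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class ManualLogoutController {

    /*
     * BROKEN when the HttpSession is backed by Spring Session or any other
     * external store. getContext() returns the SecurityContext that was loaded
     * from the session at the start of the request; nulling its Authentication
     * mutates that same object, so at the end of the request
     * contextObject.equals(contextBeforeExecution) is true and
     * HttpSessionSecurityContextRepository never calls
     * removeAttribute(springSecurityContextKey). With an in-memory HttpSession
     * the mutated object is the stored object, so it looks logged out; with an
     * external store the serialized copy still carries the Authentication.
     */
    @RequestMapping(value = "/logout-broken", method = RequestMethod.POST)
    public String logoutBroken(HttpServletRequest request) {
        SecurityContextHolder.getContext().setAuthentication(null);
        return "redirect:/login?logout";
    }

    /*
     * WORKS with both in-memory and external sessions. clearContext() replaces
     * the thread-local SecurityContext with a fresh empty one, so contextObject
     * no longer equals contextBeforeExecution, the repository removes the
     * attribute from the session, and Spring Session persists that removal.
     * The HttpSession itself is kept, the same effect as
     * <logout invalidate-session="false"/>.
     */
    @RequestMapping(value = "/logout", method = RequestMethod.POST)
    public String logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Because the session survives, application state that identifies
            // the user must be removed explicitly (attribute name hypothetical).
            session.removeAttribute("app.userProfile");
        }
        SecurityContextHolder.clearContext();
        return "redirect:/login?logout";
    }
}
```

The redirect matters: HttpSessionSecurityContextRepository wraps the response so that sendRedirect triggers saveContext, which is where the comparison against contextBeforeExecution and the removeAttribute call happen. Whichever endpoint is used, the check to run against an externally stored session is to log out and then inspect the stored session entry: with the broken variant the SPRING_SECURITY_CONTEXT attribute is still present in the store, with clearContext() it is gone.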
Comments
Comment by Ninad Divadkar [ 13/Aug/15 ]
Thanks for the answer. In production this should be fine. However, on our dev boxes Spring Session is disabled. So not calling 'SecurityContextHolder.getContext().setAuthentication(null)' will cause issues? I guess a workaround will be to only call the function if Spring Session is disabled.
Comment by Rob Winch [ 13/Aug/15 ]
Invoking the following will work with both scenarios.
SecurityContextHolder.clearContext()
Comment by Ninad Divadkar [ 13/Aug/15 ]
Tried that, and although it works for spring-session, if I'm not using spring-session then the user is not removed from the context. I need to call setAuthentication(null) to get the user logged out.
I'm using spring-security-core-3.2.7.RELEASE
Comment by Rob Winch [ 13/Aug/15 ]
I posted a sample that demonstrates that SecurityContextHolder.clearContext() will work without Spring Session. To try it with Spring Session, uncomment the springSessionRepositoryFilter mapping in the web.xml.
Comment by Spring Issuemaster [ 06/Feb/16 ]
This issue has been migrated to https://github.com/spring-projects/spring-security/issues/3273
Generated at Tue Feb 09 12:46:45 UTC 2016 using JIRA 6.4.11#64026sha1:78f6ec473a3f058bd5d6c30e9319c7ab376bdb9c.