Announcement Announcement Module
Collapse
No announcement yet.
Has anyone come up with a SEC-1998 workaround ? Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Has anyone come up with a SEC-1998 workaround ?

    Hi All,

    We are getting bit by this bug when DWR requests hit the security:filter-chain and the httpSessionContextIntegrationFilter cannot find the SPRING_SECURITY_CONTEXT_KEY attribute in the session for a given thread because the Authentication object is either null or is Anonymous (when we are requiring ROLE_ADMINISTRATOR or ROLE_USER):

    Code:
    DEBUG HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper saveContext SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    Here is a related issue:

    https://jira.springsource.org/browse/SEC-2067

    I was wondering how others had approached this problem.

    Thanks,
    KW
    Last edited by kwest; Nov 9th, 2012, 03:31 PM.

  • #2
    It depends on what exactly is causing your issue. If you are spawning your own threads to process the request/response you will likely need to ensure to propagate the SecurityContext to the new Thread. You can see an example of async support in the security branch of my fork of spring-mvc-showcase that uses Spring Security 3.2.0.BUILD-SNAPSHOT. If you want to use the async support demoed you can look at this commit.

    Comment

    Working...
    X