2 opened tabs: after login, Spring does not redirect to the 'protected resource'

  • 2 opened tabs: after login, Spring does not redirect to the 'protected resource'

    I have the simplest web-app, containing a single servlet, that is protected by Spring Security. When I try to reach it, I am redirected to the Spring's default login page. Till here everything works great.

    The problem starts when I open 2 tabs in the browser, and from both I try to get to my servlet. In both tabs I get the user/password login screen (expected). On one of them I enter my credentials correctly, and am redirected back to the servlet (perfect). When I enter my creds (correctly) on the 2nd tab, I am redirected to the root of the app (instead of to the servlet), and of course I get error 404.

    Am I missing something? Or is it a bug? If it is - then is there an opened Jira on it? When I try the behavior of Google/Facebook/etc (even the SpringSource forum) - they work well on the same scenario.

    EDIT

    In the docs (SavedRequests and the RequestCache Interface), they talk about the ExceptionTranslationFilter's job to cache the current request before invoking the AuthenticationEntryPoint. This allows the request to be restored - by the SavedRequestAwareAuthenticationSuccessHandler in my case, which is the default - but I've noted another evil filter: RequestCacheAwareFilter.
    AFTER the redirection to the original request, I saw that RequestCacheAwareFilter is invoked by the chain, and it calls 'getMachineRequest()', which gets the request and then removes it from the cache! Then, when the second authentication succeeds (from the 2nd tab), there is no URL in the cache, so Spring does not know where to redirect me to. So this is the root cause of the problem.

    Can someone tell me why we need this Filter? Is it necessary? If not - how can I get rid of it?

    EDIT -2-
    I've found out that this issue was born due to this jira:
    SEC-1241: SavedRequest not destroyed after successful authentication

    Thnx in advance.
    Last edited by OhadR; Dec 22nd, 2012, 02:26 PM. Reason: after research - RequestCacheAwareFilter is the problem!
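
The two-tab sequence described in the post above, as an added example that is not part of the original post and not Spring Security's own code. It is a plain-Java model with hypothetical class, method and attribute names, and it assumes one saved-request slot per session and a default target URL of "/" (the app root the poster lands on).

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the flow described in the post; names are hypothetical.
public class TwoTabLoginModel {
    static final String SAVED_REQUEST = "SAVED_REQUEST"; // assumed: one slot per session
    static final String DEFAULT_TARGET_URL = "/";         // fallback when nothing is cached

    // Both tabs send the same session cookie, so they share this one map.
    final Map<String, Object> session = new HashMap<>();

    // Request for a protected URL, as seen by the filter chain.
    String requestProtected(String url) {
        if (!session.containsKey("USER")) {
            // Unauthenticated: cache the request, then send the login page.
            session.put(SAVED_REQUEST, url);
            return "/login";
        }
        // Models the RequestCacheAwareFilter step from the post: a request
        // that matches the cached one consumes (removes) the cache entry.
        if (url.equals(session.get(SAVED_REQUEST))) {
            session.remove(SAVED_REQUEST);
        }
        return url;
    }

    // Successful login: redirect to the cached URL, or to the default target.
    String login(String user) {
        session.put("USER", user);
        Object saved = session.get(SAVED_REQUEST);
        return saved != null ? (String) saved : DEFAULT_TARGET_URL;
    }

    public static void main(String[] args) {
        TwoTabLoginModel app = new TwoTabLoginModel();
        System.out.println("tab1 GET /servlet     -> " + app.requestProtected("/servlet"));
        System.out.println("tab2 GET /servlet     -> " + app.requestProtected("/servlet"));
        String redirect = app.login("user");
        System.out.println("tab1 login redirect   -> " + redirect);
        System.out.println("tab1 follows redirect -> " + app.requestProtected(redirect));
        // The slot is now empty, so the second login falls back to the default target.
        System.out.println("tab2 login redirect   -> " + app.login("user"));
    }
}
```

In this model the second login only lands on a 404 because the default target does not map to a page; pointing the fallback at a URL the application actually serves removes the symptom without keeping saved requests alive after use.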

  • #2
    anyone?
    please advise ...
