  • Cannot create a session after the response has been committed

    Hello,

    I configured the applicationContext.xml to use X.509 authentication.

    An exception is thrown in SessionFixationProtectionFilter whenever I authenticate for the first time.

    Is this a bug?

    Here is the log:

    19:24:12,640 INFO LoggerListener:84 - Security authorized for authenticated principal: org.springframework.security.providers.anonymous.A [email protected]: Principal: roleAnonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationD [email protected]: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS; secure object: FilterInvocation: URL: /index.jsp; configuration attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
    19:24:20,203 WARN LoggerListener:100 - Security authorization failed due to: org.springframework.security.AccessDeniedException : Access is denied; authenticated principal: org.springframework.security.providers.anonymous.A [email protected]: Principal: roleAnonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationD [email protected]: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS; secure object: FilterInvocation: URL: /novo_contrato.htm; configuration attributes: [ROLE_SUPERVISOR]
    19:24:25,937 WARN LoggerListener:100 - Authentication event AuthenticationSuccessEvent: CLIENTE 1; details: org.springframework.security.ui.WebAuthenticationD [email protected]: RemoteIpAddress: 127.0.0.1; SessionId: 90FC16E8A230EA4B828001722ED59365
    19:24:25,937 WARN LoggerListener:100 - Authentication event InteractiveAuthenticationSuccessEvent: CLIENTE 1; details: org.springframework.security.ui.WebAuthenticationD [email protected]: RemoteIpAddress: 127.0.0.1; SessionId: 90FC16E8A230EA4B828001722ED59365
    19:24:25,937 INFO LoggerListener:84 - Security authorized for authenticated principal: org.springframework.security.providers.preauth.Pre [email protected]: Principal: [email protected] f00: Username: CLIENTE 1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ANONYMOUS, ROLE_SUPERVISOR; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationD [email protected]: RemoteIpAddress: 127.0.0.1; SessionId: 90FC16E8A230EA4B828001722ED59365; Granted Authorities: ROLE_ANONYMOUS, ROLE_SUPERVISOR; secure object: FilterInvocation: URL: /novo_contrato.htm; configuration attributes: [ROLE_SUPERVISOR]

    19:24:26,156 ERROR [crsec]:64 - Servlet.service() for servlet crsec threw exception
    java.lang.IllegalStateException: Cannot create a session after the response has been committed
    at org.apache.catalina.connector.Request.doGetSession(Request.java:2195)
    at org.apache.catalina.connector.Request.getSession(Request.java:2017)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:822)
    at org.springframework.security.util.SessionUtils.startNewSessionIfRequired(SessionUtils.java:56)
    at org.springframework.security.ui.SessionFixationProtectionFilter.startNewSessionIfRequired(SessionFixationProtectionFilter.java:99)
    at org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:68)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:372)
    at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:237)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:372)
    at org.springframework.security.securechannel.ChannelProcessingFilter.doFilterHttp(ChannelProcessingFilter.java:116)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:372)
    at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:174)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:183)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:619)

  • #2
    Here is my configuration

    • #3
      Maybe this happens because the browser switches from HTTP -> HTTPS on the first login?

      • #4
        I guess the response has been committed, so the container cannot create a new session when you go from an unauthenticated to an authenticated state. I've opened an issue to check the response state.

        http://jira.springframework.org/browse/SEC-767

        If you set

        Code:
        <http session-fixation-protection="none">
        then this will prevent it from trying to create a new session.

        • #5
          Thanks!!!!

          • #6
            Originally posted by Luke:
            I guess the response has been committed, so the container cannot create a new session when you go from an unauthenticated to an authenticated state. I've opened an issue to check the response state

            http://jira.springframework.org/browse/SEC-767

            If you set

            Code:
            <http session-fixation-protection="none">
            then this will prevent it from trying to create a new session.
            Luke,

            Is it possible to override some method in SessionFixationProtectionResponseWrapper (like ServletResponse.flushBuffer) to create a new session before the response is committed?

            If possible, that is better than logging a warning.

            Thanks.

            • #7
              That is true. I will look into adding that to the wrapper. This still won't guarantee that you won't get the same error though, depending on your buffer size.
              Last edited by Luke Taylor; Apr 13th, 2008, 04:24 PM.
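The approach raised in #6 and answered in #7, worked through as an added example that is not Spring Security's own wrapper and not code from anyone in this thread. It assumes the Servlet 3.x API and Java 8; the class name `EagerSessionMigrationResponse` and the `authenticatedNow` probe that the caller supplies are both hypothetical. It goes a step beyond the `flushBuffer` hook asked about in #6: the migration check also sits on `getOutputStream`, `getWriter`, `sendRedirect` and `sendError`, because once the application holds the stream or writer the wrapper no longer sees the writes, and the container commits on its own when the buffer fills (the buffer-size caveat in #7). If authentication completes before the application first asks for the output, the new session id is issued while a `Set-Cookie` header can still be sent; if the response is already committed, the wrapper logs rather than letting `getSession(true)` throw the `IllegalStateException` from the first post.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BooleanSupplier;

import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical example (not Spring Security's own wrapper): moves the session
 * to a fresh id the first time the application reaches for the output, so the
 * new session cookie can still be written before the response commits.
 */
public class EagerSessionMigrationResponse extends HttpServletResponseWrapper {

    private final HttpServletRequest request;
    // Assumption: the caller supplies a probe that reports whether the current
    // request is authenticated right now (e.g. read from SecurityContextHolder).
    private final BooleanSupplier authenticatedNow;
    private final boolean authenticatedAtStart;
    private boolean handled;

    public EagerSessionMigrationResponse(HttpServletRequest request,
                                         HttpServletResponse response,
                                         BooleanSupplier authenticatedNow) {
        super(response);
        this.request = request;
        this.authenticatedNow = authenticatedNow;
        // Only the anonymous -> authenticated transition needs a new session id.
        this.authenticatedAtStart = authenticatedNow.getAsBoolean();
    }

    /**
     * Runs at most once per request. Returns true if the session was migrated,
     * false if nothing was needed or the response was already committed.
     */
    public boolean migrateIfRequired() {
        if (handled || authenticatedAtStart || !authenticatedNow.getAsBoolean()) {
            return false;
        }
        handled = true;
        if (isCommitted()) {
            // Headers are already on the wire: getSession(true) would throw
            // "Cannot create a session after the response has been committed".
            request.getServletContext().log("session migration skipped, response "
                    + "already committed for " + request.getRequestURI());
            return false;
        }
        Map<String, Object> attrs = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = names.nextElement();
                attrs.put(name, old.getAttribute(name));
            }
            old.invalidate(); // retire the id the client presented before login
        }
        HttpSession fresh = request.getSession(true); // new id, cookie still sendable
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return true;
    }

    // Every path that produces output or commits the response runs the check
    // first; after these return, later writes bypass the wrapper entirely.
    @Override
    public ServletOutputStream getOutputStream() throws IOException {
        migrateIfRequired();
        return super.getOutputStream();
    }

    @Override
    public PrintWriter getWriter() throws IOException {
        migrateIfRequired();
        return super.getWriter();
    }

    @Override
    public void flushBuffer() throws IOException {
        migrateIfRequired();
        super.flushBuffer();
    }

    @Override
    public void sendRedirect(String location) throws IOException {
        migrateIfRequired();
        super.sendRedirect(location);
    }

    @Override
    public void sendError(int sc, String msg) throws IOException {
        migrateIfRequired();
        super.sendError(sc, msg);
    }
}
```

To use it, a filter placed ahead of the application wraps the response with this class and passes a probe such as `() -> !(SecurityContextHolder.getContext().getAuthentication() instanceof AnonymousAuthenticationToken)`, then calls `migrateIfRequired()` once more after `chain.doFilter` returns, for requests that authenticated but never produced output. The `session-fixation-protection="none"` setting from #4 makes the exception go away by keeping the session id the client presented before login, which is exactly the id the filter exists to retire; the wrapper above keeps the protection and only falls back to logging in the case that cannot be handled.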
