BlazeDS and Spring Session Fixation
i'm trying flex client talk spring application, seem having problems spring session-fixation-protection option.
if, in spring security:http settings, leave session-fixation-protection default value, understanding should create new session when authentication occurs, , migrate attributes original session new one. however, intermittent errors this:
[java] [blazeds] flexsession id '19423d12b4cb9513ce49304b26fcb504' http-based client connection has been invalidated.
[java] [blazeds] cannot create session after response has been committed
[java] java.lang.illegalstateexception: cannot create session after response has been committed
[java] @ org.apache.catalina.connector.request.dogetsession(request.java:2214)
[java] @ org.apache.catalina.connector.request.getsession(request.java:2024)
[java] @ org.apache.catalina.connector.requestfacade.getsession(requestfacade.java:831)
[java] @ javax.servlet.http.httpservletrequestwrapper.getsession(httpservletrequestwrapper.java:21 5)
[java] @ org.springframework.security.util.sessionutils.startnewsessionifrequired(sessionutils.jav a:56)
[java] @ org.springframework.security.ui.sessionfixationprotectionfilter.startnewsessionifrequired (sessionfixationprotectionfilter.java:106)
[java] @ org.springframework.security.ui.sessionfixationprotectionfilter$sessionfixationprotection responsewrapper.startnewsession(sessionfixationprotectionfilter.java:166)
[java] @ org.springframework.security.ui.sessionfixationprotectionfilter$sessionfixationprotection responsewrapper.flushbuffer(sessionfixationprotectionfilter.java:155)
[java] @ flex.messaging.endpoints.basehttpendpoint.service(basehttpendpoint.java:293)
[java] @ flex.messaging.messagebrokerservlet.service(messagebrokerservlet.java:377)
[.....]
if set session-fixation-protection "none" seems work ok (except have no protection against session fixation attacks, obviously).
has else come across this, chance?
-chrisl
if, in spring security:http settings, leave session-fixation-protection default value, understanding should create new session when authentication occurs, , migrate attributes original session new one. however, intermittent errors this:
[java] [blazeds] flexsession id '19423d12b4cb9513ce49304b26fcb504' http-based client connection has been invalidated.
[java] [blazeds] cannot create session after response has been committed
[java] java.lang.illegalstateexception: cannot create session after response has been committed
[java] @ org.apache.catalina.connector.request.dogetsession(request.java:2214)
[java] @ org.apache.catalina.connector.request.getsession(request.java:2024)
[java] @ org.apache.catalina.connector.requestfacade.getsession(requestfacade.java:831)
[java] @ javax.servlet.http.httpservletrequestwrapper.getsession(httpservletrequestwrapper.java:21 5)
[java] @ org.springframework.security.util.sessionutils.startnewsessionifrequired(sessionutils.jav a:56)
[java] @ org.springframework.security.ui.sessionfixationprotectionfilter.startnewsessionifrequired (sessionfixationprotectionfilter.java:106)
[java] @ org.springframework.security.ui.sessionfixationprotectionfilter$sessionfixationprotection responsewrapper.startnewsession(sessionfixationprotectionfilter.java:166)
[java] @ org.springframework.security.ui.sessionfixationprotectionfilter$sessionfixationprotection responsewrapper.flushbuffer(sessionfixationprotectionfilter.java:155)
[java] @ flex.messaging.endpoints.basehttpendpoint.service(basehttpendpoint.java:293)
[java] @ flex.messaging.messagebrokerservlet.service(messagebrokerservlet.java:377)
[.....]
if set session-fixation-protection "none" seems work ok (except have no protection against session fixation attacks, obviously).
has else come across this, chance?
-chrisl
More discussions in Configuration and Getting Started
adobe
Comments
Post a Comment