
Prevent Save @Transient Authentication with existing HttpSession #9993

Closed

Conversation

@rwinch rwinch commented Jun 23, 2021

Previously, @Transient Authentication would get saved if an existing
HttpSession existed but it shouldn't.

This commit always prevents @Transient Authentication from being saved.

Closes gh-9992

@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: bug A general bug labels Jun 23, 2021
@rwinch rwinch added this to the 5.6.0-M1 milestone Jun 23, 2021
@rwinch rwinch requested a review from jzheaux June 23, 2021 19:31
@jzheaux jzheaux left a comment

Looks good, @rwinch. I left a polish suggestion inline.

@rwinch rwinch force-pushed the gh-9992-transient-with-session branch from 2c01e41 to 87f38d8 June 28, 2021 21:19
@eleftherias eleftherias modified the milestones: 5.6.0-M1, 5.6.0-M2 Jul 19, 2021
@rwinch rwinch modified the milestones: 5.6.0-M2, 5.6.0-M3 Aug 16, 2021
@sjohnr sjohnr modified the milestones: 5.6.0-M3, 5.6.0-RC1 Sep 20, 2021
@rwinch rwinch modified the milestones: 5.6.0-RC1, 5.6.0 Oct 19, 2021
@rwinch rwinch modified the milestones: 5.6.0, 5.7.0-M1 Nov 12, 2021
rwinch commented Nov 16, 2021

Merged via 96a6fef

jawherallani commented Jul 28, 2022

This breaks my app when I switched from 5.6.6 to 5.7, as JwtAuthenticationToken, which has @transient, is being used.
The regular flow with 5.6.6:

  • request A (websocket handshake) is fired, no http session yet, it fails and will retry
  • api request B includes a bearer token in the headers, JwtAuthenticationToken authentication takes place and is then used to attach the SecurityContext to the http session as the SPRING_SECURITY_CONTEXT attribute.
  • request A, being retried, uses the http session to get the SecurityContext that was just saved and so is authenticated.

This flow breaks because of the isTransient method now.

Is there something wrong with this flow? And why should @transient Authentication be prevented from being saved? Any suggestions?
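An added example (not Spring Security's own code, and not a reconstruction of its source) that shows the rule this PR enforces and why the flow above stops working after it: an Authentication whose class carries @Transient is never written to the HttpSession, whether or not a session already exists. The BearerAuthentication type and the two wouldSave* helpers are hypothetical; the "before" helper models only what the PR description states (saved when a session already existed).

```java
import java.util.Collection;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.Transient;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example, not Spring Security's own code; the types and helpers below are hypothetical.
public class TransientSaveCheck {

    /** Hypothetical bearer-token Authentication, marked @Transient like JwtAuthenticationToken. */
    @Transient
    static final class BearerAuthentication extends AbstractAuthenticationToken {
        private final String subject;

        BearerAuthentication(String subject, Collection<? extends GrantedAuthority> authorities) {
            super(authorities);
            this.subject = subject;
            setAuthenticated(true);
        }

        @Override public Object getCredentials() { return null; } // validated token is not retained
        @Override public Object getPrincipal() { return subject; }
    }

    /** True when the Authentication's class (or a superclass) carries @Transient. */
    static boolean isTransient(Authentication authentication) {
        return authentication != null
                && AnnotationUtils.findAnnotation(authentication.getClass(), Transient.class) != null;
    }

    /** Before the fix, as the PR describes it: the @Transient check did not apply once a session existed. */
    static boolean wouldSaveBeforeFix(Authentication auth, boolean sessionExists) {
        return sessionExists ? auth != null : auth != null && !isTransient(auth);
    }

    /** After the fix: a @Transient Authentication is never written to the session. */
    static boolean wouldSaveAfterFix(Authentication auth, boolean sessionExists) {
        return auth != null && !isTransient(auth);
    }

    public static void main(String[] args) {
        Authentication bearer = new BearerAuthentication("alice", AuthorityUtils.createAuthorityList("ROLE_USER"));
        System.out.println("session exists, before fix: " + wouldSaveBeforeFix(bearer, true));
        System.out.println("session exists, after fix:  " + wouldSaveAfterFix(bearer, true));
    }
}
```

With a session present, the "before" helper reports the transient token as saved and the "after" helper does not, which is exactly the change a flow that re-reads SPRING_SECURITY_CONTEXT from the session will notice.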

doba16 pushed a commit to doba16/spring-authorization-server that referenced this pull request Apr 21, 2023
BlueDream0911 pushed a commit to BlueDream0911/spring-authorization-server that referenced this pull request Sep 13, 2024
BlueDream0911 added a commit to BlueDream0911/spring-authorization-server that referenced this pull request Sep 14, 2024
Successfully merging this pull request may close these issues.

HttpSecurityContextRepository saves @Transient Authentication if HttpSession already exists