Hi Daniel,

There is an issue filed here: https://issues.apache.org/jira/browse/JSEC-58

This happens because Spring is calling httpServletRequest.getUserPrincipal() after logout. The JSecurityHttpServletRequest wrapper will just call SecurityUtils.getSubject(), without regard to if logout has been called yet or not. If logout has already been called, SecurityUtils.getSubject().getSession() will create a new session and that shouldn't occur during requests that have already been invalidated. The implementation fix will ensure that, if the subject has logged out or the session has been invalidated, that we'll probably return null in those cases.

On Mon, Feb 16, 2009 at 2:38 PM, Daniel J. Lauk <[email protected]> wrote:

> Hi List.
>
> We're having some trouble with the assume identity stuff I posted about a month ago.
> (I attached the classes enabling this functionality to https://issues.apache.org/jira/browse/JSEC-37)
>
> When we logout on Tomcat or Glassfish (grails' jetty is no problem) an exception occurs.
>
> My best guess is, that the logout invalidates the session. And as my implementation of an assumed identity decorator stores the assumed identity in the session, this seems to upset the servlet container.
> I have the strange feeling that this is related with the "releaseIdentity" not working properly (i.e. the field in the session is empty, but getPrincipal() still returns the assumed identity) and my implementation of getPrincipals.
>
> Any input is highly appreciated!
>
> Kind regards,
> DJ
>
> For completeness' sake, this is the stacktrace:
>
> SEVERE: ApplicationDispatcher[] PWC1231: Servlet.service() for servlet grails threw exception
> java.lang.IllegalStateException: PWC3999: Cannot create a session after the response has been committed
>     at org.apache.catalina.connector.Request.doGetSession(Request.java:2835)
>     at org.apache.catalina.connector.Request.getSession(Request.java:2570)
>     at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:910)
>     at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:227)
>     at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:645)
>     at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:227)
>     at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSession(JSecurityHttpServletRequest.java:143)
>     at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSession(JSecurityHttpServletRequest.java:165)
>     at org.jsecurity.web.session.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:78)
>     at org.jsecurity.session.mgt.AbstractSessionManager.start(AbstractSessionManager.java:62)
>     at org.jsecurity.mgt.SessionsSecurityManager.start(SessionsSecurityManager.java:178)
>     at org.jsecurity.subject.DelegatingSubject.getSession(DelegatingSubject.java:284)
>     at org.jsecurity.subject.DelegatingSubject.getSession(DelegatingSubject.java:272)
>     at org.jsecurity.subject.AbstractSubjectDecorator.getSession(AbstractSubjectDecorator.java:65)
>     at org.jsecurity.subject.AssumeIdentitySubject.getAssumedPrincipal(AssumeIdentitySubject.java:118)
>     at org.jsecurity.subject.AssumeIdentitySubject.getPrincipals(AssumeIdentitySubject.java:142)
>     at org.jsecurity.web.DefaultWebSecurityManager.bind(DefaultWebSecurityManager.java:240)
>     at org.jsecurity.web.DefaultWebSecurityManager.bind(DefaultWebSecurityManager.java:235)
>     at org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:418)
>     at org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:424)
>     at org.jsecurity.SecurityUtils.getSubject(SecurityUtils.java:53)
>     at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSubject(JSecurityHttpServletRequest.java:88)
>     at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getSubjectPrincipal(JSecurityHttpServletRequest.java:93)
>     at org.jsecurity.web.servlet.JSecurityHttpServletRequest.getUserPrincipal(JSecurityHttpServletRequest.java:111)
>     at org.springframework.web.servlet.FrameworkServlet.getUsernameForRequest(FrameworkServlet.java:615)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:596)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
>     at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:431)
>     at org.apache.catalina.core.ApplicationDispatcher.doInvoke(ApplicationDispatcher.java:885)
>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:732)
>     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:554)
>     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:485)
>     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:377)
>     at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:207)
>     at org.codehaus.groovy.grails.web.util.WebUtils.forwardRequestForUrlMappingInfo(WebUtils.java:196)
>     at org.codehaus.groovy.grails.web.mapping.filter.UrlMappingsFilter.doFilterInternal(UrlMappingsFilter.java:129)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
>     at org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.parsePage(GrailsPageFilter.java:122)
>     at org.codehaus.groovy.grails.web.sitemesh.GrailsPageFilter.doFilter(GrailsPageFilter.java:85)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
>     at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
>     at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
>     at org.codehaus.groovy.grails.web.servlet.filter.GrailsReloadServletFilter.doFilterInternal(GrailsReloadServletFilter.java:101)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
>     at org.codehaus.groovy.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:65)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
>     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:250)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:218)
>     at org.apache.catalina.core.StandardWrapperValve.preInvoke(StandardWrapperValve.java:460)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:139)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:186)
>     at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
>     at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
>     at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:96)
>     at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
>     at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
>     at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:651)
>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1030)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:142)
>     at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
>     at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:651)
>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1030)
>     at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:325)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:242)
>     at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:180)
>     at com.sun.grizzly.http.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:633)
>     at com.sun.grizzly.http.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:570)
>     at com.sun.grizzly.http.DefaultProcessorTask.process(DefaultProcessorTask.java:827)
>     at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:152)
>     at com.sun.enterprise.v3.services.impl.GlassfishProtocolChain.executeProtocolFilter(GlassfishProtocolChain.java:71)
>     at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
>     at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
>     at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
>     at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:67)
>     at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:56)
>     at com.sun.grizzly.util.WorkerThreadImpl.processTask(WorkerThreadImpl.java:325)
>     at com.sun.grizzly.util.WorkerThreadImpl.run(WorkerThreadImpl.java:184)
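
The failure mode discussed in this thread, reduced to the servlet session contract, as an added example (not JSecurity's code and not the JSEC-58 fix itself). `FakeRequest` is a hypothetical stand-in that models only `HttpServletRequest.getSession(boolean)`; `eagerPrincipal` and `guardedPrincipal` are illustrative names, and the principal value is constructed.

```java
import java.util.HashMap;
import java.util.Map;

public class LogoutPrincipalDemo {
    // Hypothetical stand-in for the container request; it models only the
    // HttpServletRequest.getSession(boolean) contract.
    static class FakeRequest {
        Map<String, Object> session = new HashMap<>();
        boolean committed = false;

        Map<String, Object> getSession(boolean create) {
            if (session == null && create) {
                if (committed) {
                    throw new IllegalStateException(
                        "Cannot create a session after the response has been committed");
                }
                session = new HashMap<>();
            }
            return session;
        }

        // Logout invalidates the session; the response is then committed (e.g. a redirect).
        void logout() {
            session = null;
            committed = true;
        }
    }

    // Before: the identity lookup always asks for a session, creating one if needed.
    static Object eagerPrincipal(FakeRequest req) {
        return req.getSession(true).get("principal");
    }

    // After: never create a session just to read identity; no session means no principal.
    static Object guardedPrincipal(FakeRequest req) {
        Map<String, Object> s = req.getSession(false);
        return s == null ? null : s.get("principal");
    }

    public static void main(String[] args) {
        FakeRequest req = new FakeRequest();
        req.getSession(true).put("principal", "constructed-user"); // constructed sample value
        req.logout();
        System.out.println("guarded lookup: " + guardedPrincipal(req));
        try {
            eagerPrincipal(req);
        } catch (IllegalStateException e) {
            System.out.println("eager lookup failed: " + e.getMessage());
        }
    }
}
```

Before the response is committed, the eager lookup would not throw; it would silently create a fresh session for a user who has just logged out, which is the behaviour the reply says should not occur.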
