  1. atlassian-seraph
  2. SER-92

Session is needlessly created by HttpSecurityWrapper::getUserPrincipal


Details

    • Bug
    • Resolution: Fixed
    • Low
    • 0.8
    • 0.7.23
    • None
    • true

    Description

      In HttpSecurityWrapper::getUserPrincipal, session creation is forced when trying to retrieve the servlet context:

      public Principal getUserPrincipal()
      {
          if (securityConfig == null)
          {
              // request.getSession() is getSession(true): it creates a session when none exists
              securityConfig = (SecurityConfig) request.getSession().getServletContext().getAttribute(SecurityConfig.STORAGE_KEY);
          }

          Principal user = securityConfig.getAuthenticator().getUser(request);
          return user;
      }


      This can interfere with the SecurityFilter, which uses the fact that a session exists to attempt to find a logged-in user. It is also generally bad practice to create a session needlessly.


            People

              christopher.owen@atlassian.com Christopher Owen [Atlassian]
              christopher.owen@atlassian.com Christopher Owen [Atlassian]

              Dates

                Created:
                Updated:
                Resolved:
                16 years, 38 weeks, 4 days ago
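
Added example, not Seraph's code and not the fix that was shipped for this issue: one way to reach a context-scoped object without touching the session is to take the ServletContext from FilterConfig at start-up, and to use getSession(false) wherever the code only needs to know whether a session exists. ExampleSecurityFilter, UserResolver and CONFIG_KEY are hypothetical names, and the javax.servlet API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; ExampleSecurityFilter, UserResolver and CONFIG_KEY are hypothetical names.
public class ExampleSecurityFilter implements Filter {
    static final String CONFIG_KEY = "example.security.config"; // stand-in for a context attribute key

    /** Stand-in for whatever object resolves the user for a request. */
    public interface UserResolver {
        Principal getUser(HttpServletRequest request);
    }

    private ServletContext context;

    public void init(FilterConfig filterConfig) {
        // The container hands over the ServletContext at start-up: no request, no session.
        context = filterConfig.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getSession(false) returns null instead of creating a session.
        boolean hadSession = request.getSession(false) != null;
        chain.doFilter(new Wrapper(request, context), res);
        if (!hadSession && request.getSession(false) != null) {
            // Something downstream created a session during this request; log it for review.
            context.log("session created while handling " + request.getRequestURI());
        }
    }

    public void destroy() { }

    static class Wrapper extends HttpServletRequestWrapper {
        private final ServletContext context;

        Wrapper(HttpServletRequest request, ServletContext context) {
            super(request);
            this.context = context;
        }

        @Override
        public Principal getUserPrincipal() {
            // Context lookup only; the session is never consulted or created here.
            UserResolver resolver = (UserResolver) context.getAttribute(CONFIG_KEY);
            return resolver == null ? null : resolver.getUser((HttpServletRequest) getRequest());
        }
    }
}
```

The log line in doFilter gives a cheap regression signal: a request that arrives without a session and leaves with one shows up in the container log, which is where an unintended getSession() call like the one reported here would surface.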