Spring Security - After logout able to access application

 
Greenhorn
Posts: 2
Hi All,

We are using spring-security 3.1.2. The issue is this: someone is logged in and requests something (assume it's a heavy request that takes a long time to serve), and meanwhile he logs out from another tab. After the original request is served, he is able to use the application as if he were logged in to the application.

I debugged it and found that the problem lies with the thread-local implementation of SecurityContextHolderStrategy (ThreadLocalSecurityContextHolderStrategy).
So basically, if the user logs out, his logged-in session is invalidated, but when the original request is served, a new session is created and Spring Security populates the securityContext from ThreadLocalSecurityContextHolderStrategy into the new session.


Please help: are we doing something wrong, or do we need to write a custom SecurityContextHolderStrategy implementation?

Thanks for any help.
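
The sequence described in the post above, replayed as an added example that is not part of the original thread and is not Spring Security's code. It is a plain-Java model (the names `sessions`, `saveContext` and `authSurvivesLogout` are hypothetical) comparing an end-of-request save that writes into whatever session exists with one that refuses when the session is no longer the one the context was loaded from.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model of the race, not Spring Security code.
public class LogoutRaceDemo {
    // Session store: session id -> attributes (stands in for the container).
    static final Map<String, Map<String, Object>> sessions = new HashMap<>();
    static final String KEY = "SPRING_SECURITY_CONTEXT";

    static String newSession() {
        String id = UUID.randomUUID().toString();
        sessions.put(id, new HashMap<>());
        return id;
    }

    // End-of-request save step. Unguarded: copy the thread's context into the
    // request's current session. Guarded: skip the save when the current
    // session is not the one the request started with.
    static void saveContext(String startId, String currentId, Object ctx, boolean guarded) {
        if (guarded && !startId.equals(currentId)) {
            return; // session was replaced mid-request: do not re-authenticate it
        }
        Map<String, Object> session = sessions.get(currentId);
        if (session != null) {
            session.put(KEY, ctx);
        }
    }

    // Replays the order of events from the post; true means the
    // authentication outlived the logout.
    static boolean authSurvivesLogout(boolean guarded) {
        sessions.clear();
        String startId = newSession();
        sessions.get(startId).put(KEY, "user=alice"); // constructed sample principal
        Object ctx = sessions.get(startId).get(KEY);  // slow request loads the context
        sessions.remove(startId);                     // logout in another tab invalidates it
        String currentId = newSession();              // a new session is created, as the post describes
        saveContext(startId, currentId, ctx, guarded);
        return sessions.get(currentId).containsKey(KEY);
    }

    public static void main(String[] args) {
        System.out.println("unguarded save: auth survives logout = " + authSurvivesLogout(false));
        System.out.println("guarded save:   auth survives logout = " + authSurvivesLogout(true));
    }
}
```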
 
Rancher
Posts: 2759
The right thing to do would be to NOT do a heavy operation in a web request, and to move the heavy request to the background. You really don't want requests to be taking very long. It makes the Internet go all wonky.
 
Anil Maheshwari
Greenhorn
Posts: 2
Jayesh, I completely agree with your thoughts, but still we cannot leave this issue as it is (fundamentally it's a bug)?
Did no one face a similar issue?
 