I need sessions to be stored in a database. I used the database-session plugin from Robert Fischer (https://github.com/RobertFischer/grails-database-session) in version 1.2.0 and updated it to Grails 2.1. I installed the plugin in my main project and everything works fine except the logout function in Spring Security Core. When I log out via the Spring Security logout controller, I get the following exception:

URI: /myProject/j_spring_security_logout
Class: grails.plugin.databasesession.InvalidatedSessionException
Message: Session ABD84995E13B9D1AD4DBD228C0E5902C is invalid; cannot access/modify it.

Maybe you know a solution to fix this?

My environment:

Grails 2.1
Spring Security Core 1.2.7
grails-database-session 1.2.0 by Robert Fischer (see Github)
MySQL database is connected (JDBC)
whitenexx
  • For some reason, it looks like Spring is invalidating the session and then attempting to remove an attribute from it. Can you fire up your debugger and figure out what is causing that? – Robert Fischer Sep 05 '12 at 03:38
  • Yes, that's it. After the session got invalidated, Spring Security wants to access the FLASH_SCOPE, which is saved in the session? I raised a bug request in JIRA: http://jira.grails.org/browse/GPSPRINGSECURITYCORE-193 – whitenexx Sep 05 '12 at 14:17

1 Answer

This is a bug in Spring Security Core: it is trying to access an invalidated session, which is a violation of the Servlet spec. But, until they fix that, you can set the config.grails.plugin.databasesession.ignoreinvalid property to true and you won't get an exception.

Robert Fischer
  • After logging out, the getAttribute() method gets called and this method calls the checkAccess() method, which throws the exception because the session doesn't exist anymore (it's already invalidated). I checked which attribute Spring Security wants to check: it's the FLASH_SCOPE (org.codehaus.groovy.grails.FLASH_SCOPE). What would you prefer to fix this issue? – whitenexx Sep 04 '12 at 23:34
  • That's behaving to spec: see https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpSession.html -- so it's Spring Security's bug. However, I've got a work-around for the broken library: see the updated answer. – Robert Fischer Sep 06 '12 at 04:25
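
The behaviour discussed in this thread, as an added example that is not part of the original posts or of the plugin's code: a stand-alone Groovy model of a session that rejects access after invalidate(), and of a lenient mode that turns such access into a no-op instead of an exception. DbBackedSession, its ignoreInvalid flag and the logout closure are hypothetical names; what the plugin itself does when ignoreinvalid is set is not shown on the page, so the lenient branch is an assumption.

```groovy
// Added illustration, not the plugin's or Spring Security's code; all names are hypothetical.
class InvalidatedSessionException extends IllegalStateException {
    InvalidatedSessionException(String msg) { super(msg) }
}

class DbBackedSession {
    final String id
    final boolean ignoreInvalid          // models a "tolerate invalid access" switch
    private final Map<String, Object> attrs = [:]
    private boolean invalidated = false

    DbBackedSession(String id, boolean ignoreInvalid) {
        this.id = id
        this.ignoreInvalid = ignoreInvalid
    }

    // true: the call may proceed; false: the call must be a no-op; strict mode throws.
    private boolean checkAccess() {
        if (!invalidated) return true
        if (ignoreInvalid) return false
        throw new InvalidatedSessionException("Session ${id} is invalid; cannot access/modify it.".toString())
    }

    Object getAttribute(String name) { checkAccess() ? attrs[name] : null }
    void setAttribute(String name, Object v) { if (checkAccess()) attrs[name] = v }
    void removeAttribute(String name) { if (checkAccess()) attrs.remove(name) }
    void invalidate() { attrs.clear(); invalidated = true }
}

// Call order described in the thread: invalidate first, then touch the flash scope.
def logout = { DbBackedSession s ->
    s.invalidate()
    s.getAttribute('org.codehaus.groovy.grails.FLASH_SCOPE')
}

def strict = new DbBackedSession('CONSTRUCTED-ID-1', false)   // constructed sample id
strict.setAttribute('user', 'alice')
try {
    logout(strict)
    assert false : 'strict mode must throw'
} catch (InvalidatedSessionException e) {
    println "strict: ${e.message}"
}

def lenient = new DbBackedSession('CONSTRUCTED-ID-2', true)   // constructed sample id
lenient.setAttribute('user', 'alice')
assert logout(lenient) == null              // no exception, and no pre-logout data returned
lenient.setAttribute('user', 'bob')         // write after logout is dropped
assert lenient.getAttribute('user') == null // the dead session is not revived
```

The two assertions at the end are the property worth checking in any real lenient mode: suppressing the exception must not let reads return pre-logout attributes or let writes bring an invalidated session back to life.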