MatBanik

Reputation: 26870

Spring warning output in tomcat "Failed to create a session"

I'm getting the following messages and I don't know what they mean. Everything seems to be functioning properly, but I just want to be on the safe side. Is there something that can be done about these warnings?

2011-01-25/23:30:06.856/EST [http-80-exec-1] WARN Failed to create a session, as response has been committed. Unable to store SecurityContext.

2011-01-25/23:30:09.597/EST [http-80-exec-3] WARN Authentication event InteractiveAuthenticationSuccessEvent: [email protected]; details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 170.9.26.16; SessionId: null

I'm running Spring 3 and Tomcat 6 with Spring Security 3.

UPDATE

I reconfigured the following bean based on this info (from here):

create-session

Controls the eagerness with which an HTTP session is created. If not set, defaults to "ifRequired". Other options are "always" and "never". The setting of this attribute affects the allowSessionCreation and forceEagerSessionCreation properties of HttpSessionContextIntegrationFilter. allowSessionCreation will always be true unless this attribute is set to "never". forceEagerSessionCreation is "false" unless it is set to "always". So the default configuration allows session creation but does not force it. The exception is if concurrent session control is enabled, when forceEagerSessionCreation will be set to true, regardless of what the setting is here. Using "never" would then cause an exception during the initialization of HttpSessionContextIntegrationFilter.

<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.web.context.HttpSessionContextIntegrationFilter">
    <property name="allowSessionCreation" value="false"/>
</bean>

Upvotes: 5

Views: 7506

Answers (2)

user2310933

According to the spring documentation http://docs.spring.io/spring-security/site/docs/3.1.x/reference/technical-overview.html section 6.3.2

you might need to pre-emptively create an HTTP session to cache the context between requests, before you write the response to the client. It isn't possible to create a session once the response has been committed.

Using Grails, the spring-security-core plugin, and X509 authentication, this works for me.

In conf/Config.groovy add

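import org.springframework.web.context.request.RequestContextHolder

grails.plugins.springsecurity.useSecurityEventListener = true
grails.plugins.springsecurity.onInteractiveAuthenticationSuccessEvent = { e, appCtx ->
    // getSession() creates the HTTP session if none exists yet
    RequestContextHolder.currentRequestAttributes().getSession().getId()
}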

Upvotes: 1
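
The same advice for a plain Spring Security web application rather than Grails, as an added example that is not part of the original answer: a servlet filter (hypothetical class name `EagerSessionFilter`) that creates the session before anything downstream can commit the response. It assumes the Servlet 2.5 API that Tomcat 6 provides and that the filter is mapped in web.xml ahead of the Spring Security filter chain.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter name; not part of Spring Security or of the original answer.
public class EagerSessionFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed.
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // getSession(false) never creates; it only reports whether a session exists.
            HttpSession existing = httpRequest.getSession(false);
            // Calling getSession(true) on a committed response throws IllegalStateException,
            // so only create the session while the headers are still unsent.
            if (existing == null && !response.isCommitted()) {
                httpRequest.getSession(true);
            }
        }
        // Run the rest of the chain (including Spring Security) with a session in place.
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

With this filter every request gets a session, including unauthenticated ones, which is the same trade-off as setting create-session to "always".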

Marcin

Reputation: 693

Add the following to your config:

<http create-session='never'>

More on the Spring forum: http://forum.springsource.org/showthread.php?t=82196

Upvotes: 3
