views: 2754, answers: 4

I'm trying to add <session-management> in my Spring Security namespace configuration so that I can provide a different message than the login page when the session times out. As soon as I add it to my configuration it starts throwing "IllegalStateException: Cannot create a session after the response has been committed" when I access the app.

I'm using Spring Security 3 and Tomcat 6. Here's my configuration:

<http>
    <intercept-url pattern="/go.htm" access="ROLE_RESPONDENT" />
    <intercept-url pattern="/complete.htm" access="ROLE_RESPONDENT" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <form-login login-processing-url="/j_spring_security_check"
                login-page="/login.htm"
                authentication-failure-url="/login.htm?error=true"
                default-target-url="/go.htm"
    />
    <anonymous/>
    <logout logout-success-url="/logout_message.htm"/>
    <session-management invalid-session-url="/login.htm" />
</http>

Everything works great until I add in the <session-management> line. What am I missing?

A: 

This works for me

<session-management invalid-session-url="/taac/login">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
wuntee
A: 

Maybe including the auto-config="true" attribute in the <http> tag helps; you might be missing some required filters or settings.

Silma
A: 

I do have the same problem! When inserting the <session-management> tag in my context-security.xml

<session-management invalid-session-url="/startpage.htm" />

I am always getting an IllegalStateException ("Cannot create a session after the response has been committed"). I'm also using Spring Security (3.0.0.RELEASE from the Maven repo) and Apache Tomcat (v6.0.24). Here is my context-security.xml:

<http access-decision-manager-ref="authenticatedAccessDecisionManager" access-denied-page="/accessDenied.htm" use-expressions="true">
    <intercept-url pattern="/login**" filters="none"/>
    <intercept-url pattern="/index**" filters="none"/>
    <intercept-url pattern="/startpage**" filters="none"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <logout logout-url="/j_spring_security_logout"/>
    <form-login authentication-failure-handler-ref="myAuthFailureHandler"
                login-page="/startpage.htm"
                authentication-success-handler-ref="myAuthSuccessHandler"/>
    <custom-filter ref="userLockFilter" after="SESSION_MANAGEMENT_FILTER"/>
</http>

<!-- User lock filter, will be processed on every request to check if principal is being locked by an administrator -->
<beans:bean id="userLockFilter" class="com.example.UserLockFilter">
    <beans:property name="securityServices" ref="securityServices"/>
    <beans:property name="lockedUrl" value="/j_spring_security_logout"/>
</beans:bean>

<!-- Access decision manager -->
<beans:bean id="authenticatedAccessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>

<!-- Custom authentication failure handler for logging/locking/redirecting -->
<beans:bean id="myAuthFailureHandler" class="com.example.UserAuthenticationFailureHandler">
    <beans:property name="failureUrl" value="/login.htm?message=web.security.login.denied"/>
    <beans:property name="accountLockedUrl" value="/login.htm?message=web.security.login.locked"/>
</beans:bean>

<!-- Custom authentication success handler when login is permitted -->
<beans:bean id="myAuthSuccessHandler" class="com.example.UserAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/welcome.htm"/>
    <beans:property name="authenticationService" ref="authService"/>
</beans:bean>

<!-- Authentication manager that will do the login stuff -->
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="authService">
        <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
</authentication-manager>

<!-- Other stuff not relevant... -->

I really don't know what to do, as this is the second project that has caused this trouble. My "workaround" has been to exclude the <session-management> tag, so no exception is thrown and the user gets redirected to the startpage (by omitting an "invalid session" message for the user).

Did I miss an entry?

Appreciate your help :)

tim.kaufner
A: 

You are probably hitting this bug:

https://jira.springsource.org/browse/SEC-1346

Try using the up-to-date version (3.0.2.RELEASE).

Munkymisheen
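For readers who hit the same message from a filter of their own (the thread above has a custom userLockFilter chained after SESSION_MANAGEMENT_FILTER, for instance), the class below is an added example, not code from this thread or from Spring Security, written against the Servlet 2.5 API that Tomcat 6 implements. It shows the ordering that produces "Cannot create a session after the response has been committed" and the ordering that avoids it. The class name, the invalidSessionUrl constructor parameter and the expired-session check are assumptions made for the illustration.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical servlet filter (not Spring Security code) demonstrating the
 * exception from the question.
 *
 * The Servlet API only lets a new session be created while the response is
 * still uncommitted, because the session cookie has to travel in the response
 * headers. Once something has committed the response (a sendRedirect, or enough
 * body output to flush the buffer), any later getSession() / getSession(true)
 * throws IllegalStateException; Tomcat's wording for it is
 * "Cannot create a session after the response has been committed".
 */
public class InvalidSessionRedirectFilter implements Filter {

    /** Where to send a client whose session id no longer names a live session (assumed parameter). */
    private final String invalidSessionUrl;

    public InvalidSessionRedirectFilter(String invalidSessionUrl) {
        this.invalidSessionUrl = invalidSessionUrl;
    }

    /**
     * BROKEN ordering: the redirect commits the response, but the filter still
     * hands the request down the chain. The next component that asks for a
     * session (a security filter, a JSP, a controller) now gets the
     * IllegalStateException, far away from the code that caused it.
     */
    public void doFilterBroken(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (sessionHasExpired(request)) {
            response.sendRedirect(request.getContextPath() + invalidSessionUrl);
            // missing "return;" here: the chain continues on a committed response
        }
        chain.doFilter(request, response);
    }

    /**
     * CORRECT ordering: decide about the session before writing anything, and
     * stop the chain as soon as the response has been committed.
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (sessionHasExpired(request)) {
            // Do not create a replacement session here; redirect and stop.
            if (!response.isCommitted()) {
                response.sendRedirect(request.getContextPath() + invalidSessionUrl);
            }
            return;
        }

        chain.doFilter(request, response);

        // After the chain the response may already be committed, so only look at
        // an existing session (getSession(false) never creates one and never throws).
        HttpSession existing = request.getSession(false);
        if (existing != null) {
            existing.setAttribute("lastSeen", Long.valueOf(System.currentTimeMillis()));
        }
    }

    /** True when the client presented a session id the container no longer recognises (timeout or a forged id). */
    private static boolean sessionHasExpired(HttpServletRequest request) {
        return request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid();
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

The two rules the correct variant follows are worth applying to any custom filter registered through <custom-filter>: after sendRedirect (or anything else that commits the response) return immediately instead of calling chain.doFilter, and never call getSession() or getSession(true) after the chain has run; use getSession(false) there and treat null as "no session".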
