I have noticed somewhat odd behavior when using the Spring Security and Cookie Session plugins together. A controller gets a request to create a new user account. As part of the processing, it (re-)authenticates the user to allow for a seamless transition to the site's restricted area. The action concludes with a redirect (to prevent back button problems). There is, however, no authenticated user found within the action the flow was redirected to. After some debugging I figured this is because no session had actually been created so far. That, looking at the code of SessionRepositoryResponseWrapper, means (logically) that nothing is saved to the cookie, including the Spring Security context. As a result, no authenticated user is available after the redirect.
Since the Grails session is created upon accessing the 'session' object within the controller, anything with 'session.' prior to the redirect technically takes care of the problem. It is confusing since some operations (like working with flash scope) also create a session under the wraps.
It could be helpful to 1) mention this in the plugin documentation (the user needs to make sure a session exists if the security context is expected to propagate) and 2) establish a configuration parameter that would allow for session creation in the response wrapper.
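The situation described above, as an added example that is not part of the issue report or of either plugin's code: a Grails controller action that creates a user, re-authenticates, and redirects, with the session touched before the redirect so the cookie-session response wrapper has something to serialise. It assumes grails-spring-security-core (springSecurityService.reauthenticate and springSecurityService.principal) plus the cookie-session plugin; UserController, User, register and dashboard are hypothetical names.

```groovy
// Added example, not from the issue or the plugins. Assumes the
// grails-spring-security-core plugin (springSecurityService) together with
// the cookie-session plugin. UserController, User, register and dashboard
// are hypothetical names used only for illustration.
import grails.plugin.springsecurity.SpringSecurityService

class UserController {

    SpringSecurityService springSecurityService

    def register() {
        User user = new User(params)
        if (!user.save(flush: true)) {
            render view: 'register', model: [user: user]
            return
        }

        // Puts an Authentication for the new user into the SecurityContext
        // of the current request.
        springSecurityService.reauthenticate(user.username)

        // Up to this point nothing has created an HttpSession. Without one,
        // the cookie-session response wrapper has no session to write into
        // the cookie, so the SecurityContext does not survive the redirect.
        // Any access to 'session' creates it; logging the id is enough.
        log.debug("session {} exists before redirect", session.id)

        redirect action: 'dashboard'
    }

    def dashboard() {
        // Expects an authenticated principal restored from the cookie
        // after the redirect; null here reproduces the reported symptom.
        [principal: springSecurityService.principal]
    }
}
```

The `session.id` access is the whole workaround the report describes; removing that line reproduces the missing principal in `dashboard`. Until a plugin-side configuration option exists, a defender-friendly check is to assert in `dashboard` that `springSecurityService.principal` is non-null and treat null as a bug rather than silently rendering a public view.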