Open simasch opened 1 year ago
Thank you, that's an interesting finding indeed!

Technically, MockHttpSession seems to be doing the right thing. The HttpSession.getAttribute() javadoc says that the IllegalStateException is thrown "if this method is called on an invalidated session". MockHttpSession.invalidate() has been called, since the isValid flag is set to false, as shown by the MockHttpSession.toString() in the exception above: MockHttpSession(sessionId='1', ..., isValid=false).

This opens up a bunch of questions:

- MockHttpSession.invalidate() call - is it Vaadin, Spring or someone else?
- VaadinAwareSecurityContextHolderStrategy.getFromVaadinSession()? If yes, that would imply that Tomcat's HttpSession behaves slightly differently, i.e. it allows access to an attribute even though the session is invalidated. If no, that implies that Karibu's mocking is somewhat imperfect.

This can be worked around quite easily, by disabling checks in MockHttpSession. But before embarking on that route, I'd really love to understand what exactly is going on - I'd love to have answers on the questions above. @simasch could you please investigate a bit and add more information in this regard?
The SecurityContextLogoutHandler is calling invalidate
Is the SecurityContextLogoutHandler also calling com.vaadin.flow.spring.security.AuthenticationContext.logout() as seen in the first stacktrace? I'm curious whether Spring invalidates the session first, then calls AuthenticationContext.logout() in the same request which manipulates attributes in the invalidated session. If that is what happens, then that goes against the Servlet spec. However, apparently Servlet containers are okay with that, so perhaps there's something we don't understand: e.g. when a session is invalidated, a new one is immediately created, with no attributes. However, that could lead to a NPE in the caller of VaadinAwareSecurityContextHolderStrategy.getFromVaadinSession().
It would be great to fully figure out the ordering of events and what's exactly going on, before we start disabling protective measurements on the Fake HttpSession implementation.
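As an added illustration (not code from this thread, from Karibu-Testing or from Vaadin), here is the ordering the comment above suspects, modelled with a minimal session that follows the HttpSession contract: after invalidate(), getAttribute() throws IllegalStateException, so any lookup that can run after the logout handler has to check validity first. StrictSession, LogoutOrderingDemo, securityContextOf() and the attribute name are assumptions made for the demo.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical minimal session following the HttpSession contract; not MockHttpSession itself.
final class StrictSession {
    private final Map<String, Object> attributes = new HashMap<>();
    private boolean valid = true;

    boolean isValid() { return valid; }

    void setAttribute(String name, Object value) { checkValid(); attributes.put(name, value); }

    // HttpSession.getAttribute() javadoc: IllegalStateException if the session was invalidated.
    Object getAttribute(String name) { checkValid(); return attributes.get(name); }

    void invalidate() { checkValid(); attributes.clear(); valid = false; }

    private void checkValid() {
        if (!valid) throw new IllegalStateException("session has been invalidated");
    }
}

public class LogoutOrderingDemo {
    static final String CONTEXT_KEY = "SPRING_SECURITY_CONTEXT"; // attribute name assumed for the demo

    // Guarded lookup: the shape a getFromVaadinSession()-style read needs if it can run
    // after the logout handler has already invalidated the session.
    static Optional<Object> securityContextOf(StrictSession session) {
        if (!session.isValid()) return Optional.empty();
        return Optional.ofNullable(session.getAttribute(CONTEXT_KEY));
    }

    public static void main(String[] args) {
        StrictSession session = new StrictSession();
        session.setAttribute(CONTEXT_KEY, "constructed-security-context"); // constructed sample value

        session.invalidate(); // step 1 of the suspected ordering: the logout handler invalidates

        try {
            session.getAttribute(CONTEXT_KEY); // step 2: unguarded read, as in the reported stack trace
        } catch (IllegalStateException e) {
            System.out.println("unguarded read failed: " + e.getMessage());
        }
        System.out.println("guarded read present: " + securityContextOf(session).isPresent());
    }
}
```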
I migrated an app to Vaadin 24 and some of my tests fail. This one is happening when using Vaadin's AuthenticationContext and calling logout