search

spring-projects / spring-framework

Spring Framework
https://spring.io/projects/spring-framework
Apache License 2.0
56.46k stars 38.09k forks source link

ServletRequestAttributes wrongly returns a null http session on child threads. [SPR-4434] #9112

Closed spring-projects-issues closed 12 years ago

spring-projects-issues commented 16 years ago

Sergio Bossa opened SPR-4434 and commented

The protected ServletRequestAttributes#getSession(boolean ) method returns a null session on child threads. This is wrong because it doesn't get into account what happens in the constructor:

[code] public ServletRequestAttributes(HttpServletRequest request) { Assert.notNull(request, "Request must not be null"); this.request = request; // Fetch existing session reference early, to have it available even // after request completion (for example, in a custom child thread). this.session = request.getSession(false); } [/code]

I think that the following code into the getSession method:

[code] this.session = this.request.getSession(allowCreate); return this.session; [/code]

Should be as follows:

[code] HttpSession newSession = this.request.getSession(allowCreate); if (newSession != null) { this.session = newSession; } return this.session; [/code]

Affects: 2.0.7, 2.0.8, 2.5.1

Issue Links:

Backported to: 2.0.9

spring-projects-issues commented 16 years ago

Sergio Bossa commented

I've tested the patch above and it works well.

spring-projects-issues commented 16 years ago

Juergen Hoeller commented

We'd expect "request.getSession" to throw an IllegalStateException in such a case... Still, should be easy enough to work around a null value in that case as well, as you suggested.

Juergen

spring-projects-issues commented 16 years ago

Juergen Hoeller commented

ServletRequestAttributes keeps hold onto the original session if a "request.getSession" call suddenly returns null, and protects itself against IllegalStateExceptions thrown from invalidated sessions (which may happen now if we keep hold onto the original session even if "request.getSession" returns null).

This will be available in tonight's 2.5.2 snapshot, with 2.5.2 going GA within the next few days. I've also backported it to 2.0.9; however, 2.0.9 won't be released for another two months. I'll release a 2.0.9 snapshot once 2.5.2 goes out so that at least a snapshot will be available in advance.

Juergen

spring-projects-issues commented 16 years ago

Sergio Bossa commented

Perfect. Thank you for your quick fix (as usual), Cheers,

Sergio B.