Closed spring-projects-issues closed 12 years ago
Sergio Bossa commented
I've tested the patch above and it works well.
Juergen Hoeller commented
We'd expect "request.getSession" to throw an IllegalStateException in such a case... Still, should be easy enough to work around a null value in that case as well, as you suggested.
Juergen
Juergen Hoeller commented
ServletRequestAttributes keeps hold onto the original session if a "request.getSession" call suddenly returns null, and protects itself against IllegalStateExceptions thrown from invalidated sessions (which may happen now if we keep hold onto the original session even if "request.getSession" returns null).
This will be available in tonight's 2.5.2 snapshot, with 2.5.2 going GA within the next few days. I've also backported it to 2.0.9; however, 2.0.9 won't be released for another two months. I'll release a 2.0.9 snapshot once 2.5.2 goes out so that at least a snapshot will be available in advance.
Juergen
Sergio Bossa opened SPR-4434 and commented
The protected ServletRequestAttributes#getSession(boolean ) method returns a null session on child threads. This is wrong because it doesn't get into account what happens in the constructor:
[code] public ServletRequestAttributes(HttpServletRequest request) { Assert.notNull(request, "Request must not be null"); this.request = request; // Fetch existing session reference early, to have it available even // after request completion (for example, in a custom child thread). this.session = request.getSession(false); } [/code]
I think that the following code into the getSession method:
[code] this.session = this.request.getSession(allowCreate); return this.session; [/code]
Should be as follows:
[code] HttpSession newSession = this.request.getSession(allowCreate); if (newSession != null) { this.session = newSession; } return this.session; [/code]
Affects: 2.0.7, 2.0.8, 2.5.1
Issue Links:
9111 ServletRequestAttributes wrongly returns a null http session on child threads. ("is duplicated by")
9113 ServletRequestAttributes wrongly returns a null http session on child threads. ("is duplicated by")
Backported to: 2.0.9