Open stnor opened 5 months ago
Thanks, @stnor, and sorry you are having trouble.
I imagine that the SAML, JWT, and other pieces of configuration are unrelated. Would you be able to post a minimal GitHub sample that reproduces the issue?
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
I was able to recreate this locally a few times (it seems pretty rare) with:
curl -X POST http:\/\/127.0.0.1:8080\/ws\/684\/0jl1hqqe\/xhr_streaming\?t=1712565509693
I don't fully understand what it takes to get the error to occur, but it's related to SecurityContextPersistenceFilter
and eager session creation. The exception seems to pop up much later than I do anything with curl...
Any ideas on how to proceed would be appreciated.
java.lang.IllegalStateException: Cannot create a session after the response has been committed
at org.apache.catalina.connector.Request.doGetSession(Request.java:2907)
at org.apache.catalina.connector.Request.getSession(Request.java:2381)
at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:639)
at jakarta.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:221)
at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:553)
at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:500)
at jakarta.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:229)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:99)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
When I'm setting a breakpoint at SecurityContextPersistenceFilter:99
I get one invocation per request I make with curl.
But then I sometimes get another invocation a bit later... What would cause a this code to get initiated, not related to an http-request initiated by me?
The ApplicationHttpRequest.requestDispatcherPath
is set to "/error"
already.
The filterChain (when I get the error), currentPosition
is 5.
Oddly, the ForceEagerSessionCreationFilter is twice in the list...
There seems to be a nested java.io.IOException: Broken pipe
that causes this, which would explain the random/delayed invocation.
See errorException here:
Any ideas how the "Broken Pipe" related exceptions end up here @jzheaux?
These "errors" are ineviatable for websockets given that people close their laptops etc.
Describe the bug I recently upgraded from Boot 2.7 to 3.2.7. Since then I am getting a lot of
java.lang.IllegalStateException: Cannot create a session after the response has been committed
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:99)`2024-04-08T10:39:14.519+02:00 E o.a.c.c.C.[.[.[.[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] threw exception java.lang.IllegalStateException: Cannot create a session after the response has been committed`
It seems to be related to Websocket requests that fallback to XHR:
[08/Apr/2024:10:39:14 +0200] "POST /ws/684/0jl1hqqe/xhr_streaming?t=1712565509691 HTTP/1.1" 500 83 "***" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" 50009522
I am using
requireExplicitSave = false
for the context andSessionCreationPolicy.ALWAYS
SecurityConfig: