
HttpSession created for Anonymous request

Hello,

I'm using Anonymous Authentication for the public pages on a site I'm developing.  If I go to a page that is successful, an anonymous authentication token is made and then reset by the AnonymousProcessingFilter so that no HttpSession is created for that request.  However, if the page I go to results in an error (like 404 or 500), an HttpSession is created with the anonymous authentication token saved within.

I think that it is because the HttpSessionContextIntegrationFilter wraps the response so that it can try and save the context on sendError/sendRedirect calls; however, the AnonymousProcessingFilter isn't given a chance to remove the anonymous authentication token, and the result is that a session is created.

Is there a way to clear out the context before the wrapped response tries to save it to a new session?  I really don't want a session made if it is just an anonymous authentication token.

Thanks,
-Corey

Yes, you're right. Thanks for raising this. Ideally the wrapper should check that the user isn't anonymous and not try to save the authentication object if they are. Can you raise an issue in the tracker please?

I created the issue SEC-776.  I used the same title and description as this thread, hope that is ok.  Let me know if there is anything else I can help with.
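
The ordering problem discussed in this thread, and the check proposed in the reply, as a simplified model. This is an added example, not code from the thread or from the framework; every class, field and method name in it (`Auth`, `Request`, `SavingResponse`, `skipAnonymous`, `sessionCreated`) is a hypothetical stand-in, and the real filters are only imitated by the commented steps.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model, not framework code: every type here is a hypothetical stand-in.
public class AnonymousSessionDemo {
    record Auth(String principal, boolean anonymous) {}

    // Stand-in for the container: a session exists only once something asks for it.
    static class Request {
        Map<String, Object> session;                  // null = no session created
        Map<String, Object> getSession() {
            if (session == null) session = new HashMap<>();
            return session;
        }
    }

    // Stand-in for the response wrapper that saves the context on sendError/sendRedirect.
    static class SavingResponse {
        final Request request;
        final boolean skipAnonymous;
        Auth context;                                 // stand-in for the security context
        SavingResponse(Request request, boolean skipAnonymous) {
            this.request = request;
            this.skipAnonymous = skipAnonymous;
        }
        void sendError(int status) {
            // The check suggested in the reply: never persist an anonymous token.
            if (context == null || (skipAnonymous && context.anonymous())) return;
            request.getSession().put("SECURITY_CONTEXT", context);
        }
    }

    // Runs one modelled request and reports whether a session was created.
    static boolean sessionCreated(boolean errorPage, boolean skipAnonymous) {
        Request req = new Request();
        SavingResponse res = new SavingResponse(req, skipAnonymous);
        res.context = new Auth("anonymousUser", true); // anonymous filter, on the way in
        try {
            if (errorPage) res.sendError(404);         // wrapper saves before the token is removed
        } finally {
            res.context = null;                        // anonymous filter, on the way out
        }
        return req.session != null;                    // end of request: context empty, nothing more to save
    }

    public static void main(String[] args) {
        System.out.println("normal page, no check: " + sessionCreated(false, false));
        System.out.println("error page, no check:  " + sessionCreated(true, false));
        System.out.println("error page, with check: " + sessionCreated(true, true));
    }
}
```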