stormpath-sdk-java

Spring Web Integration - If access_token cookie is present the Stormpath filter is executed twice

Open josebarrueta opened this issue 9 years ago • 1 comments

This happens at least in the /login route

josebarrueta avatar Oct 29 '16 02:10 josebarrueta

I think, for the /login route, the Stormpath filter is executed and returns a 302 for some URL like / if the user is already logged in (i.e. access_token is present). So I think that's normal behavior?

Attached a debugger to a running application, with stormpath SDK Java 1.1.4, then accessed a role /restricted that requires authentication.

  1. StormpathFilter#filter called for /restricted and an HTTP response 302
  2. StormpathFilter#filter called for /login?next=%2Frestricted
  3. StormpathFilter#filter called for /assets/css/stormpath.css
  4. StormpathFilter#filter called for /assets/js/stormpath.js

The calls #3 and #4 are permitted as StormpathWebSecurityConfigurer calls permitAll for them. The first one is the redirect, and the second is the login. After logging in, you should see the debugger stopping at least 4 times again when going to /login.

First a redirect, then some page like /, and then the two asset URLs (assuming you are also using the vanilla login page).

Hope that helps

Bruno

kinow avatar Nov 15 '16 02:11 kinow