Skip to main content

Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Virgo » snaps session sharing
snaps session sharing [message #668279] Wed, 04 May 2011 19:40 Go to next message
Eric Hough is currently offline Eric HoughFriend
Messages: 14
Registered: July 2010
Junior Member
Following up on my use of Spring Security w/ Snaps post, I ran into another issue.

I'd like all my hosts and snaps to share the same security context, so when the user logs in via my /authenticate snap, another arbitrary snap can obtain the security context and thus identify the user.

The problem is that SnapHttpSession qualifies all its attribute names with ##/snapname. So in my case, the /authenticate snap stores the context into ##/authenticate.SPRING_SECURITY_CONTEXT. In turn, no other host/snap can read the security context.

I was able to fix this by simply getting rid of the qualifying mechanism, in essence allowing all snaps to share the exact same session attributes.

--- a/org.eclipse.virgo.snaps.core/src/main/java/org/eclipse/virgo/snaps/core/internal/webapp/container/
+++ b/org.eclipse.virgo.snaps.core/src/main/java/org/eclipse/virgo/snaps/core/internal/webapp/container/
@@ -54,7 +54,7 @@ public final class SnapHttpSession extends HttpSessionWrapper {
     private String qualifyName(String baseName) {
-        return QUALIFIED_NAME_MARKER + this.snapServletContext.getSnapContextPath() + "." + baseName;
+        return baseName;

We're only using the session for security, so this shouldn't bring up any other side effects for us. I saw a bit of discussion on the dev list regarding snaps sharing session state. Maybe this would be a good time to tackle the issue? I'm up for helping!

Re: snaps session sharing [message #668365 is a reply to message #668279] Thu, 05 May 2011 12:42 Go to previous message
Dmitry Sklyut is currently offline Dmitry SklyutFriend
Messages: 279
Registered: January 2010
Senior Member
Hi Eric,

You should not need to managed attributes in the shared session.

Here is an example of Spring Security config you can use on the snap side to get that done. Idea is that host does authentication but snap does authorization on the particular subset of urls.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns=""

    <!-- manually configure the filter chain to better control security filter behavior -->
    <beans:bean id="springSecurityFilterChain" class="">
        <filter-chain-map path-type="ant">

            <!-- ignore static resources -->
            <filter-chain pattern="/r/**" filters="none"/>
            <filter-chain pattern="/assets/**" filters="none"/>

            <!-- ignore theme resources -->
            <filter-chain pattern="/themes/**" filters="none"/>

			<!-- only deal with urls for this slice -->
            <filter-chain pattern="/slice/**"

    <!-- FilterSecurityInterceptor - last filter in the filter chain  == FILTER_SECURITY_INTERCEPTOR -->
    <!-- in this set-up it is the only filter that we need, as host will provide authentication and exception translation mechanism -->
    <beans:bean id="customFilterSecurityInterceptor"

        <!-- we will always have an authenticated request here - or at least we should -->
        <beans:property name="authenticationManager">
            <beans:bean class=".....PassThroughAuthenticationManager"/>
        <beans:property name="accessDecisionManager">
            <beans:bean class="">
                <beans:property name="decisionVoters">
                        <beans:bean class=""/>
                        <beans:bean class=""/>
        <beans:property name="securityMetadataSource">
            <!-- NOTE: url security configuration goes here -->
            <filter-security-metadata-source lowercase-comparisons="true" path-type="ant">
                <intercept-url pattern="/admin" access="ROLE_ADMIN"/>
                <intercept-url pattern="/admin/status" access="ROLE_ADMIN"/>
        <!-- THIS IS IMPORTANT - force it to re-evaluate -->
        <beans:property name="observeOncePerRequest" value="false"/>
    <!-- end FilterSecurityInterceptor -->

PassThroughAuthenticationManager is very simple:
public final class PassThroughAuthenticationManager implements AuthenticationManager {
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        return authentication;

Also make sure you have this flag set:
<!-- THIS IS IMPORTANT - force it to re-evaluate -->
        <beans:property name="observeOncePerRequest" value="false"/>

Ping back if you have questions.

Previous Topic:Dependency Problem?
Next Topic:osgi console
Goto Forum:

Current Time: Tue Mar 09 07:23:47 GMT 2021

Powered by FUDForum. Page generated in 0.01770 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top