spring - Failed to create a session, as response has been committed. Unable to store SecurityContext
Summary
We have configured the filter chain in the applicationContext.xml file as shown below.
<bean id="springsecurityfilterchain" class="org.springframework.security.web.FilterChainProxy">
    <sec:filter-chain-map path-type="ant">
        <sec:filter-chain pattern="/**" filters="requestcontextfilter,securitycontextfilter,exceptiontranslationfilter,userroleprocessingfilter" />
    </sec:filter-chain-map>
</bean>

<bean id="requestcontextfilter" class="org.springframework.web.filter.RequestContextFilter"/>

<bean id="securitycontextfilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <property name="securityContextRepository">
        <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"></bean>
    </property>
    <property name="forceEagerSessionCreation" value="false"/>
</bean>

<bean id="exceptiontranslationfilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
        <bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
    </property>
</bean>

<bean id="userroleprocessingfilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="cc_user" />
    <property name="credentialsRequestHeader" value="cc_cred" />
    <property name="authenticationManager" ref="authenticationmanager" />
    <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" />
    <property name="exceptionIfHeaderMissing" value="false"></property>
    <property name="checkForPrincipalChanges" value="true"></property>
</bean>

<bean id="authenticationmanager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
        <list>
            <ref local="authenticationprovider" />
        </list>
    </property>
</bean>

<bean id="authenticationprovider" class="com.powerup.common.authorization.spring.xxx.authenticationprovider">
    <property name="preAuthenticatedUserDetailsService">
        <bean class="com.powerup.common.authorization.spring.xxx.userdetailsservice"></bean>
    </property>
</bean>
And web.xml is configured as shown below.
<web-app>
    <!-- ... -->
    <filter>
        <filter-name>springsecurityfilterchain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetBeanName</param-name>
            <param-value>springsecurityfilterchain</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>springsecurityfilterchain</filter-name>
        <url-pattern>/remoting/*</url-pattern>
    </filter-mapping>
</web-app>
Actual behavior
Spring Security is supposed to persist sessions whenever there is a successful authentication request. In our case, it is not able to persist the session at times (this behavior is not consistent), leading to the creation of a new session, which causes the application to go through the actual authentication again. Please note the behavior is inconsistent.
I am seeing the below messages in the Spring Security log file.
2016-05-10 09:41:22,042 debug [org.springframework.security.web.filterchainproxy] /remoting/viewservice @ position 1 of 4 in additional filter chain; firing filter: 'requestcontextfilter'
2016-05-10 09:41:22,042 debug [org.springframework.security.web.filterchainproxy] /remoting/viewservice @ position 2 of 4 in additional filter chain; firing filter: 'securitycontextpersistencefilter'
2016-05-10 09:41:22,042 debug [org.springframework.security.web.context.httpsessionsecuritycontextrepository] no httpsession exists
2016-05-10 09:41:22,042 debug [org.springframework.security.web.context.httpsessionsecuritycontextrepository] no securitycontext available httpsession: null. new 1 created.
2016-05-10 09:41:22,042 debug [org.springframework.security.web.filterchainproxy] /remoting/viewservice @ position 3 of 4 in additional filter chain; firing filter: 'exceptiontranslationfilter'
2016-05-10 09:41:22,042 debug [org.springframework.security.web.filterchainproxy] /remoting/viewservice @ position 4 of 4 in additional filter chain; firing filter: 'requestheaderauthenticationfilter'
2016-05-10 09:41:22,042 debug [org.springframework.security.web.authentication.preauth.requestheaderauthenticationfilter] checking secure context token: null
2016-05-10 09:41:22,042 debug [org.springframework.security.web.authentication.preauth.requestheaderauthenticationfilter] preauthenticatedprincipal = snme, trying authenticate
2016-05-10 09:41:22,064 debug [org.springframework.security.web.authentication.preauth.preauthenticatedauthenticationprovider] preauthenticated authentication request: org.springframework.security.web.authentication.preauth.preauthenticatedauthenticationtoken@6bc667b: principal: snme; credentials: [protected]; authenticated: false; details: org.springframework.security.web.authentication.webauthenticationdetails@7798: remoteipaddress: 144.5.156.254; sessionid: null; not granted authorities
2016-05-10 09:41:22,068 debug [org.springframework.security.web.authentication.preauth.requestheaderauthenticationfilter] authentication success: org.springframework.security.web.authentication.preauth.preauthenticatedauthenticationtoken@e031ed5f: principal: org.springframework.security.core.userdetails.user@35f133: username: snme; password: [protected]; enabled: true; accountnonexpired: true; credentialsnonexpired: true; accountnonlocked: true; granted authorities: uim-user; credentials: [protected]; authenticated: true; details: org.springframework.security.web.authentication.webauthenticationdetails@7798: remoteipaddress: 144.5.156.254; sessionid: null; granted authorities: uim-user
2016-05-10 09:41:22,068 debug [org.springframework.security.web.filterchainproxy] /remoting/viewservice reached end of additional filter chain; proceeding original chain
2016-05-10 09:41:22,342 debug [org.springframework.security.web.context.httpsessionsecuritycontextrepository] httpsession being created securitycontext non-default
2016-05-10 09:41:22,342 warn [org.springframework.security.web.context.httpsessionsecuritycontextrepository] failed create session, response has been committed. unable store securitycontext.
2016-05-10 09:41:22,342 debug [org.springframework.security.web.context.httpsessionsecuritycontextrepository] httpsession being created securitycontext non-default
2016-05-10 09:41:22,342 warn [org.springframework.security.web.context.httpsessionsecuritycontextrepository] failed create session, response has been committed. unable store securitycontext.
2016-05-10 09:41:22,342 debug [org.springframework.security.web.context.httpsessionsecuritycontextrepository] httpsession being created securitycontext non-default
2016-05-10 09:41:22,342 warn [org.springframework.security.web.context.httpsessionsecuritycontextrepository] failed create session, response has been committed. unable store securitycontext.
2016-05-10 09:41:22,343 debug [org.springframework.security.web.access.exceptiontranslationfilter] chain processed
2016-05-10 09:41:22,343 debug [org.springframework.security.web.context.securitycontextpersistencefilter] securitycontextholder cleared, request processing completed
2016-05-10 09:41:23,254 debug [org.springframework.security.web.filterchainproxy] /remoting/lockingservice @ position 1 of 4 in additional filter chain; firing filter: 'requestcontextfilter'
2016-05-10 09:41:23,254 debug [org.springframework.security.web.filterchainproxy] /remoting/lockingservice @ position 2 of 4 in additional filter chain; firing filter: 'securitycontextpersistencefilter'
2016-05-10 09:41:23,254 debug [org.springframework.security.web.context.httpsessionsecuritycontextrepository] no httpsession exists
2016-05-10 09:41:23,254 debug [org.springframework.security.web.context.httpsessionsecuritycontextrepository] no securitycontext available httpsession: null. new 1 created.
2016-05-10 09:41:23,255 debug [org.springframework.security.web.filterchainproxy] /remoting/lockingservice @ position 3 of 4 in additional filter chain; firing filter: 'exceptiontranslationfilter'
2016-05-10 09:41:23,255 debug [org.springframework.security.web.filterchainproxy] /remoting/lockingservice @ position 4 of 4 in additional filter chain; firing filter: 'requestheaderauthenticationfilter'
2016-05-10 09:41:23,255 debug [org.springframework.security.web.authentication.preauth.requestheaderauthenticationfilter] checking secure context token: null
2016-05-10 09:41:23,255 debug [org.springframework.security.web.authentication.preauth.requestheaderauthenticationfilter] preauthenticatedprincipal = snme, trying authenticate
Expected behavior
Had the context been stored, it would not have unnecessarily gone through a new authentication request.
Version
Spring 4.0.6, Spring Security 3.2.4
spring-security-config-3.2.4.RELEASE.jar
spring-security-core-3.2.4.RELEASE.jar
spring-security-crypto-3.2.4.RELEASE.jar
spring-security-web-3.2.4.RELEASE.jar
spring-core-4.0.6.RELEASE.jar
Any help is appreciated.
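The pattern in the log above (a request authenticates, then the SecurityContext cannot be saved because the response is already committed) can be picked out of a debug log mechanically. The script below is an added example, not part of the original post: `lost_contexts`, its regexes and the abridged sample lines are constructed here. It assumes requests are not interleaved in the log, since the quoted format carries no thread name.

```python
import re

# Constructed sample, abridged from the log format quoted in the post.
LOGGER = "org.springframework.security.web"
SAMPLE_LOG = f"""\
2016-05-10 09:41:22,042 debug [{LOGGER}.filterchainproxy] /remoting/viewservice @ position 1 of 4 in additional filter chain; firing filter: 'requestcontextfilter'
2016-05-10 09:41:22,042 debug [{LOGGER}.context.httpsessionsecuritycontextrepository] no httpsession exists
2016-05-10 09:41:22,068 debug [{LOGGER}.authentication.preauth.requestheaderauthenticationfilter] authentication success: principal: user@35f133: username: snme; password: [protected]; authenticated: true
2016-05-10 09:41:22,342 warn [{LOGGER}.context.httpsessionsecuritycontextrepository] failed create session, response has been committed. unable store securitycontext.
2016-05-10 09:41:22,342 warn [{LOGGER}.context.httpsessionsecuritycontextrepository] failed create session, response has been committed. unable store securitycontext.
2016-05-10 09:41:22,343 debug [{LOGGER}.context.securitycontextpersistencefilter] securitycontextholder cleared, request processing completed
2016-05-10 09:41:23,254 debug [{LOGGER}.filterchainproxy] /remoting/lockingservice @ position 1 of 4 in additional filter chain; firing filter: 'requestcontextfilter'
2016-05-10 09:41:23,260 debug [{LOGGER}.authentication.preauth.requestheaderauthenticationfilter] authentication success: principal: user@35f133: username: snme; password: [protected]; authenticated: true
2016-05-10 09:41:23,300 debug [{LOGGER}.context.securitycontextpersistencefilter] securitycontextholder cleared, request processing completed
"""

ENTRY = re.compile(r"^(\S+ \S+) (\w+) +\[([\w.]+)\] (.*)$")
START = re.compile(r"^(/\S+) (?:@|at) position 1 of \d+", re.I)   # first filter fires
AUTH_OK = re.compile(r"authentication success:.*?username: ([^;]+);", re.I)
SAVE_FAILED = re.compile(r"response has been committed", re.I)
END = re.compile(r"securitycontextholder.*cleared", re.I)

def lost_contexts(log_text):
    """Return one dict per request that authenticated but could not store its SecurityContext."""
    findings, current = [], None
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        timestamp, _level, _logger, message = entry.groups()
        start = START.match(message)
        if start:  # a new request enters the filter chain
            current = {"path": start.group(1), "started": timestamp,
                       "user": None, "save_failed": 0}
            continue
        if current is None:
            continue
        auth = AUTH_OK.search(message)
        if auth:
            current["user"] = auth.group(1).strip()
        elif SAVE_FAILED.search(message):
            current["save_failed"] += 1
        elif END.search(message):  # request finished: report only the lost ones
            if current["user"] and current["save_failed"]:
                findings.append(current)
            current = None
    return findings
```

Each finding marks a request whose successful authentication was not persisted to the session, so the next request from the same user has to authenticate again.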