Spring Security SEC-2721: SaveContextOnUpdateOrErrorResponseWrapper.SaveContextServletOutputStream does not implement Servlet 3.1 abstract methods

Jon Nermut (Migrated from SEC-2721) said:

If one tries to call setWriteListener on a ServletOutputStream on a stream that has been wrapped by SaveContextOnUpdateOrErrorResponseWrapper.SaveContextServletOutputStream, you get an abstract method exception, as SaveContextServletOutputStream does not implement and delegate these new methods in the Servlet 3.1 spec:

    /**
     * Checks if a non-blocking write will succeed. If this returns
     * <code>false</code>, it will cause a callback to
     * {@link WriteListener#onWritePossible()} when the buffer has emptied. If
     * this method returns <code>false</code> no further data must be written
     * until the contain calls {@link WriteListener#onWritePossible()}.
     *
     * @return <code>true</code> if data can be written, else <code>false</code>
     *
     * @since Servlet 3.1
     */
    public abstract boolean isReady();

    /**
     * Sets the {@link WriteListener} for this {@link ServletOutputStream} and
     * thereby switches to non-blocking IO. It is only valid to switch to
     * non-blocking IO within async processing or HTTP upgrade processing.
     *
     * @param listener  The non-blocking IO write listener
     *
     * @throws IllegalStateException    If this method is called if neither
     *                                  async nor HTTP upgrade is in progress or
     *                                  if the {@link WriteListener} has already
     *                                  been set
     * @throws NullPointerException     If listener is null
     *
     * @since Servlet 3.1
     */
    public abstract void setWriteListener(javax.servlet.WriteListener listener);

It just needs to delegate them through to the wrapped object.

Comment From: spring-projects-issues

Ivan Pavlukhin said:

Hello.

I work on project that use spring web security and cometd. Currently I am trying to upgrade cometd from version 2.1.1 to 3.0.3. There is a DelegatingFilterProxy before CometDServlet. At some moment I have encountered a problem java.lang.AbstractMethodError: javax.servlet.ServletOutputStream.setWriteListener(Ljavax/servlet/WriteListener;)V This happens inside org.cometd.server.transport.AsyncJSONTranport:91 where following code is executed ServletOutputStream output = response.getOutputStream(); output.setWriteListener(new Writer(request, response, asyncContext, session, startInterval, messages, replies)); Here "output" is an instance of SaveContextServletOutputStream class.

So I am wondering is there some workaround to solve this problem? Or is it planned to include this fix in next web security release?

P.S. I could provide more details of web and spring security configurations of the project if needed.

Comment From: lukecarroll

Is there any way to fix this? Is Spring Security going to compile against javax-servlet-api 3.1 any time soon?

Comment From: rwinch

@lukecarroll The problem is ensuring that we still support previous versions of the Servlet APIs.

Comment From: lt-schmidt-jr

@rwinch, any update on getting this issue resolved?

Comment From: rwinch

This was fixed as a part of gh-4080