From 6a36b92e68c51061ae83ccb2980abe437cfb4b99 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier <mbaudier@argeo.org>
Date: Tue, 11 Apr 2017 08:33:29 +0200
Subject: [PATCH] Fix regression with http session not created for remoting.

---
 .../src/org/argeo/cms/auth/HttpSessionLoginModule.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
index dd01e4b53..9d41cea69 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
@@ -14,6 +14,7 @@ import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.logging.Log;
@@ -68,7 +69,14 @@ public class HttpSessionLoginModule implements LoginModule {
 			return false;
 		authorization = (Authorization) request.getAttribute(HttpContext.AUTHORIZATION);
 		if (authorization == null) {// search by session ID
-			String httpSessionId = request.getSession(false).getId();
+			HttpSession httpSession = request.getSession(false);
+			if (httpSession == null) {
+				// TODO make sure this is always safe
+				if (log.isTraceEnabled())
+					log.trace("Create http session");
+				httpSession = request.getSession(true);
+			}
+			String httpSessionId = httpSession.getId();
 			// authorization = (Authorization)
 			// request.getSession().getAttribute(HttpContext.AUTHORIZATION);
 			// if (authorization == null) {
-- 
2.30.2