Fix for SEC-111. Added a try/finally block to make sure context is always reset after the invocation.

2005-11-23 16:09:44 +00:00 · 2005-11-23 16:09:44 +00:00 · 7847af2664
parent 58922e666a
commit 7847af2664
2 changed files with 32 additions and 7 deletions
--- a/core/src/main/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocation.java
+++ b/core/src/main/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocation.java
@ -117,15 +117,18 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
                + securityContext);
        }

-        Object result = super.invoke(targetObject);
+        try {

-        SecurityContextHolder.setContext(new SecurityContextImpl());
+            return super.invoke(targetObject);

-        if (logger.isDebugEnabled()) {
-            logger.debug(
-                "Set SecurityContext to new instance of SecurityContextImpl");
+        } finally {
+
+            SecurityContextHolder.setContext(new SecurityContextImpl());
+
+            if (logger.isDebugEnabled()) {
+                logger.debug(
+                    "Set SecurityContext to new instance of SecurityContextImpl");
+            }
        }
-
-        return result;
    }
 }
--- a/core/src/test/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocationTests.java
+++ b/core/src/test/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocationTests.java
@ -85,6 +85,28 @@ public class ContextPropagatingRemoteInvocationTests extends TestCase {
            remoteInvocation.invoke(new TargetObject()));
    }

+    public void testContextIsResetEvenIfExceptionOccurs() throws Exception {
+        // Setup client-side context
+        Authentication clientSideAuthentication = new UsernamePasswordAuthenticationToken("marissa",
+                "koala");
+        SecurityContextHolder.getContext().setAuthentication(clientSideAuthentication);
+
+        ContextPropagatingRemoteInvocation remoteInvocation = getRemoteInvocation();
+
+        try {
+            // Set up the wrong arguments.
+            remoteInvocation.setArguments(new Object[] {});
+            remoteInvocation.invoke(TargetObject.class.newInstance());
+            fail("Expected IllegalArgumentException");
+        } catch(IllegalArgumentException e) {
+            // expected
+        }
+
+        assertNull("Authentication must be null ", SecurityContextHolder.getContext().getAuthentication());
+
+    }
+
+
    private ContextPropagatingRemoteInvocation getRemoteInvocation()
        throws Exception {
        Class clazz = TargetObject.class;