SEC-1587: Add explicit call to removeAttribute() to remove the context from the session if the current context is empty or anonymous.

Allows for the situation where a user is logged out without invalidating the session.
Luke Taylor 2010-11-09 13:55:45 +00:00
parent 7754882ba9
commit 8b51c2c97d
2 changed files with 41 additions and 6 deletions


@ -262,22 +262,28 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
*/ */
@Override @Override
protected void saveContext(SecurityContext context) { protected void saveContext(SecurityContext context) {
final Authentication authentication = context.getAuthentication();
HttpSession httpSession = request.getSession(false);
// See SEC-776 // See SEC-776
if (authenticationTrustResolver.isAnonymous(context.getAuthentication())) { if (authentication == null || authenticationTrustResolver.isAnonymous(authentication)) {
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("SecurityContext contents are anonymous - context will not be stored in HttpSession."); logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
}
if (httpSession != null) {
// SEC-1587 A non-anonymous context may still be in the session
httpSession.removeAttribute(SPRING_SECURITY_CONTEXT_KEY);
} }
return; return;
} }
HttpSession httpSession = request.getSession(false);
if (httpSession == null) { if (httpSession == null) {
httpSession = createNewSessionIfAllowed(context); httpSession = createNewSessionIfAllowed(context);
} }
// If HttpSession exists, store current SecurityContextHolder contents but only if // If HttpSession exists, store current SecurityContext but only if it has
// the SecurityContext has actually changed in this thread (see SEC-37, SEC-1307, SEC-1528) // actually changed in this thread (see SEC-37, SEC-1307, SEC-1528)
if (httpSession != null) { if (httpSession != null) {
// We may have a new session, so check also whether the context attribute is set SEC-1561 // We may have a new session, so check also whether the context attribute is set SEC-1561
if (contextChanged(context) || httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY) == null) { if (contextChanged(context) || httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY) == null) {
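Review bot: The new `if (httpSession != null)` removal branch is silent: the only debug message on this path (the `logger.debug` just above it) still says the context "will not be stored", so the logs give no indication that an existing, possibly authenticated, context was actually dropped from the session. Add a debug line next to the removal, e.g. `logger.debug("Removing existing SecurityContext from HttpSession because the current context is empty or anonymous (SEC-1587)");`, wrapped in the same `isDebugEnabled()` guard style the file already uses. Because `removeAttribute` clears only the stored context and leaves the session itself valid (the behaviour the commit intends), the method's Javadoc — which closes at the `*/` on the hunk's first context line and otherwise lies outside the hunk — should state that an empty or anonymous context now removes any stored context rather than merely skipping the save. The remainder of `saveContext` is outside the hunk.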


@ -170,6 +170,35 @@ public class HttpSessionSecurityContextRepositoryTests {
assertNull(request.getSession(false)); assertNull(request.getSession(false));
} }
// SEC-1587
@Test
public void contextIsRemovedFromSessionIfCurrentContextIsAnonymous() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
ctxInSession.setAuthentication(testToken);
request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
repo.loadContext(holder);
SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken("x","x", testToken.getAuthorities()));
repo.saveContext(SecurityContextHolder.getContext(), holder.getRequest(), holder.getResponse());
assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
}
@Test
public void contextIsRemovedFromSessionIfCurrentContextIsEmpty() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
ctxInSession.setAuthentication(testToken);
request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
repo.loadContext(holder);
// Save an empty context
repo.saveContext(SecurityContextHolder.getContext(), holder.getRequest(), holder.getResponse());
assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
}
@Test @Test
@SuppressWarnings("deprecation") @SuppressWarnings("deprecation")
public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl() throws Exception { public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl() throws Exception {
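Review bot: Both new tests assert through `request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY)`, and the no-arg `getSession()` creates a fresh session when none exists, so the assertion would still pass if `saveContext` had invalidated the session instead of removing the attribute — which is exactly the distinction the commit is about. Use `assertNull(request.getSession(false).getAttribute(SPRING_SECURITY_CONTEXT_KEY));`, or capture the session created in the setup and assert on that instance, so the test fails if the session disappears. `contextIsRemovedFromSessionIfCurrentContextIsEmpty` also relies on `SecurityContextHolder` holding an empty context at that point, which nothing in the hunk establishes; an explicit `SecurityContextHolder.clearContext();` before the `// Save an empty context` comment would make the precondition visible. The two tests duplicate their first six setup lines, which could move into a private helper that returns the prepared `HttpRequestResponseHolder`. `testToken` and the method that begins at the hunk's last line are defined outside the hunk.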