root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 5 Packages Projects Releases Wiki Activity

SEC-767: Added check for committed response before attempting to create a new session

This commit is contained in:
Luke Taylor 2008-04-12 23:18:03 +00:00
parent 48c5a5e7ce
commit a2f4ee1c58
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
View File

@ -21,6 +21,9 @@ import org.springframework.security.util.SessionUtils;
* This is essentially a generalization of the functionality that was implemented for SEC-399. Additionally, it will * This is essentially a generalization of the functionality that was implemented for SEC-399. Additionally, it will
* update the configured SessionRegistry if one is in use, thus preventing problems when used with Spring Security's * update the configured SessionRegistry if one is in use, thus preventing problems when used with Spring Security's
* concurrent session control. * concurrent session control.
* <p>
* If the response has already been committed when the filter checks the authentication state, then it isn't possible
* to create a new session and the filter will print a warning to that effect.
* *
* @author Martin Algesten * @author Martin Algesten
* @author Luke Taylor * @author Luke Taylor
@ -65,7 +68,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
chain.doFilter(request, wrapper); chain.doFilter(request, wrapper);
} finally { } finally {
if (!wrapper.isNewSessionStarted()) { if (!wrapper.isNewSessionStarted()) {
startNewSessionIfRequired(request); startNewSessionIfRequired(request, response);
} }
} }
} }
@ -94,8 +97,12 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
* If the user is now authenticated, a new session will be created, the session attributes copied to it (if * If the user is now authenticated, a new session will be created, the session attributes copied to it (if
* <tt>migrateSessionAttributes</tt> is set and the sessionRegistry updated with the new session information. * <tt>migrateSessionAttributes</tt> is set and the sessionRegistry updated with the new session information.
*/ */
protected void startNewSessionIfRequired(HttpServletRequest request) { protected void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response) {
if (isAuthenticated()) { if (isAuthenticated()) {
if (request.getSession(false) != null && response.isCommitted()) {
logger.warn("Response is already committed. Unable to create new session.");
}
SessionUtils.startNewSessionIfRequired(request, migrateSessionAttributes, sessionRegistry); SessionUtils.startNewSessionIfRequired(request, migrateSessionAttributes, sessionRegistry);
} }
} }
@ -151,7 +158,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
if (newSessionStarted) { if (newSessionStarted) {
return; return;
} }
startNewSessionIfRequired(request); startNewSessionIfRequired(request, this);
newSessionStarted = true; newSessionStarted = true;
} }