SEC-3070: Logout invalidate-session=false and Spring Session doesn't

work

web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java

@@ -337,7 +337,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 					logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
 				}
 
-				if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
+				if (httpSession != null && authBeforeExecution != null) {
 					// SEC-1587 A non-anonymous context may still be in the session
 					// SEC-1735 remove if the contextBeforeExecution was not anonymous
 					httpSession.removeAttribute(springSecurityContextKey);

web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java

@@ -501,6 +501,24 @@ public class HttpSessionSecurityContextRepositoryTests {
 				request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
 	}
 
+	// SEC-3070
+	@Test
+	public void logoutInvalidateSessionFalseFails() throws Exception {
+		HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
+		ctxInSession.setAuthentication(testToken);
+		request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
+
+		HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
+		repo.loadContext(holder);
+
+		ctxInSession.setAuthentication(null);
+		repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
+
+		assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
+	}
+
 	@Test
 	@SuppressWarnings("deprecation")
 	public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl()