diff --git a/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java b/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java
index 8a434912b4..f27676295f 100644
--- a/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java
@@ -12,6 +12,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+
package net.sf.acegisecurity.providers.anonymous;
import net.sf.acegisecurity.Authentication;
@@ -38,7 +39,7 @@ import javax.servlet.ServletResponse;
/**
* Detects if there is no Authentication object in the
* SecurityContextHolder, and populates it with one if needed.
- *
+ *
*
* Do not use this class directly. Instead configure
* web.xml to use the {@link
@@ -49,11 +50,18 @@ import javax.servlet.ServletResponse;
* @version $Id$
*/
public class AnonymousProcessingFilter implements Filter, InitializingBean {
+ //~ Static fields/initializers =============================================
+
private static final Log logger = LogFactory.getLog(AnonymousProcessingFilter.class);
+
+ //~ Instance fields ========================================================
+
private String key;
private UserAttribute userAttribute;
private boolean removeAfterRequest = true;
+ //~ Methods ================================================================
+
public void setKey(String key) {
this.key = key;
}
@@ -62,6 +70,31 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
return key;
}
+ /**
+ * Controls whether the filter will remove the Anonymous token after the
+ * request is complete. Generally this is desired to avoid the expense of
+ * a session being created by {@link
+ * net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter
+ * HttpSessionContextIntegrationFilter} simply to store the Anonymous
+ * authentication token.
+ *
+ *
+ * Defaults to true, being the most optimal and appropriate
+ * option (ie AnonymousProcessingFilter will clear the token
+ * at the end of each request, thus avoiding the session creation overhead
+ * in a typical configuration.
+ *
+ *
+ * @param removeAfterRequest DOCUMENT ME!
+ */
+ public void setRemoveAfterRequest(boolean removeAfterRequest) {
+ this.removeAfterRequest = removeAfterRequest;
+ }
+
+ public boolean isRemoveAfterRequest() {
+ return removeAfterRequest;
+ }
+
public void setUserAttribute(UserAttribute userAttributeDefinition) {
this.userAttribute = userAttributeDefinition;
}
@@ -78,8 +111,7 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
/**
* Does nothing - we reply on IoC lifecycle services instead.
*/
- public void destroy() {
- }
+ public void destroy() {}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
@@ -93,16 +125,16 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
if (logger.isDebugEnabled()) {
logger.debug(
- "Populated SecurityContextHolder with anonymous token: '" +
- SecurityContextHolder.getContext().getAuthentication() +
- "'");
+ "Populated SecurityContextHolder with anonymous token: '"
+ + SecurityContextHolder.getContext().getAuthentication()
+ + "'");
}
} else {
if (logger.isDebugEnabled()) {
logger.debug(
- "SecurityContextHolder not populated with anonymous token, as it already contained: '" +
- SecurityContextHolder.getContext().getAuthentication() +
- "'");
+ "SecurityContextHolder not populated with anonymous token, as it already contained: '"
+ + SecurityContextHolder.getContext().getAuthentication()
+ + "'");
}
}
}
@@ -110,7 +142,9 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
try {
chain.doFilter(request, response);
} finally {
- if (addedToken && removeAfterRequest) {
+ if (addedToken && removeAfterRequest
+ && createAuthentication(request).equals(SecurityContextHolder.getContext()
+ .getAuthentication())) {
SecurityContextHolder.getContext().setAuthentication(null);
}
}
@@ -121,9 +155,9 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
*
* @param ignored not used
*
+ * @throws ServletException DOCUMENT ME!
*/
- public void init(FilterConfig ignored) throws ServletException {
- }
+ public void init(FilterConfig ignored) throws ServletException {}
/**
* Enables subclasses to determine whether or not an anonymous
@@ -147,24 +181,4 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
return new AnonymousAuthenticationToken(key,
userAttribute.getPassword(), userAttribute.getAuthorities());
}
-
- public boolean isRemoveAfterRequest() {
- return removeAfterRequest;
- }
-
- /**
- * Controls whether the filter will remove the Anonymous token
- * after the request is complete. Generally this is desired to
- * avoid the expense of a session being created by
- * {@link net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter HttpSessionContextIntegrationFilter}
- * simply to store the Anonymous authentication token.
- *
- * Defaults to true,
- * being the most optimal and appropriate option (ie AnonymousProcessingFilter
- * will clear the token at the end of each request, thus avoiding the session creation
- * overhead in a typical configuration.
- */
- public void setRemoveAfterRequest(boolean removeAfterRequest) {
- this.removeAfterRequest = removeAfterRequest;
- }
}