SEC-2055: SaveContextServletOutputStream flush/close delegates to original ServletOutputStream instead of using super

2025-06-25 05:22:16 +00:00 · 2012-09-19 08:59:39 -05:00 · 2012-09-19 08:59:39 -05:00 · 0350c2833e
commit 0350c2833e
parent 7406e03306
2 changed files with 36 additions and 4 deletions
--- a/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java
+++ b/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java
@ -203,16 +203,14 @@ public abstract class SaveContextOnUpdateOrErrorResponseWrapper extends HttpServ
            this.delegate.write(b);
        }

-        @Override
        public void flush() throws IOException {
            doSaveContext();
-            super.flush();
+            delegate.flush();
        }

-        @Override
        public void close() throws IOException {
            doSaveContext();
-            super.close();
+            delegate.close();
        }
    }
 }
--- a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
@ -13,8 +13,12 @@
 package org.springframework.security.web.context;

 import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
 import static org.springframework.security.web.context.HttpSessionSecurityContextRepository.*;

+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletResponse;
+
 import org.junit.After;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
@ -242,6 +246,36 @@ public class HttpSessionSecurityContextRepositoryTests {
       assertEquals(SecurityContextHolder.getContext(), request.getSession().getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY));
    }

+    // SEC-SEC-2055
+    @Test
+    public void outputStreamCloseDelegate() throws Exception {
+        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        HttpServletResponse response = mock(HttpServletResponse.class);
+        ServletOutputStream outputstream = mock(ServletOutputStream.class);
+        when(response.getOutputStream()).thenReturn(outputstream);
+        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
+        SecurityContextHolder.setContext(repo.loadContext(holder));
+        SecurityContextHolder.getContext().setAuthentication(testToken);
+        holder.getResponse().getOutputStream().close();
+        verify(outputstream).close();
+    }
+
+    // SEC-SEC-2055
+    @Test
+    public void outputStreamFlushesDelegate() throws Exception {
+        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        HttpServletResponse response = mock(HttpServletResponse.class);
+        ServletOutputStream outputstream = mock(ServletOutputStream.class);
+        when(response.getOutputStream()).thenReturn(outputstream);
+        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
+        SecurityContextHolder.setContext(repo.loadContext(holder));
+        SecurityContextHolder.getContext().setAuthentication(testToken);
+        holder.getResponse().getOutputStream().flush();
+        verify(outputstream).flush();
+    }
+
    @Test
    public void noSessionIsCreatedIfSessionWasInvalidatedDuringTheRequest() throws Exception {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();