From 0c2a950fa072e9d0cd1a7aa1dedb56cf176dc39b Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Thu, 4 Aug 2011 14:33:54 +0100
Subject: [PATCH] SEC-1788: Avoid unnecessary call to getPreAuthenticatedPrincipal() in AbstractPreAuthenticatedProcessingFilter when not checking for principal changes is not enabled.
---
 ...tractPreAuthenticatedProcessingFilter.java | 36 ++++++++++---------
 1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
index 637ff119c0..bc3053808f 100755
--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
@@ -130,24 +130,28 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 return true;
 }
- Object principal = getPreAuthenticatedPrincipal(request);
- if (checkForPrincipalChanges &&
- !currentUser.getName().equals(principal)) {
- logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
-
- if (invalidateSessionOnPrincipalChange) {
- HttpSession session = request.getSession(false);
-
- if (session != null) {
- logger.debug("Invalidating existing session");
- session.invalidate();
- }
- }
-
- return true;
+ if (!checkForPrincipalChanges) {
+ return false;
 }
- return false;
+ Object principal = getPreAuthenticatedPrincipal(request);
+
+ if (currentUser.getName().equals(principal)) {
+ return false;
+ }
+
+ logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
+
+ if (invalidateSessionOnPrincipalChange) {
+ HttpSession session = request.getSession(false);
+
+ if (session != null) {
+ logger.debug("Invalidating existing session");
+ session.invalidate();
+ }
+ }
+
+ return true;
 }
 /**
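Review bot: The new early-return `if (currentUser.getName().equals(principal))` still compares a String name against an arbitrary `Object` returned by `getPreAuthenticatedPrincipal(request)`, so a subclass that returns a non-String principal, or a request where the pre-authenticated principal is absent (`null`), is treated as a principal change on every request and, with `invalidateSessionOnPrincipalChange` set, invalidates the session each time; the commit keeps this comparison unchanged from the removed lines. If a non-String or `null` principal is meant to force re-authentication, that contract should be stated where `checkForPrincipalChanges` is documented, e.g. `// When checkForPrincipalChanges is enabled, getPreAuthenticatedPrincipal() must return a value that is equals()-comparable with Authentication.getName(); any other value (including null) is treated as a change.`; otherwise the guard should normalise first, `if (principal != null && currentUser.getName().equals(principal.toString())) {`, which I would confirm against the concrete subclasses before adopting. Note also that the `logger.debug` line interpolates the principal value into the log message, which is acceptable at debug level but worth keeping in mind if the principal ever carries more than an identifier. The enclosing method starts outside the hunk, so the derivation of `currentUser` and any earlier null handling could not be checked here.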