Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-04 09:42:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-1788: Avoid unnecessary call to getPreAuthenticatedPrincipal() in AbstractPreAuthenticatedProcessingFilter when not checking for principal changes is not enabled.

Browse Source
This commit is contained in:
Luke Taylor 2011-08-04 14:33:54 +01:00
parent 7399c9a7a5
commit 0c2a950fa0
1 changed files with 20 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
View File

@ -130,24 +130,28 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
return true; return true;
} }
Object principal = getPreAuthenticatedPrincipal(request); if (!checkForPrincipalChanges) {
if (checkForPrincipalChanges && return false;
!currentUser.getName().equals(principal)) {
logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
if (invalidateSessionOnPrincipalChange) {
HttpSession session = request.getSession(false);
if (session != null) {
logger.debug("Invalidating existing session");
session.invalidate();
}
}
return true;
} }
return false; Object principal = getPreAuthenticatedPrincipal(request);
if (currentUser.getName().equals(principal)) {
return false;
}
logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
if (invalidateSessionOnPrincipalChange) {
HttpSession session = request.getSession(false);
if (session != null) {
logger.debug("Invalidating existing session");
session.invalidate();
}
}
return true;
} }
/** /**