SEC-1788: Avoid unnecessary call to getPreAuthenticatedPrincipal() in AbstractPreAuthenticatedProcessingFilter when not checking for principal changes is not enabled.

2011-08-04 14:33:54 +01:00 · 2011-08-04 14:33:54 +01:00 · 0c2a950fa0
parent 7399c9a7a5
commit 0c2a950fa0
1 changed files with 20 additions and 16 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
@ -130,9 +130,16 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
            return true;
        }

+        if (!checkForPrincipalChanges) {
+            return false;
+        }
+
        Object principal = getPreAuthenticatedPrincipal(request);
-        if (checkForPrincipalChanges &&
-                !currentUser.getName().equals(principal)) {
+
+        if (currentUser.getName().equals(principal)) {
+            return false;
+        }
+
        logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");

        if (invalidateSessionOnPrincipalChange) {
@ -147,9 +154,6 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
        return true;
    }

-        return false;
-    }
-
    /**
     * Puts the <code>Authentication</code> instance returned by the
     * authentication manager into the secure context.