Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-22 20:12:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-2578: HttpSessionSecurityContextRepository traverses HttpServletResponseWrapper

Browse Source
This commit is contained in:
Rob Winch 2014-05-02 15:06:28 -05:00
parent f73b579ad9
commit 2082d3747a
2 changed files with 36 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
View File

@ -18,6 +18,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.web.util.WebUtils;
/**
* A {@code SecurityContextRepository} implementation which stores the security context in the {@code HttpSession}
@ -105,7 +106,10 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
}
public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
SaveContextOnUpdateOrErrorResponseWrapper responseWrapper = (SaveContextOnUpdateOrErrorResponseWrapper)response;
SaveContextOnUpdateOrErrorResponseWrapper responseWrapper = WebUtils.getNativeResponse(response, SaveContextOnUpdateOrErrorResponseWrapper.class);
if(responseWrapper == null) {
throw new IllegalStateException("Cannot invoke saveContext on response " + response + ". You must use the HttpRequestResponseHolder.response after invoking loadContext");
}
// saveContext() might already be called by the response wrapper
// if something in the chain called sendError() or sendRedirect(). This ensures we only call it
// once per request.

35
web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
View File

@ -29,9 +29,7 @@ import static org.springframework.security.web.context.HttpSessionSecurityContex
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.*;
import org.junit.After;
import org.junit.Test;
@ -495,4 +493,33 @@ public class HttpSessionSecurityContextRepositoryTests {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
repo.setTrustResolver(null);
}
}
// SEC-2578
@Test
public void traverseWrappedRequests() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContext context = repo.loadContext(holder);
assertNull(request.getSession(false));
// Simulate authentication during the request
context.setAuthentication(testToken);
repo.saveContext(context, new HttpServletRequestWrapper(holder.getRequest()), new HttpServletResponseWrapper(holder.getResponse()));
assertNotNull(request.getSession(false));
assertEquals(context, request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
}
@Test(expected = IllegalStateException.class)
public void failsWithStandardResponse() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(testToken);
repo.saveContext(context,request,response);
}
}