From 35ca25f085c5c8167c57488c4a4e5977ed3bafa1 Mon Sep 17 00:00:00 2001 From: Ben Alex Date: Thu, 8 Sep 2005 11:15:48 +0000 Subject: [PATCH] BasicAuthenticationProcessingFilter no longer creates HttpSession via WebAuthenticationDetails call. --- .../ui/WebAuthenticationDetails.java | 21 +++++----- .../ui/basicauth/BasicProcessingFilter.java | 40 +++++++++---------- doc/xdocs/changes.xml | 1 + 3 files changed, 30 insertions(+), 32 deletions(-) diff --git a/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java b/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java index 75b2cfcc45..b29845d0d6 100644 --- a/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java +++ b/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java @@ -12,7 +12,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - package net.sf.acegisecurity.ui; import java.io.Serializable; @@ -27,16 +26,12 @@ import javax.servlet.http.HttpServletRequest; * @version $Id$ */ public class WebAuthenticationDetails implements Serializable { - //~ Instance fields ======================================================== - private String remoteAddress; private String sessionId; - //~ Constructors =========================================================== - /** * Constructor. - * + * *

* NB: This constructor will cause a HttpSession to be created * (this is considered reasonable as all Acegi Security authentication @@ -48,7 +43,14 @@ public class WebAuthenticationDetails implements Serializable { */ public WebAuthenticationDetails(HttpServletRequest request) { this.remoteAddress = request.getRemoteAddr(); - this.sessionId = request.getSession().getId(); + this.sessionId = request.getSession(true).getId(); + doPopulateAdditionalInformation(request); + } + + public WebAuthenticationDetails(HttpServletRequest request, + boolean forceSessionCreation) { + this.remoteAddress = request.getRemoteAddr(); + this.sessionId = request.getSession(forceSessionCreation).getId(); doPopulateAdditionalInformation(request); } @@ -56,8 +58,6 @@ public class WebAuthenticationDetails implements Serializable { throw new IllegalArgumentException("Cannot use default constructor"); } - //~ Methods ================================================================ - /** * Indicates the TCP/IP address the authentication request was received * from. @@ -92,5 +92,6 @@ public class WebAuthenticationDetails implements Serializable { * * @param request that the authentication request was received from */ - protected void doPopulateAdditionalInformation(HttpServletRequest request) {} + protected void doPopulateAdditionalInformation(HttpServletRequest request) { + } } diff --git a/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java b/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java index 4f8b5166bd..37003f933f 100644 --- a/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java +++ b/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java @@ -12,7 +12,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - package net.sf.acegisecurity.ui.basicauth; import net.sf.acegisecurity.Authentication; 
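Review bot: The new two-argument constructor dereferences `request.getSession(forceSessionCreation).getId()` unconditionally, but `HttpServletRequest.getSession(false)` returns null when the request has no existing session, so the exact case this commit introduces (BasicProcessingFilter now passes `false`, in the hunk on line 34, inside doFilter before the authentication manager is consulted) would throw a NullPointerException, presumably surfacing as a servlet error rather than a BASIC challenge. Suggest `HttpSession session = request.getSession(forceSessionCreation);` followed by `this.sessionId = (session == null) ? null : session.getId();`, importing javax.servlet.http.HttpSession if the file does not already, and documenting that sessionId is null when no session existed. The two-argument constructor also has no Javadoc; the existing "NB: This constructor will cause a HttpSession to be created" remark now describes only the one-argument form, so a `@param forceSessionCreation` line stating whether a session may be created would help callers. The accessor methods of the class are outside this hunk.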
@@ -46,13 +45,13 @@ import javax.servlet.http.HttpServletResponse; /** * Processes a HTTP request's BASIC authorization headers, putting the result * into the ContextHolder. - * + * *

* For a detailed background on what this filter is designed to process, refer * to RFC 1945, Section * 11.1. Any realm name presented in the HTTP request is ignored. *

- * + * *

* In summary, this filter is responsible for processing any request that has a * HTTP request header of Authorization with an authentication @@ -61,28 +60,28 @@ import javax.servlet.http.HttpServletResponse; * "Aladdin" with password "open sesame" the following header would be * presented: *

- * + * *

* Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==. *

- * + * *

* This filter can be used to provide BASIC authentication services to both * remoting protocol clients (such as Hessian and SOAP) as well as standard * user agents (such as Internet Explorer and Netscape). *

- * + * *

* If authentication is successful, the resulting {@link Authentication} object * will be placed into the ContextHolder. *

- * + * *

* If authentication fails, an {@link AuthenticationEntryPoint} implementation * is called. Usually this should be {@link BasicProcessingFilterEntryPoint}, * which will prompt the user to authenticate again via BASIC authentication. *

- * + * *

* Basic authentication is an attractive protocol because it is simple and * widely deployed. However, it still transmits a password in clear text and @@ -91,7 +90,7 @@ import javax.servlet.http.HttpServletResponse; * authentication wherever possible. See {@link * net.sf.acegisecurity.ui.digestauth.DigestProcessingFilter}. *

- * + * *

* Do not use this class directly. Instead configure * web.xml to use the {@link @@ -102,17 +101,10 @@ import javax.servlet.http.HttpServletResponse; * @version $Id$ */ public class BasicProcessingFilter implements Filter, InitializingBean { - //~ Static fields/initializers ============================================= - private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class); - - //~ Instance fields ======================================================== - private AuthenticationEntryPoint authenticationEntryPoint; private AuthenticationManager authenticationManager; - //~ Methods ================================================================ - public void setAuthenticationEntryPoint( AuthenticationEntryPoint authenticationEntryPoint) { this.authenticationEntryPoint = authenticationEntryPoint; @@ -138,7 +130,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean { "An AuthenticationEntryPoint is required"); } - public void destroy() {} + public void destroy() { + } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { @@ -174,7 +167,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean { UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); - authRequest.setDetails(new WebAuthenticationDetails(httpRequest)); + authRequest.setDetails(new WebAuthenticationDetails(httpRequest, + false)); Authentication authResult; @@ -183,8 +177,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean { } catch (AuthenticationException failed) { // Authentication failed if (logger.isDebugEnabled()) { - logger.debug("Authentication request for user: " + username - + " failed: " + failed.toString()); + logger.debug("Authentication request for user: " + + username + " failed: " + failed.toString()); } SecurityContextHolder.getContext().setAuthentication(null); 
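Review bot: The call `new WebAuthenticationDetails(httpRequest, false)` passes a bare boolean whose meaning is only recoverable by opening the other class; a short comment at the call site such as `// false: do not create an HttpSession merely to record request details` would carry the intent stated in the commit subject into the code. Note that the argument only avoids session creation safely if the constructor tolerates `getSession(false)` returning null for requests that arrive without a session. doFilter begins and ends outside this hunk.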
@@ -195,7 +189,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean { // Authentication success if (logger.isDebugEnabled()) { - logger.debug("Authentication success: " + authResult.toString()); + logger.debug("Authentication success: " + + authResult.toString()); } SecurityContextHolder.getContext().setAuthentication(authResult); @@ -204,5 +199,6 @@ public class BasicProcessingFilter implements Filter, InitializingBean { chain.doFilter(request, response); } - public void init(FilterConfig arg0) throws ServletException {} + public void init(FilterConfig arg0) throws ServletException { + } } diff --git a/doc/xdocs/changes.xml b/doc/xdocs/changes.xml index 4d4b07a72b..18d082e8cd 100644 --- a/doc/xdocs/changes.xml +++ b/doc/xdocs/changes.xml @@ -28,6 +28,7 @@ SwitchUserProcessingFilter to provide user security context switching Java 1.5 annotation support + BasicAuthenticationProcessingFilter no longer creates HttpSession via WebAuthenticationDetails call JdbcDaoImpl modified to support synthetic primary keys Greatly improve BasicAclEntryAfterInvocationCollectionFilteringProvider performance with large collections (if the principal has access to relatively few collection elements) Reorder DaoAuthenticationProvider exception logic as per developer list discussion