SEC-3070: Logout invalidate-session=false and Spring Session doesn't

work
2025-06-08 05:02:13 +00:00 · 2015-10-20 13:50:04 -05:00 · 2015-10-20 13:50:04 -05:00 · 37aacc5e02
commit 37aacc5e02
parent 0284845289
2 changed files with 20 additions and 1 deletions
--- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@ -304,7 +304,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
                    logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
                }

-                if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
+                if (httpSession != null && authBeforeExecution != null) {
                    // SEC-1587 A non-anonymous context may still be in the session
                    // SEC-1735 remove if the contextBeforeExecution was not anonymous
                    httpSession.removeAttribute(springSecurityContextKey);
--- a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
@ -429,6 +429,25 @@ public class HttpSessionSecurityContextRepositoryTests {
        assertSame(ctxInSession,request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
    }

+
+    // SEC-3070
+    @Test
+    public void logoutInvalidateSessionFalseFails() throws Exception {
+        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
+        ctxInSession.setAuthentication(testToken);
+        request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
+
+        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
+        repo.loadContext(holder);
+
+        ctxInSession.setAuthentication(null);
+        repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
+
+        assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
+    }
+
    @Test
    @SuppressWarnings("deprecation")
    public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl() throws Exception {