From 37aacc5e02c541134d47ff5bf080ac0d043f4039 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Tue, 20 Oct 2015 13:50:04 -0500
Subject: [PATCH] SEC-3070: Logout invalidate-session=false and Spring Session doesn't work
---
 .../HttpSessionSecurityContextRepository.java | 2 +-
 ...SessionSecurityContextRepositoryTests.java | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
index 817feb6967..cf980c81e7 100644
--- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@@ -304,7 +304,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
 }
 
- if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
+ if (httpSession != null && authBeforeExecution != null) {
 // SEC-1587 A non-anonymous context may still be in the session
 // SEC-1735 remove if the contextBeforeExecution was not anonymous
 httpSession.removeAttribute(springSecurityContextKey);
diff --git a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
index 4f9c7e3610..10051b888f 100644
--- a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
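Review bot: The comment directly under the changed condition, `// SEC-1735 remove if the contextBeforeExecution was not anonymous`, no longer describes what the code tests: the new guard fires whenever `authBeforeExecution` is non-null, and the `equals()` comparison against `contextBeforeExecution` that the old wording relied on is gone. That is the point of the fix — a logout that nulls the authentication on the same `SecurityContext` instance that was loaded (invalidate-session=false, or a session store handing back the same object) made the old comparison trivially equal and left the authenticated context in the session — so the comment should say so, e.g. `// SEC-3070 decide by the authentication present at load time, not by context identity: the loaded instance may have been mutated in place (logout with invalidate-session=false)`. `authBeforeExecution` is assigned outside this hunk, so its being captured at load time is inferred and should be confirmed against the wrapper's constructor. The enclosing method starts and ends outside the hunk.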
@@ -429,6 +429,25 @@ public class HttpSessionSecurityContextRepositoryTests {
 assertSame(ctxInSession,request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
 }
 
+
+ // SEC-3070
+ @Test
+ public void logoutInvalidateSessionFalseFails() throws Exception {
+ HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
+ ctxInSession.setAuthentication(testToken);
+ request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
+
+ HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
+ repo.loadContext(holder);
+
+ ctxInSession.setAuthentication(null);
+ repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
+
+ assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
+ }
+
 @Test
 @SuppressWarnings("deprecation")
 public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl() throws Exception {
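Review bot: The new test's name, `logoutInvalidateSessionFalseFails`, names the bug rather than the behavior asserted, so a passing run reads as if something fails; consider `logoutWithInvalidateSessionFalseRemovesContextFromSession`, or keep the name and expand the bare `// SEC-3070` marker into the scenario, e.g. `// SEC-3070: nulling the authentication on the same context instance that was loaded must still remove it from the session`. The test deliberately mutates `ctxInSession` in place and saves it without invalidating the session, which is the path the production change targets; the `assertNull` on the session attribute is the right observable for "the authenticated context is gone". It depends on `testToken`, a fixture declared outside this hunk, which presumably is a non-anonymous token — otherwise the removal branch would not be the one exercised. The enclosing test class continues outside the hunk.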