Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-06 10:42:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Optimize HttpSessionSecurityContextRepository

Browse Source 
Closes gh-9387
This commit is contained in:
Rob Winch 2021-01-28 16:54:32 -06:00
parent 996ccc08a4
commit 38e9e8ca52
1 changed files with 5 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
View File

@ -142,14 +142,8 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
+ response + response
+ ". You must use the HttpRequestResponseHolder.response after invoking loadContext"); + ". You must use the HttpRequestResponseHolder.response after invoking loadContext");
} }
// saveContext() might already be called by the response wrapper
// if something in the chain called sendError() or sendRedirect(). This ensures we
// only call it
// once per request.
if (!responseWrapper.isContextSaved()) {
responseWrapper.saveContext(context); responseWrapper.saveContext(context);
} }
}
public boolean containsContext(HttpServletRequest request) { public boolean containsContext(HttpServletRequest request) {
HttpSession session = request.getSession(false); HttpSession session = request.getSession(false);
@ -305,6 +299,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
private final boolean httpSessionExistedAtStartOfRequest; private final boolean httpSessionExistedAtStartOfRequest;
private final SecurityContext contextBeforeExecution; private final SecurityContext contextBeforeExecution;
private final Authentication authBeforeExecution; private final Authentication authBeforeExecution;
private boolean isSaveContextInvoked;
/** /**
* Takes the parameters required to call <code>saveContext()</code> successfully * Takes the parameters required to call <code>saveContext()</code> successfully
@ -355,6 +350,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
// SEC-1587 A non-anonymous context may still be in the session // SEC-1587 A non-anonymous context may still be in the session
// SEC-1735 remove if the contextBeforeExecution was not anonymous // SEC-1735 remove if the contextBeforeExecution was not anonymous
httpSession.removeAttribute(springSecurityContextKey); httpSession.removeAttribute(springSecurityContextKey);
this.isSaveContextInvoked = true;
} }
return; return;
} }
@ -371,7 +367,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
if (contextChanged(context) if (contextChanged(context)
|| httpSession.getAttribute(springSecurityContextKey) == null) { || httpSession.getAttribute(springSecurityContextKey) == null) {
httpSession.setAttribute(springSecurityContextKey, context); httpSession.setAttribute(springSecurityContextKey, context);
this.isSaveContextInvoked = true;
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("SecurityContext '" + context logger.debug("SecurityContext '" + context
+ "' stored to HttpSession: '" + httpSession); + "' stored to HttpSession: '" + httpSession);
@ -381,7 +377,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
} }
private boolean contextChanged(SecurityContext context) { private boolean contextChanged(SecurityContext context) {
return context != contextBeforeExecution return this.isSaveContextInvoked || context != contextBeforeExecution
|| context.getAuthentication() != authBeforeExecution; || context.getAuthentication() != authBeforeExecution;
} }