SEC-1429: Removed cached authentication from session after successful authentication.

Luke Taylor 2010-03-05 00:07:35 +00:00
parent 89d8c8cc83
commit 43f0e11106
2 changed files with 24 additions and 1 deletions


@ -46,7 +46,6 @@ import org.springframework.util.StringUtils;
* </li>
* </ul>
*
*
* @author Luke Taylor
* @since 3.0
*/
@ -73,6 +72,8 @@ public class SavedRequestAwareAuthenticationSuccessHandler extends SimpleUrlAuth
return;
}
clearAuthenticationAttributes(request);
// Use the DefaultSavedRequest URL
String targetUrl = savedRequest.getRedirectUrl();
logger.debug("Redirecting to DefaultSavedRequest Url: " + targetUrl);
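Review bot: The new `clearAuthenticationAttributes(request);` call only runs on the path that reaches the redirect below it; the `return` two lines above leaves the method on another branch, and whether that branch clears the same two attributes depends on code outside this hunk (presumably a delegation to the superclass, which I cannot confirm from here). A one-line why-comment would help the next reader, since the commit title speaks of "cached authentication" while the attributes actually removed (see the sibling file) are the last username and the authentication exception: `// Drop the last-username / failure-exception session attributes left by earlier login attempts before redirecting`. The enclosing onAuthenticationSuccess starts before and ends after this hunk.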


@ -5,8 +5,10 @@ import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.WebAttributes;
/**
* <tt>AuthenticationSuccessHandler</tt> which can be configured with a default URL which users should be
@ -30,9 +32,29 @@ public class SimpleUrlAuthenticationSuccessHandler extends AbstractAuthenticatio
setDefaultTargetUrl(defaultTargetUrl);
}
/**
* Calls the parent class {@code handle()} method to forward or redirect to the target URL, and
* then calls {@code clearAuthenticationAttributes()} to remove any leftover session data.
*/
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
handle(request, response, authentication);
clearAuthenticationAttributes(request);
}
/**
* Removes temporary authentication-related data which may have been stored in the session
* during the authentication process.
*/
protected final void clearAuthenticationAttributes(HttpServletRequest request) {
HttpSession session = request.getSession(false);
if (session == null) {
return;
}
session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
session.removeAttribute(WebAttributes.LAST_USERNAME);
}
}
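Review bot: In `onAuthenticationSuccess` the session attributes are removed only after `handle(request, response, authentication)` has returned, and the Javadoc right above says handle() may forward rather than redirect; on a forward the target resource is rendered inside that call, so it still sees `WebAttributes.LAST_USERNAME` and `WebAttributes.AUTHENTICATION_EXCEPTION` from the previous failed attempt, and if handle() throws they are never removed at all. The subclass in the sibling file already clears before it redirects, so for the same ordering here swap the two statements, `clearAuthenticationAttributes(request); handle(request, response, authentication);`, and update the method Javadoc accordingly (the one reason not to would be handle() itself reading these attributes, which I cannot see from this hunk). `request.getSession(false)` is the right call in clearAuthenticationAttributes — it avoids creating a session just to clean it. Separately, declaring `clearAuthenticationAttributes` as `final` stops subclasses from extending the set of attributes they clear; if that is deliberate, a sentence in its Javadoc saying so would save a future question.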