Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-01 09:42:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-1429: Removed cached authentication from session after successful authentication.

Browse Source
This commit is contained in:
Luke Taylor 2010-03-05 00:07:35 +00:00
parent 89d8c8cc83
commit 43f0e11106
2 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
web/src/main/java/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandler.java
View File

@ -46,7 +46,6 @@ import org.springframework.util.StringUtils;
* </li> * </li>
* </ul> * </ul>
* *
*
* @author Luke Taylor * @author Luke Taylor
* @since 3.0 * @since 3.0
*/ */
@ -73,6 +72,8 @@ public class SavedRequestAwareAuthenticationSuccessHandler extends SimpleUrlAuth
return; return;
} }
clearAuthenticationAttributes(request);
// Use the DefaultSavedRequest URL // Use the DefaultSavedRequest URL
String targetUrl = savedRequest.getRedirectUrl(); String targetUrl = savedRequest.getRedirectUrl();
logger.debug("Redirecting to DefaultSavedRequest Url: " + targetUrl); logger.debug("Redirecting to DefaultSavedRequest Url: " + targetUrl);

22
web/src/main/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandler.java
View File

@ -5,8 +5,10 @@ import java.io.IOException;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.web.WebAttributes;
/** /**
* <tt>AuthenticationSuccessHandler</tt> which can be configured with a default URL which users should be * <tt>AuthenticationSuccessHandler</tt> which can be configured with a default URL which users should be
@ -30,9 +32,29 @@ public class SimpleUrlAuthenticationSuccessHandler extends AbstractAuthenticatio
setDefaultTargetUrl(defaultTargetUrl); setDefaultTargetUrl(defaultTargetUrl);
} }
/**
* Calls the parent class {@code handle()} method to forward or redirect to the target URL, and
* then calls {@code clearAuthenticationAttributes()} to remove any leftover session data.
*/
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException { Authentication authentication) throws IOException, ServletException {
handle(request, response, authentication); handle(request, response, authentication);
clearAuthenticationAttributes(request);
}
/**
* Removes temporary authentication-related data which may have been stored in the session
* during the authentication process.
*/
protected final void clearAuthenticationAttributes(HttpServletRequest request) {
HttpSession session = request.getSession(false);
if (session == null) {
return;
}
session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
session.removeAttribute(WebAttributes.LAST_USERNAME);
} }
} }