SEC-1211: Set the default AuthenticatedSessionStrategy to a null implementation to preserve existing behaviour.

2009-07-28 23:57:46 +00:00 · 2009-07-28 23:57:46 +00:00 · 5e285b3692
parent 609a68b12a
commit 5e285b3692
2 changed files with 22 additions and 3 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java
@ -38,7 +38,7 @@ import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.session.AuthenticatedSessionStrategy;
-import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy;
+import org.springframework.security.web.session.NullAuthenticatedSessionStrategy;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;

@ -129,7 +129,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends SpringSecur

    private boolean continueChainBeforeSuccessfulAuthentication = false;

-    private AuthenticatedSessionStrategy sessionStrategy = new DefaultAuthenticatedSessionStrategy();
+    private AuthenticatedSessionStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();

    private boolean allowSessionCreation = true;

@ -393,7 +393,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends SpringSecur
     * successfully processed. Used, for example, to handle changing of the session identifier to prevent session
     * fixation attacks.
     *
-     * @param sessionStrategy the implementation to use. If not set a {@link DefaultAuthenticatedSessionStrategy} is
+     * @param sessionStrategy the implementation to use. If not set a null implementation is
     * used.
     */
    public void setAuthenticatedSessionStrategy(AuthenticatedSessionStrategy sessionStrategy) {
--- a/web/src/main/java/org/springframework/security/web/session/NullAuthenticatedSessionStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/session/NullAuthenticatedSessionStrategy.java
@ -0,0 +1,19 @@
+package org.springframework.security.web.session;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.core.Authentication;
+
+/**
+ *
+ * @author Luke Taylor
+ * @version $Id$
+ * @since 3.0
+ */
+public final class NullAuthenticatedSessionStrategy implements AuthenticatedSessionStrategy {
+
+    public void onAuthenticationSuccess(Authentication authentication, HttpServletRequest request,
+            HttpServletResponse response) {
+    }
+}