SEC-1797: Create a new session in AbstractPreAuthenticatedProcessingFilter when the existing session is invalidated on detecting a principal change.

2011-08-12 19:07:17 +01:00 · 2011-08-12 19:07:17 +01:00 · 6333909107
parent 74daa68691
commit 6333909107
2 changed files with 3 additions and 2 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
@ -148,6 +148,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
            if (session != null) {
                logger.debug("Invalidating existing session");
                session.invalidate();
+                request.getSession();
            }
        }

--- a/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
+++ b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
@ -105,12 +105,12 @@ public class SessionManagementFilter extends GenericFilterBean {
     * Sets the strategy object which handles the session management behaviour when a
     * user has been authenticated during the current request.
     *
-     * @param sessionStrategy the strategy object. If not set, a {@link SessionFixationProtectionStrategy} is used.
+     * @param sessionAuthenticationStrategy the strategy object. If not set, a {@link SessionFixationProtectionStrategy} is used.
     * @deprecated Use constructor injection
     */
    @Deprecated
    public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) {
-        Assert.notNull(sessionAuthenticationStrategy, "authenticatedSessionStratedy must not be null");
+        Assert.notNull(sessionAuthenticationStrategy, "authenticatedSessionStrategy must not be null");
        this.sessionAuthenticationStrategy = sessionAuthenticationStrategy;
    }