From 63decfeb937c6bcfda2e92a3ef9c842a5e112fde Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Tue, 22 Apr 2008 21:51:12 +0000
Subject: [PATCH] SEC-761: HttpSessionContextIntegrationFilter.contextObject should be created in afterPropertiesSet(), not the constructor http://jira.springframework.org/browse/SEC-761. Added call to generateNewContext() in the afterPropertiesSet() method to take account of custom security context classes.
---
 .../security/context/HttpSessionContextIntegrationFilter.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java b/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java
index e0b9aadbb4..1320691d28 100644
--- a/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java
+++ b/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java
@@ -180,6 +180,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
 throw new IllegalArgumentException(
 "If using forceEagerSessionCreation, you must set allowSessionCreation to also be true");
 }
+
+ contextObject = generateNewContext();
 }
 
 public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
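Review bot: The added `contextObject = generateNewContext();` has no comment explaining why the field is rebuilt at this point, so it looks redundant to a later reader. Something like `// SEC-761: rebuild once properties are set so a custom security context class is used, not the default` would record the reason. The diffstat shows two insertions and no deletions, so any initialisation in the constructor that the subject line refers to presumably remains; that should be confirmed. If it does remain, the field is assigned twice, and an instance built by hand without calling afterPropertiesSet() would keep the constructor-time object. The enclosing method starts outside the hunk, so it is not visible whether the context class can still be changed after this call, which would leave `contextObject` stale again.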