From 69446ab80f17e43dadbdde53e1bd72e73bf77f4d Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Tue, 20 Oct 2015 14:58:57 -0500
Subject: [PATCH] SEC-3070: Logout invalidate-session=false and Spring Session doesn't work
---
 .../HttpSessionSecurityContextRepository.java | 2 +-
 ...SessionSecurityContextRepositoryTests.java | 20 ++++++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
index 2017727283..e88362f204 100644
--- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@@ -337,7 +337,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
 }
- if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
+ if (httpSession != null && authBeforeExecution != null) {
 // SEC-1587 A non-anonymous context may still be in the session
 // SEC-1735 remove if the contextBeforeExecution was not anonymous
 httpSession.removeAttribute(springSecurityContextKey);
diff --git a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
index ba82d6c199..63e8756e30 100644
--- a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
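Review bot: The comment `// SEC-1735 remove if the contextBeforeExecution was not anonymous` no longer matches the condition it sits under, which now tests `authBeforeExecution != null` instead of comparing the two context objects. I would reword it to `// SEC-1735/SEC-3070: remove whenever an Authentication was present at the start of the request; comparing contextObject with contextBeforeExecution cannot see a context that was mutated in place, which left the authenticated context in the session after logout`. Whether `authBeforeExecution` can itself hold an anonymous token is not visible here — it is assigned outside the hunk — so if it can, the removal now also runs for anonymous-before requests, which only drops the attribute and is harmless, but a word in the comment would save the next reader the question. The enclosing saveContext body starts and ends outside the hunk.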
@@ -501,6 +501,24 @@ public class HttpSessionSecurityContextRepositoryTests {
 request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
 }
+ // SEC-3070
+ @Test
+ public void logoutInvalidateSessionFalseFails() throws Exception {
+ HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
+ ctxInSession.setAuthentication(testToken);
+ request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
+
+ HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
+ repo.loadContext(holder);
+
+ ctxInSession.setAuthentication(null);
+ repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
+
+ assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
+ }
+
 @Test
 @SuppressWarnings("deprecation")
 public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl()
@@ -600,4 +618,4 @@ public class HttpSessionSecurityContextRepositoryTests {
 repo.saveContext(context, request, response);
 }
-}
\ No newline at end of file
+}
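Review bot: The test name `logoutInvalidateSessionFalseFails` reads as if a failure is expected, while the method asserts the fixed behaviour — the context attribute is gone after saveContext — so `logoutInvalidateSessionFalseRemovesContextFromSession` would describe what passes. The trigger is subtle enough to deserve a comment: `ctxInSession` is the very instance the mock session hands back to loadContext, so `ctxInSession.setAuthentication(null)` mutates the pre-request context in place and an equals()-based "did the context change" guard cannot detect the logout; I would put `// same instance as the session attribute, mutated in place: an equals() check against the pre-request context cannot see the logout` above `ctxInSession.setAuthentication(null)`. The commit title names Spring Session, but this test only drives a MockHttpServletRequest session, so whatever Spring Session does differently is not exercised here — worth stating in the `// SEC-3070` comment so nobody assumes it is covered.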