From 70d5ba536efa2c4a64694a48531c0b456fa3c396 Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@vmware.com>
Date: Wed, 3 Oct 2012 09:20:31 -0500
Subject: [PATCH] SEC-2057: ConcurrentSessionFilter is now after
 SecurityContextPersistenceFilter

Previously, ConcurrentSessionFilter was placed after SecurityContextPersistenceFilter
which meant that the SecurityContextHolder was empty when ConcurrentSessionFilter was
invoked. This caused the Authentication to be null when performing a logout. It also
caused complications with LogoutHandler implementations that would be accessing the
SecurityContextHolder and potentially clear it out expecting that
SecurityContextPersistenceFilter would then clear the SecurityContextRepository.

The ConcurrentSessionFilter is now positioned after the
SecurityContextPersistenceFilter to ensure that the SecurityContextHolder is populated
and cleared out appropriately.
---
 .../security/config/http/SecurityFilters.java     |  2 +-
 .../HttpSecurityBeanDefinitionParserTests.java    |  2 +-
 docs/manual/src/docbook/namespace-config.xml      |  2 +-
 docs/manual/src/docbook/security-filter-chain.xml | 15 +++++++++------
 4 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java b/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java
index af9ea1926c..fee6f66e51 100644
--- a/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java
+++ b/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java
@@ -10,8 +10,8 @@ package org.springframework.security.config.http;
 enum SecurityFilters {
     FIRST (Integer.MIN_VALUE),
     CHANNEL_FILTER,
-    CONCURRENT_SESSION_FILTER,
     SECURITY_CONTEXT_FILTER,
+    CONCURRENT_SESSION_FILTER,
     LOGOUT_FILTER,
     X509_FILTER,
     PRE_AUTH_FILTER,
diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
index 0a94e12d81..a66fabe2af 100644
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@@ -787,7 +787,7 @@ public class HttpSecurityBeanDefinitionParserTests {
                 "</http>" + AUTH_PROVIDER_XML);
         List<Filter> filters = getFilters("/someurl");
 
-        assertTrue(filters.get(0) instanceof ConcurrentSessionFilter);
+        assertTrue(filters.get(1) instanceof ConcurrentSessionFilter);
         assertNotNull(appContext.getBean("sr"));
         SessionManagementFilter smf = getFilter(SessionManagementFilter.class);
         assertNotNull(smf);
diff --git a/docs/manual/src/docbook/namespace-config.xml b/docs/manual/src/docbook/namespace-config.xml
index 7d950f92fc..0596a99318 100644
--- a/docs/manual/src/docbook/namespace-config.xml
+++ b/docs/manual/src/docbook/namespace-config.xml
@@ -570,9 +570,9 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
                   align="center">Namespace Element or
                   Attribute</entry></row></thead><tbody><row><entry>
                     CHANNEL_FILTER</entry><entry><literal>ChannelProcessingFilter</literal></entry><entry><literal>http/intercept-url@requires-channel</literal></entry></row><row><entry>
+                  SECURITY_CONTEXT_FILTER</entry><entry><classname>SecurityContextPersistenceFilter</classname></entry><entry><literal>http</literal></entry></row><row><entry>
                   CONCURRENT_SESSION_FILTER</entry><entry><literal>ConcurrentSessionFilter</literal>
                 </entry><entry><literal>session-management/concurrency-control</literal></entry></row><row><entry>
-                  SECURITY_CONTEXT_FILTER</entry><entry><classname>SecurityContextPersistenceFilter</classname></entry><entry><literal>http</literal></entry></row><row><entry>
                   LOGOUT_FILTER
                     </entry><entry><literal>LogoutFilter</literal></entry><entry><literal>http/logout</literal></entry></row><row><entry>
                   X509_FILTER
diff --git a/docs/manual/src/docbook/security-filter-chain.xml b/docs/manual/src/docbook/security-filter-chain.xml
index 67d5e36e6b..3950c75e00 100644
--- a/docs/manual/src/docbook/security-filter-chain.xml
+++ b/docs/manual/src/docbook/security-filter-chain.xml
@@ -132,16 +132,19 @@
       filters you are actually using, the order should be as follows:
               <orderedlist><listitem><para><classname>ChannelProcessingFilter</classname>, because
             it might need to redirect to a different
-              protocol</para></listitem><listitem><para><classname>ConcurrentSessionFilter</classname>,
-            because it doesn't use any <classname>SecurityContextHolder</classname> functionality
-            but needs to update the <interfacename>SessionRegistry</interfacename> to reflect
-            ongoing requests from the
-              principal</para></listitem><listitem><para><classname>SecurityContextPersistenceFilter</classname>,
+              protocol</para></listitem><listitem><para><classname>SecurityContextPersistenceFilter</classname>,
             so a <interfacename>SecurityContext</interfacename> can be set up in the
               <classname>SecurityContextHolder</classname> at the beginning of a web request, and
             any changes to the <interfacename>SecurityContext</interfacename> can be copied to the
               <literal>HttpSession</literal> when the web request ends (ready for use with the next
-            web request)</para></listitem><listitem><para>Authentication processing mechanisms -
+            web request)</para></listitem>
+            <listitem>
+                <para><classname>ConcurrentSessionFilter</classname>, because it uses the
+                    <classname>SecurityContextHolder</classname> functionality but needs to update
+                    the <interfacename>SessionRegistry</interfacename> to reflect ongoing requests
+                    from the principal</para>
+            </listitem>
+            <listitem><para>Authentication processing mechanisms -
               <classname>UsernamePasswordAuthenticationFilter</classname>,
               <classname>CasAuthenticationFilter</classname>,
               <classname>BasicAuthenticationFilter</classname> etc - so that the