SEC-1587: Add explicit call to removeAttribute() to remove the context from the session if the current context is empty or anonymous.

Allows for the situation where a user is logged out without invalidating the session.
Luke Taylor 2010-11-10 13:01:49 +00:00
parent e88f47a96a
commit 82d105cbc3


@ -10,6 +10,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
@ -328,16 +329,22 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
*/
@Override
protected void saveContext(SecurityContext context) {
final Authentication authentication = context.getAuthentication();
HttpSession httpSession = request.getSession(false);
// See SEC-776
if (authenticationTrustResolver.isAnonymous(context.getAuthentication())) {
if (authentication == null || authenticationTrustResolver.isAnonymous(authentication)) {
if (logger.isDebugEnabled()) {
logger.debug("SecurityContext contents are anonymous - context will not be stored in HttpSession. ");
logger.debug("SecurityContext is empty or anonymous - context will not be stored in HttpSession. ");
}
if (httpSession != null) {
// SEC-1587 A non-anonymous context may still be in the session
httpSession.removeAttribute(SPRING_SECURITY_CONTEXT_KEY);
}
return;
}
HttpSession httpSession = request.getSession(false);
if (httpSession == null) {
httpSession = createNewSessionIfAllowed(context);
}