From 89c5c56849f9d94ae0ca25f55c7f1a68d7497a48 Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@gopivotal.com>
Date: Tue, 22 Jul 2014 09:19:50 -0500
Subject: [PATCH] SEC-2599: HttpSessionEventPublisher get required
 ApplicationContext

In order to get better error messages (avoid NullPointerException) the
HttpSessionEventPublisher now gets the required ApplicationContext which
throws an IllegalStateException with a good error message.
---
 .../session/HttpSessionEventPublisher.java    |  2 +-
 .../HttpSessionEventPublisherTests.java       | 22 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/session/HttpSessionEventPublisher.java b/web/src/main/java/org/springframework/security/web/session/HttpSessionEventPublisher.java
index 5370da2ffc..fddd54f808 100644
--- a/web/src/main/java/org/springframework/security/web/session/HttpSessionEventPublisher.java
+++ b/web/src/main/java/org/springframework/security/web/session/HttpSessionEventPublisher.java
@@ -49,7 +49,7 @@ public class HttpSessionEventPublisher implements HttpSessionListener {
     //~ Methods ========================================================================================================
 
     ApplicationContext getContext(ServletContext servletContext) {
-        return WebApplicationContextUtils.getWebApplicationContext(servletContext);
+        return WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
     }
 
     /**
diff --git a/web/src/test/java/org/springframework/security/web/session/HttpSessionEventPublisherTests.java b/web/src/test/java/org/springframework/security/web/session/HttpSessionEventPublisherTests.java
index ff0a4ae2dc..2509473096 100644
--- a/web/src/test/java/org/springframework/security/web/session/HttpSessionEventPublisherTests.java
+++ b/web/src/test/java/org/springframework/security/web/session/HttpSessionEventPublisherTests.java
@@ -69,4 +69,26 @@ public class HttpSessionEventPublisherTests {
         assertNull(listener.getCreatedEvent());
         assertEquals(session, listener.getDestroyedEvent().getSession());
     }
+
+    // SEC-2599
+    @Test(expected=IllegalStateException.class)
+    public void sessionCreatedNullApplicationContext() {
+        HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
+        MockServletContext servletContext = new MockServletContext();
+        MockHttpSession session = new MockHttpSession(servletContext);
+        HttpSessionEvent event = new HttpSessionEvent(session);
+
+        publisher.sessionCreated(event);
+    }
+
+    // SEC-2599
+    @Test(expected=IllegalStateException.class)
+    public void sessionDestroyedNullApplicationContext() {
+        HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
+        MockServletContext servletContext = new MockServletContext();
+        MockHttpSession session = new MockHttpSession(servletContext);
+        HttpSessionEvent event = new HttpSessionEvent(session);
+
+        publisher.sessionDestroyed(event);
+    }
 }