SEC-112: Bug when SecurityEnforcementFilter used with disabled Authentication and remember-me services.

2005-11-25 04:38:18 +00:00 · 2005-11-25 04:38:18 +00:00 · 9ccaf05cc7
parent 47166fe078
commit 9ccaf05cc7
1 changed files with 4 additions and 0 deletions
--- a/core/src/main/java/org/acegisecurity/intercept/web/SecurityEnforcementFilter.java
+++ b/core/src/main/java/org/acegisecurity/intercept/web/SecurityEnforcementFilter.java
@ -278,6 +278,10 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
            ((HttpServletRequest) request).getSession().setAttribute(AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY,
                targetUrl);
        }
+        
+        // SEC-112: Clear the SecurityContextHolder's Authentication, as the
+        // existing Authentication is no longer considered valid
+        SecurityContextHolder.getContext().setAuthentication(null);

        authenticationEntryPoint.commence(request,
            (HttpServletResponse) fi.getResponse(), reason);