HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection.

core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java

@@ -76,13 +76,13 @@ import javax.servlet.http.HttpSession;
  * similar clients that will never present the same <code>jsessionid</code>
  * etc), the  {@link #setAllowSessionCreation(boolean)} should be set to
  * <code>false</code>. Only do this if you really need to conserve server
- * memory and ensure all classes using the <code>ContextHolder</code>
- * are designed to have no persistence of the <code>Context</code> between web
+ * memory and ensure all classes using the <code>ContextHolder</code> are
+ * designed to have no persistence of the <code>Context</code> between web
  * requests.
  * </p>
  * 
  * <p>
- * This filter MUST be executed BEFORE any authentication processing mechanisms.
+ * This filter MUST be executed BEFORE any authentication procesing mechanisms.
  * Authentication processing mechanisms (eg BASIC, CAS processing filters etc)
  * expect the <code>ContextHolder</code> to contain a valid
  * <code>SecureContext</code> by the time they execute.
@@ -166,12 +166,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
             }
 
             HttpSession httpSession = null;
+            boolean httpSessionExistedAtStartOfRequest = false;
 
             try {
                 httpSession = ((HttpServletRequest) request).getSession(false);
             } catch (IllegalStateException ignored) {}
 
             if (httpSession != null) {
+                httpSessionExistedAtStartOfRequest = true;
+
                 Object contextObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);
 
                 if (contextObject != null) {
@@ -213,6 +216,11 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
                 }
             }
 
+            // Make the HttpSession null, as we want to ensure we don't keep
+            // a reference to the HttpSession laying around in case the
+            // chain.doFilter() invalidates it.
+            httpSession = null;
+
             // Proceed with chain
             chain.doFilter(request, response);
 
@@ -221,8 +229,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
                 httpSession = ((HttpServletRequest) request).getSession(false);
             } catch (IllegalStateException ignored) {}
 
+            if ((httpSession == null) && httpSessionExistedAtStartOfRequest) {
+                if (logger.isDebugEnabled()) {
+                    logger.debug(
+                        "HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session");
+                }
+            }
+
             // Generate a HttpSession only if we need to
-            if (httpSession == null) {
+            if ((httpSession == null) && !httpSessionExistedAtStartOfRequest) {
                 if (!allowSessionCreation) {
                     if (logger.isDebugEnabled()) {
                         logger.debug(

doc/xdocs/changes.xml

@@ -26,11 +26,14 @@
   </properties>
   <body>
     <release version="0.8.1" date="In CVS">
+      <action dev="benalex" type="add">X509 (certificate-based) authentication support</action>
+      <action dev="benalex" type="update">ContextHolderAwareRequestWrapper methods returns null if user is anonymous</action>
+      <action dev="benalex" type="update">AbstractBasicAclEntry improved compatibility with Hibernate</action>
       <action dev="benalex" type="fix">SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint</action>
       <action dev="benalex" type="fix">FilterChainProxy now supports replacement of ServletRequest and ServetResponse by Filter beans</action>
       <action dev="benalex" type="fix">Corrected Authz parsing of whitespace in GrantedAuthoritys</action>
-      <action dev="benalex" type="update">ContextHolderAwareRequestWrapper methods returns null if user is anonymous</action>
-      <action dev="benalex" type="update">AbstractBasicAclEntry improved compatibility with Hibernate</action>
+      <action dev="benalex" type="fix">TokenBasedRememberMeServices now respects expired users, expired credentials and disabled users</action>
+      <action dev="benalex" type="fix">HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection</action>
     </release>
     <release version="0.8.0" date="2005-03-03">
       <action dev="benalex" type="add">Added Digest Authentication support (RFC 2617 and RFC 2069)</action>