HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection.

This commit is contained in:
Ben Alex 2005-03-18 00:50:12 +00:00
parent 8592e3bcbf
commit a056946c49
2 changed files with 24 additions and 6 deletions


@ -76,13 +76,13 @@ import javax.servlet.http.HttpSession;
* similar clients that will never present the same <code>jsessionid</code> * similar clients that will never present the same <code>jsessionid</code>
* etc), the {@link #setAllowSessionCreation(boolean)} should be set to * etc), the {@link #setAllowSessionCreation(boolean)} should be set to
* <code>false</code>. Only do this if you really need to conserve server * <code>false</code>. Only do this if you really need to conserve server
* memory and ensure all classes using the <code>ContextHolder</code> * memory and ensure all classes using the <code>ContextHolder</code> are
* are designed to have no persistence of the <code>Context</code> between web * designed to have no persistence of the <code>Context</code> between web
* requests. * requests.
* </p> * </p>
* *
* <p> * <p>
* This filter MUST be executed BEFORE any authentication processing mechanisms. * This filter MUST be executed BEFORE any authentication procesing mechanisms.
* Authentication processing mechanisms (eg BASIC, CAS processing filters etc) * Authentication processing mechanisms (eg BASIC, CAS processing filters etc)
* expect the <code>ContextHolder</code> to contain a valid * expect the <code>ContextHolder</code> to contain a valid
* <code>SecureContext</code> by the time they execute. * <code>SecureContext</code> by the time they execute.
@ -166,12 +166,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
} }
HttpSession httpSession = null; HttpSession httpSession = null;
boolean httpSessionExistedAtStartOfRequest = false;
try { try {
httpSession = ((HttpServletRequest) request).getSession(false); httpSession = ((HttpServletRequest) request).getSession(false);
} catch (IllegalStateException ignored) {} } catch (IllegalStateException ignored) {}
if (httpSession != null) { if (httpSession != null) {
httpSessionExistedAtStartOfRequest = true;
Object contextObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY); Object contextObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);
if (contextObject != null) { if (contextObject != null) {
@ -213,6 +216,11 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
} }
} }
// Make the HttpSession null, as we want to ensure we don't keep
// a reference to the HttpSession laying around in case the
// chain.doFilter() invalidates it.
httpSession = null;
// Proceed with chain // Proceed with chain
chain.doFilter(request, response); chain.doFilter(request, response);
@ -221,8 +229,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
httpSession = ((HttpServletRequest) request).getSession(false); httpSession = ((HttpServletRequest) request).getSession(false);
} catch (IllegalStateException ignored) {} } catch (IllegalStateException ignored) {}
if ((httpSession == null) && httpSessionExistedAtStartOfRequest) {
if (logger.isDebugEnabled()) {
logger.debug(
"HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session");
}
}
// Generate a HttpSession only if we need to // Generate a HttpSession only if we need to
if (httpSession == null) { if ((httpSession == null) && !httpSessionExistedAtStartOfRequest) {
if (!allowSessionCreation) { if (!allowSessionCreation) {
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug( logger.debug(
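Review bot: The new `if ((httpSession == null) && httpSessionExistedAtStartOfRequest)` branch only logs and then skips session creation, so the post-chain code that writes the ContextHolder's Context back into the session (outside this hunk) must also tolerate a null httpSession and still clear the ContextHolder before the worker thread is reused; please confirm that path, because a stale Context left on the thread-local after a logout-style invalidation would survive into the next request served by that thread. The two consecutive null checks could be folded into a single `if (httpSession == null)` whose first branch handles the invalidated-session case, which reads more clearly than the negated flag on the second condition, with a comment such as `// Session existed at start but is gone now: the chain invalidated it (eg logout), so never recreate it here`. The enclosing method starts and ends outside the hunk. Separately, the reflowed Javadoc in the first hunk introduces a typo: `procesing` should read `processing`.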


@ -26,11 +26,14 @@
</properties> </properties>
<body> <body>
<release version="0.8.1" date="In CVS"> <release version="0.8.1" date="In CVS">
<action dev="benalex" type="add">X509 (certificate-based) authentication support</action>
<action dev="benalex" type="update">ContextHolderAwareRequestWrapper methods returns null if user is anonymous</action>
<action dev="benalex" type="update">AbstractBasicAclEntry improved compatibility with Hibernate</action>
<action dev="benalex" type="fix">SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint</action> <action dev="benalex" type="fix">SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint</action>
<action dev="benalex" type="fix">FilterChainProxy now supports replacement of ServletRequest and ServetResponse by Filter beans</action> <action dev="benalex" type="fix">FilterChainProxy now supports replacement of ServletRequest and ServetResponse by Filter beans</action>
<action dev="benalex" type="fix">Corrected Authz parsing of whitespace in GrantedAuthoritys</action> <action dev="benalex" type="fix">Corrected Authz parsing of whitespace in GrantedAuthoritys</action>
<action dev="benalex" type="update">ContextHolderAwareRequestWrapper methods returns null if user is anonymous</action> <action dev="benalex" type="fix">TokenBasedRememberMeServices now respects expired users, expired credentials and disabled users</action>
<action dev="benalex" type="update">AbstractBasicAclEntry improved compatibility with Hibernate</action> <action dev="benalex" type="fix">HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection</action>
</release> </release>
<release version="0.8.0" date="2005-03-03"> <release version="0.8.0" date="2005-03-03">
<action dev="benalex" type="add">Added Digest Authentication support (RFC 2617 and RFC 2069)</action> <action dev="benalex" type="add">Added Digest Authentication support (RFC 2617 and RFC 2069)</action>