
SEC-1241: Make sure saved request is removed after a match.

Luke Taylor hace 16 años
padre
commit
ac4e7bbadb

+ 2 - 0
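--- a/web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java
@@ -71,6 +71,8 @@ public class HttpSessionRequestCache implements RequestCache {
             return null;
         }
 
+        removeRequest(request, response);
+
         return new SavedRequestAwareWrapper(saved, request);
     }
 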
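Review bot: The new `removeRequest(request, response)` call has no comment explaining why a matched request must be consumed, and the read of `saved` and its removal are two separate steps. I would add `// SEC-1241: a saved request is single-use; drop it from the session so later requests to the same URL are not wrapped with stale method and parameters` above the call. If two requests in the same session reach this point concurrently, both could presumably be wrapped before either removal takes effect. Whether that matters depends on the session lookup earlier in the method, which starts outside the hunk.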

+ 1 - 1
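--- a/web/src/main/java/org/springframework/security/web/savedrequest/RequestCache.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/RequestCache.java
@@ -39,7 +39,7 @@ public interface RequestCache {
     HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response);
 
     /**
-     * Removes and returns the cached request
+     * Removes the cached request
      * @param currentRequest
      */
     void removeRequest(HttpServletRequest request, HttpServletResponse response);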
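Review bot: The Javadoc on `removeRequest` still names `@param currentRequest`, which matches neither `request` nor `response` in the signature. Replace it with `@param request the current request` and `@param response the current response`. This commit also makes the HttpSessionRequestCache implementation of `getMatchingRequest` discard the cached request on a match. That method's Javadoc, which starts above this hunk, should say so, for example `The cached request is removed once it has been matched.`, so that other RequestCache implementations follow the same single-use contract.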

+ 27 - 0
web/src/test/java/org/springframework/security/web/savedrequest/RequestCacheAwareFilterTests.java

@@ -0,0 +1,27 @@
+package org.springframework.security.web.savedrequest;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+
+public class RequestCacheAwareFilterTests {
+
+
+    @Test
+    public void savedRequestIsRemovedAfterMatch() throws Exception {
+        RequestCacheAwareFilter filter = new RequestCacheAwareFilter();
+        HttpSessionRequestCache cache = new HttpSessionRequestCache();
+
+        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/destination");
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        cache.saveRequest(request, response);
+        assertNotNull(request.getSession().getAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY));
+
+        filter.doFilter(request, response, new MockFilterChain());
+        assertNull(request.getSession().getAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY));
+    }
+
+}
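Review bot: `savedRequestIsRemovedAfterMatch` covers only the matching path and uses the same request object for save and lookup, so a regression that clears the saved request on every request would still pass. A companion test should send a different URL in the same session and assert that the attribute is still present. Otherwise an unrelated request arriving before the post-login redirect could silently drop the user's original destination. The sketch below assumes the matcher compares the request URL, which is not visible on this page. It would also help to assert in the existing test that `MockFilterChain.getRequest()` is the wrapper rather than the raw request.

```java
    // … unchanged: savedRequestIsRemovedAfterMatch …

    @Test
    public void savedRequestIsKeptWhenRequestDoesNotMatch() throws Exception {
        RequestCacheAwareFilter filter = new RequestCacheAwareFilter();
        HttpSessionRequestCache cache = new HttpSessionRequestCache();

        MockHttpServletRequest saved = new MockHttpServletRequest("POST", "/destination");
        cache.saveRequest(saved, new MockHttpServletResponse());

        // Different URL, same session: the cached request must survive.
        MockHttpServletRequest other = new MockHttpServletRequest("GET", "/other");
        other.setSession(saved.getSession());
        filter.doFilter(other, new MockHttpServletResponse(), new MockFilterChain());

        assertNotNull(other.getSession().getAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY));
    }
```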