Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-10 04:13:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-1315: Modify HttpSessionSecurityContextRepository to check for anonymous token before creating a session. Moved the anonymity check to be before the session creation.

Browse Source
This commit is contained in:
Luke Taylor 2009-12-06 15:28:03 +00:00
parent aee6b8f3f9
commit b27d7afd24
2 changed files with 28 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
View File

@ -325,6 +325,14 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
*/ */
@Override @Override
void saveContext(SecurityContext context) { void saveContext(SecurityContext context) {
// See SEC-776
if (authenticationTrustResolver.isAnonymous(context.getAuthentication())) {
if (logger.isDebugEnabled()) {
logger.debug("SecurityContext contents are anonymous - context will not be stored in HttpSession. ");
}
return;
}
HttpSession httpSession = request.getSession(false); HttpSession httpSession = request.getSession(false);
if (httpSession == null) { if (httpSession == null) {
@ -334,18 +342,10 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
// If HttpSession exists, store current SecurityContextHolder contents but only if // If HttpSession exists, store current SecurityContextHolder contents but only if
// the SecurityContext has actually changed (see JIRA SEC-37) // the SecurityContext has actually changed (see JIRA SEC-37)
if (httpSession != null && context.hashCode() != contextHashBeforeChainExecution) { if (httpSession != null && context.hashCode() != contextHashBeforeChainExecution) {
// See SEC-776 httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, context);
// TODO: Move this so that a session isn't created if user is anonymous
if (authenticationTrustResolver.isAnonymous(context.getAuthentication())) {
if (logger.isDebugEnabled()) {
logger.debug("SecurityContext contents are anonymous - context will not be stored in HttpSession. ");
}
} else {
httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, context);
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("SecurityContext stored to HttpSession: '" + context + "'"); logger.debug("SecurityContext stored to HttpSession: '" + context + "'");
}
} }
} }
} }
@ -374,7 +374,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
if (contextObject.equals(context)) { if (contextObject.equals(context)) {
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("HttpSession is null, but SecurityContext has not changed from default: ' " logger.debug("HttpSession is null, but SecurityContext has not changed from default empty context: ' "
+ context + context
+ "'; not creating HttpSession or storing SecurityContext"); + "'; not creating HttpSession or storing SecurityContext");
} }

16
web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
View File

@ -5,8 +5,10 @@ import static org.junit.Assert.*;
import org.junit.Test; import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder; import org.springframework.security.web.context.HttpRequestResponseHolder;
@ -146,6 +148,20 @@ public class HttpSessionSecurityContextRepositoryTests {
assertNull(request.getSession(false)); assertNull(request.getSession(false));
} }
// SEC-1315
@Test
public void noSessionIsCreatedIfAnonymousTokenIsUsed() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContextHolder.setContext(repo.loadContext(holder));
SecurityContextHolder.getContext().setAuthentication(
new AnonymousAuthenticationToken("key", "anon", AuthorityUtils.createAuthorityList("ANON")));
repo.saveContext(SecurityContextHolder.getContext(), holder.getRequest(), holder.getResponse());
assertNull(request.getSession(false));
}
@Test @Test
@Deprecated @Deprecated
public void settingCloneFromContextLoadsClonedContextObject() throws Exception { public void settingCloneFromContextLoadsClonedContextObject() throws Exception {