SEC-1190: Added "invalidateSessionOnPrincipalChange" property to AbstactPreAuthenticatedProcessingFilter. If set to true (the default) and a new principal is detected, the existing session will be invalidated before proceeding to authenticate the user.

2009-09-01 00:18:48 +00:00 · 2009-09-01 00:18:48 +00:00 · b2c2b93545
parent 3cc47c9c4d
commit b2c2b93545
1 changed files with 22 additions and 0 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
@ -8,6 +8,7 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;

 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.ApplicationEventPublisher;
@ -51,6 +52,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi

    private boolean checkForPrincipalChanges;

+    private boolean invalidateSessionOnPrincipalChange = true;
+
    /**
     * Check whether all required properties have been set.
     */
@ -123,6 +126,15 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
                !currentUser.getName().equals(principal)) {
            logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");

+            if (invalidateSessionOnPrincipalChange) {
+                HttpSession session = request.getSession(false);
+
+                if (session != null) {
+                    logger.debug("Invalidating existing session");
+                    session.invalidate();
+                }
+            }
+
            return true;
        }

@ -197,6 +209,16 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
        this.checkForPrincipalChanges = checkForPrincipalChanges;
    }

+    /**
+     * If <tt>checkForPrincipalChanges</tt> is set, and a change of principal is detected, determines whether
+     * any existing session should be invalidated before proceeding to authenticate the new principal.
+     *
+     * @param invalidateSessionOnPrincipalChange <tt>false</tt> to retain the existing session. Defaults to <tt>true</tt>.
+     */
+    public void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange) {
+        this.invalidateSessionOnPrincipalChange = invalidateSessionOnPrincipalChange;
+    }
+
    /**
     * Override to extract the principal information from the current request
     */