Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-1190: Added "invalidateSessionOnPrincipalChange" property to AbstactPreAuthenticatedProcessingFilter. If set to true (the default) and a new principal is detected, the existing session will be invalidated before proceeding to authenticate the user.

This commit is contained in:
Luke Taylor 2009-09-01 00:18:48 +00:00
parent 3cc47c9c4d
commit b2c2b93545
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
View File

@ -8,6 +8,7 @@ import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse; import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.InitializingBean; import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEventPublisher; import org.springframework.context.ApplicationEventPublisher;
@ -51,6 +52,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
private boolean checkForPrincipalChanges; private boolean checkForPrincipalChanges;
private boolean invalidateSessionOnPrincipalChange = true;
/** /**
* Check whether all required properties have been set. * Check whether all required properties have been set.
*/ */
@ -123,6 +126,15 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
!currentUser.getName().equals(principal)) { !currentUser.getName().equals(principal)) {
logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated"); logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
if (invalidateSessionOnPrincipalChange) {
HttpSession session = request.getSession(false);
if (session != null) {
logger.debug("Invalidating existing session");
session.invalidate();
}
}
return true; return true;
} }
@ -197,6 +209,16 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
this.checkForPrincipalChanges = checkForPrincipalChanges; this.checkForPrincipalChanges = checkForPrincipalChanges;
} }
/**
* If <tt>checkForPrincipalChanges</tt> is set, and a change of principal is detected, determines whether
* any existing session should be invalidated before proceeding to authenticate the new principal.
*
* @param invalidateSessionOnPrincipalChange <tt>false</tt> to retain the existing session. Defaults to <tt>true</tt>.
*/
public void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange) {
this.invalidateSessionOnPrincipalChange = invalidateSessionOnPrincipalChange;
}
/** /**
* Override to extract the principal information from the current request * Override to extract the principal information from the current request
*/ */