Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-1968: AbstractPreAuthenticatedProcessingFilter clears SecurityContext on null principal change with invalidateSessionOnPrincipalChange = true

This commit is contained in:
Rob Winch 2012-06-27 15:12:48 -05:00
parent e1068b84ea
commit b6ec700640
2 changed files with 37 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
View File

@ -143,6 +143,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated"); logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
if (invalidateSessionOnPrincipalChange) { if (invalidateSessionOnPrincipalChange) {
SecurityContextHolder.clearContext();
HttpSession session = request.getSession(false); HttpSession session = request.getSession(false);
if (session != null) { if (session != null) {

37
web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java
View File

@ -7,6 +7,7 @@ import static org.mockito.Mockito.*;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.junit.After;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mockito.invocation.InvocationOnMock; import org.mockito.invocation.InvocationOnMock;
@ -16,6 +17,7 @@ import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
@ -33,7 +35,12 @@ public class AbstractPreAuthenticatedProcessingFilterTests {
return "doesntmatter"; return "doesntmatter";
} }
}; };
SecurityContextHolder.getContext().setAuthentication(null); SecurityContextHolder.clearContext();
}
@After
public void tearDown() {
SecurityContextHolder.clearContext();
} }
@Test @Test
@ -80,6 +87,31 @@ public class AbstractPreAuthenticatedProcessingFilterTests {
testDoFilter(false); testDoFilter(false);
} }
// SEC-1968
@Test
public void nullPreAuthenticationClearsPreviousUser() throws Exception {
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("oldUser", "pass","ROLE_USER"));
ConcretePreAuthenticatedProcessingFilter filter = new ConcretePreAuthenticatedProcessingFilter();
filter.principal = null;
filter.setCheckForPrincipalChanges(true);
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
assertEquals(null, SecurityContextHolder.getContext().getAuthentication());
}
@Test
public void nullPreAuthenticationPerservesPreviousUserCheckPrincipalChangesFalse() throws Exception {
TestingAuthenticationToken authentication = new TestingAuthenticationToken("oldUser", "pass","ROLE_USER");
SecurityContextHolder.getContext().setAuthentication(authentication);
ConcretePreAuthenticatedProcessingFilter filter = new ConcretePreAuthenticatedProcessingFilter();
filter.principal = null;
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
assertEquals(authentication, SecurityContextHolder.getContext().getAuthentication());
}
private void testDoFilter(boolean grantAccess) throws Exception { private void testDoFilter(boolean grantAccess) throws Exception {
MockHttpServletRequest req = new MockHttpServletRequest(); MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse(); MockHttpServletResponse res = new MockHttpServletResponse();
@ -107,8 +139,9 @@ public class AbstractPreAuthenticatedProcessingFilterTests {
} }
private static class ConcretePreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter { private static class ConcretePreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {
private String principal = "testPrincipal";
protected Object getPreAuthenticatedPrincipal(HttpServletRequest httpRequest) { protected Object getPreAuthenticatedPrincipal(HttpServletRequest httpRequest) {
return "testPrincipal"; return principal;
} }
protected Object getPreAuthenticatedCredentials(HttpServletRequest httpRequest) { protected Object getPreAuthenticatedCredentials(HttpServletRequest httpRequest) {
return "testCredentials"; return "testCredentials";