SEC-539: Refactored populateSecurityContextFromSession() to reduce nested blocks and clarify logic.

2007-08-28 20:16:19 +00:00 · 2007-08-28 20:16:19 +00:00 · ba88214d1d
parent 27ef2caf45
commit ba88214d1d
1 changed files with 60 additions and 50 deletions
--- a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
+++ b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
@ -246,15 +246,41 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi

    /**
     * Extracts the security context from the session (if available) and sets it on SecurityContextHolder.
+     * <p/>
+     * If the session is null, the context object is null or the context object stored in the session
+     * is not an instance of SecurityContext it will generate a new empty context and store this.
     *
     * @param httpSession the session obtained from the request.
     */
    private void populateSecurityContextFromSession(HttpSession httpSession) throws ServletException {
-        if (httpSession != null) {
+        if (httpSession == null) {
+            if (logger.isDebugEnabled()) {
+                logger.debug("No HttpSession currently exists - new SecurityContext instance "
+                        + "associated with SecurityContextHolder");
+            }
+
+            SecurityContextHolder.setContext(generateNewContext());
+
+            return;
+        }
+
+        // Session exists, so try to obtain a context from it.

        Object contextFromSessionObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);

-            if (contextFromSessionObject != null) {
+        if (contextFromSessionObject == null) {
+            if (logger.isDebugEnabled()) {
+                logger.debug("HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new "
+                        + "SecurityContext instance associated with SecurityContextHolder");
+            }
+
+            SecurityContextHolder.setContext(generateNewContext());
+
+            return;
+        }
+
+        // We now have the security context object from the session.
+
        // Clone if required (see SEC-356)
        if (cloneFromHttpSession) {
            Assert.isInstanceOf(Cloneable.class, contextFromSessionObject,
@ -289,22 +315,6 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
                                + "SecurityContextHolder");
            }

-                    SecurityContextHolder.setContext(generateNewContext());
-                }
-            } else {
-                if (logger.isDebugEnabled()) {
-                    logger.debug("HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new "
-                            + "SecurityContext instance associated with SecurityContextHolder");
-                }
-
-                SecurityContextHolder.setContext(generateNewContext());
-            }
-        } else {
-            if (logger.isDebugEnabled()) {
-                logger.debug("No HttpSession currently exists - new SecurityContext instance "
-                        + "associated with SecurityContextHolder");
-            }
-
            SecurityContextHolder.setContext(generateNewContext());
        }
    }