SEC-539: Extracted populateSecurityContextFromSession() method.

Luke Taylor 2007-08-28 19:16:37 +00:00
parent 6651a240de
commit bcf69cbe3d
1 changed files with 68 additions and 59 deletions


@ -200,7 +200,6 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
} }
HttpSession httpSession = null; HttpSession httpSession = null;
boolean httpSessionExistedAtStartOfRequest = false;
try { try {
httpSession = ((HttpServletRequest) request).getSession(forceEagerSessionCreation); httpSession = ((HttpServletRequest) request).getSession(forceEagerSessionCreation);
@ -208,64 +207,9 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
catch (IllegalStateException ignored) { catch (IllegalStateException ignored) {
} }
if (httpSession != null) { boolean httpSessionExistedAtStartOfRequest = httpSession != null;
httpSessionExistedAtStartOfRequest = true;
Object contextFromSessionObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY); populateSecurityContextFromSession(httpSession);
if (contextFromSessionObject != null) {
// Clone if required (see SEC-356)
if (cloneFromHttpSession) {
Assert.isInstanceOf(Cloneable.class, contextFromSessionObject,
"Context must implement Clonable and provide a Object.clone() method");
try {
Method m = contextFromSessionObject.getClass().getMethod("clone", new Class[]{});
if (!m.isAccessible()) {
m.setAccessible(true);
}
contextFromSessionObject = m.invoke(contextFromSessionObject, new Object[]{});
}
catch (Exception ex) {
ReflectionUtils.handleReflectionException(ex);
}
}
if (contextFromSessionObject instanceof SecurityContext) {
if (logger.isDebugEnabled()) {
logger.debug("Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and "
+ "set to SecurityContextHolder: '" + contextFromSessionObject + "'");
}
SecurityContextHolder.setContext((SecurityContext) contextFromSessionObject);
} else {
if (logger.isWarnEnabled()) {
logger
.warn("ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
+ contextFromSessionObject
+ "'; are you improperly modifying the HttpSession directly "
+ "(you should always use SecurityContextHolder) or using the HttpSession attribute "
+ "reserved for this class? - new SecurityContext instance associated with "
+ "SecurityContextHolder");
}
SecurityContextHolder.setContext(generateNewContext());
}
} else {
if (logger.isDebugEnabled()) {
logger.debug("HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new "
+ "SecurityContext instance associated with SecurityContextHolder");
}
SecurityContextHolder.setContext(generateNewContext());
}
} else {
if (logger.isDebugEnabled()) {
logger.debug("No HttpSession currently exists - new SecurityContext instance "
+ "associated with SecurityContextHolder");
}
SecurityContextHolder.setContext(generateNewContext());
}
// Make the HttpSession null, as we want to ensure we don't keep // Make the HttpSession null, as we want to ensure we don't keep
// a reference to the HttpSession laying around in case the // a reference to the HttpSession laying around in case the
@ -358,6 +302,71 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
} }
} }
/**
* Extracts the security context from the session (if available) and sets it on SecurityContextHolder.
*
* @param httpSession the session obtained from the request.
*/
private void populateSecurityContextFromSession(HttpSession httpSession) throws ServletException {
if (httpSession != null) {
Object contextFromSessionObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);
if (contextFromSessionObject != null) {
// Clone if required (see SEC-356)
if (cloneFromHttpSession) {
Assert.isInstanceOf(Cloneable.class, contextFromSessionObject,
"Context must implement Clonable and provide a Object.clone() method");
try {
Method m = contextFromSessionObject.getClass().getMethod("clone", new Class[]{});
if (!m.isAccessible()) {
m.setAccessible(true);
}
contextFromSessionObject = m.invoke(contextFromSessionObject, new Object[]{});
}
catch (Exception ex) {
ReflectionUtils.handleReflectionException(ex);
}
}
if (contextFromSessionObject instanceof SecurityContext) {
if (logger.isDebugEnabled()) {
logger.debug("Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and "
+ "set to SecurityContextHolder: '" + contextFromSessionObject + "'");
}
SecurityContextHolder.setContext((SecurityContext) contextFromSessionObject);
} else {
if (logger.isWarnEnabled()) {
logger
.warn("ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
+ contextFromSessionObject
+ "'; are you improperly modifying the HttpSession directly "
+ "(you should always use SecurityContextHolder) or using the HttpSession attribute "
+ "reserved for this class? - new SecurityContext instance associated with "
+ "SecurityContextHolder");
}
SecurityContextHolder.setContext(generateNewContext());
}
} else {
if (logger.isDebugEnabled()) {
logger.debug("HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new "
+ "SecurityContext instance associated with SecurityContextHolder");
}
SecurityContextHolder.setContext(generateNewContext());
}
} else {
if (logger.isDebugEnabled()) {
logger.debug("No HttpSession currently exists - new SecurityContext instance "
+ "associated with SecurityContextHolder");
}
SecurityContextHolder.setContext(generateNewContext());
}
}
public SecurityContext generateNewContext() throws ServletException { public SecurityContext generateNewContext() throws ServletException {
try { try {
return (SecurityContext) this.context.newInstance(); return (SecurityContext) this.context.newInstance();
@ -401,5 +410,5 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
public void setForceEagerSessionCreation(boolean forceEagerSessionCreation) { public void setForceEagerSessionCreation(boolean forceEagerSessionCreation) {
this.forceEagerSessionCreation = forceEagerSessionCreation; this.forceEagerSessionCreation = forceEagerSessionCreation;
} }
} }
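Review bot: The Javadoc on the new populateSecurityContextFromSession() method undersells its contract: the method always leaves a context on SecurityContextHolder, installing a fresh one via generateNewContext() when the session is null, has no ACEGI_SECURITY_CONTEXT_KEY attribute, or holds an object that is not a SecurityContext, and the "@param httpSession" text does not say that null is accepted even though the first branch tests for it. The summary sentence should state that fallback behaviour, the parameter line should read `@param httpSession the session obtained from the request, or null if none exists`, and the signature's checked exception needs `@throws ServletException if a new SecurityContext instance cannot be created`. It is also worth a one-line comment on the clone branch noting that getMethod("clone") only finds a public override, so a Cloneable context without one fails inside ReflectionUtils.handleReflectionException rather than at the Assert.isInstanceOf check. The doFilter hunk at -200/-208 shows only a fragment of its enclosing method, which starts and ends outside the visible hunks.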