Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-25 05:22:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Optimize HttpSessionSecurityContextRepository

Browse Source 
Closes gh-9387
This commit is contained in:
Rob Winch 2021-01-22 16:43:14 -06:00 committed by Josh Cummings
parent 357446ba9d
commit c72a6fac04
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
View File

@ -136,12 +136,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
SaveContextOnUpdateOrErrorResponseWrapper.class); SaveContextOnUpdateOrErrorResponseWrapper.class);
Assert.state(responseWrapper != null, () -> "Cannot invoke saveContext on response " + response Assert.state(responseWrapper != null, () -> "Cannot invoke saveContext on response " + response
+ ". You must use the HttpRequestResponseHolder.response after invoking loadContext"); + ". You must use the HttpRequestResponseHolder.response after invoking loadContext");
// saveContext() might already be called by the response wrapper if something in responseWrapper.saveContext(context);
// the chain called sendError() or sendRedirect(). This ensures we only call it
// once per request.
if (!responseWrapper.isContextSaved()) {
responseWrapper.saveContext(context);
}
} }
@Override @Override
@ -296,6 +291,8 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
private final Authentication authBeforeExecution; private final Authentication authBeforeExecution;
private boolean isSaveContextInvoked;
/** /**
* Takes the parameters required to call <code>saveContext()</code> successfully * Takes the parameters required to call <code>saveContext()</code> successfully
* in addition to the request and the response object we are wrapping. * in addition to the request and the response object we are wrapping.
@ -339,6 +336,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
// SEC-1587 A non-anonymous context may still be in the session // SEC-1587 A non-anonymous context may still be in the session
// SEC-1735 remove if the contextBeforeExecution was not anonymous // SEC-1735 remove if the contextBeforeExecution was not anonymous
httpSession.removeAttribute(springSecurityContextKey); httpSession.removeAttribute(springSecurityContextKey);
this.isSaveContextInvoked = true;
} }
if (this.logger.isDebugEnabled()) { if (this.logger.isDebugEnabled()) {
if (authentication == null) { if (authentication == null) {
@ -358,6 +356,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
// is set SEC-1561 // is set SEC-1561
if (contextChanged(context) || httpSession.getAttribute(springSecurityContextKey) == null) { if (contextChanged(context) || httpSession.getAttribute(springSecurityContextKey) == null) {
httpSession.setAttribute(springSecurityContextKey, context); httpSession.setAttribute(springSecurityContextKey, context);
this.isSaveContextInvoked = true;
if (this.logger.isDebugEnabled()) { if (this.logger.isDebugEnabled()) {
this.logger.debug(LogMessage.format("Stored %s to HttpSession [%s]", context, httpSession)); this.logger.debug(LogMessage.format("Stored %s to HttpSession [%s]", context, httpSession));
} }
@ -366,7 +365,8 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
} }
private boolean contextChanged(SecurityContext context) { private boolean contextChanged(SecurityContext context) {
return context != this.contextBeforeExecution || context.getAuthentication() != this.authBeforeExecution; return this.isSaveContextInvoked || context != this.contextBeforeExecution
|| context.getAuthentication() != this.authBeforeExecution;
} }
private HttpSession createNewSessionIfAllowed(SecurityContext context) { private HttpSession createNewSessionIfAllowed(SecurityContext context) {