SEC-3070: Logout invalidate-session=false and Spring Session doesn't

work
2015-10-20 14:58:57 -05:00 · 2015-10-20 14:58:57 -05:00 · cda6532c43
parent 3925ed90c4
commit cda6532c43
2 changed files with 20 additions and 2 deletions
--- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@ -337,7 +337,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 					logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
 				}

-				if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
+				if (httpSession != null && authBeforeExecution != null) {
 					// SEC-1587 A non-anonymous context may still be in the session
 					// SEC-1735 remove if the contextBeforeExecution was not anonymous
 					httpSession.removeAttribute(springSecurityContextKey);
--- a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
@ -501,6 +501,24 @@ public class HttpSessionSecurityContextRepositoryTests {
 				request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
 	}

+	// SEC-3070
+	@Test
+	public void logoutInvalidateSessionFalseFails() throws Exception {
+		HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
+		ctxInSession.setAuthentication(testToken);
+		request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
+
+		HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
+		repo.loadContext(holder);
+
+		ctxInSession.setAuthentication(null);
+		repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
+
+		assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
+	}
+
 	@Test
 	@SuppressWarnings("deprecation")
 	public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl()
@ -600,4 +618,4 @@ public class HttpSessionSecurityContextRepositoryTests {

 		repo.saveContext(context, request, response);
 	}
-}
+}