diff --git a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
index 1e2cbaa739..c8412df1be 100644
--- a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
+++ b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
@@ -209,7 +209,23 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
boolean httpSessionExistedAtStartOfRequest = httpSession != null;
- populateSecurityContextFromSession(httpSession);
+ SecurityContext contextFromSession = extractSecurityContextFromSession(httpSession);
+
+ // This is the only block in this class in which SecurityContextHolder.setContext() is called
+ if (contextFromSession != null) {
+ SecurityContextHolder.setContext(contextFromSession);
+
+ if (logger.isDebugEnabled()) {
+ logger.debug("Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT and "
+ + "set to SecurityContextHolder: '" + contextFromSession + "'");
+ }
+ } else {
+ SecurityContextHolder.setContext(generateNewContext());
+
+ if (logger.isDebugEnabled()) {
+ logger.debug("New SecurityContext instance associated with SecurityContextHolder");
+ }
+ }
// Make the HttpSession null, as we want to ensure we don't keep
// a reference to the HttpSession laying around in case the
@@ -217,7 +233,7 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
httpSession = null;
// Proceed with chain
- int contextWhenChainProceeded = SecurityContextHolder.getContext().hashCode();
+ int contextHashWhenChainProceeded = SecurityContextHolder.getContext().hashCode();
request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
@@ -231,7 +247,7 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
finally {
// do clean up, even if there was an exception
// Store context back to HttpSession
- storeSecurityContextInSession(request, httpSessionExistedAtStartOfRequest, contextWhenChainProceeded);
+ storeSecurityContextInSession(request, httpSessionExistedAtStartOfRequest, contextHashWhenChainProceeded);
request.removeAttribute(FILTER_APPLIED);
@@ -245,23 +261,23 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
}
/**
- * Extracts the security context from the session (if available) and sets it on SecurityContextHolder.
+ * Extracts the security context from the session (if available) and returns it.
*
* If the session is null, the context object is null or the context object stored in the session
- * is not an instance of SecurityContext it will generate a new empty context and store this.
+ * is not an instance of SecurityContext it will return null.
+ *
+ * If cloneFromHttpSession is set to true, it will attempt to clone the context object
+ * and return the cloned instance.
*
* @param httpSession the session obtained from the request.
*/
- private void populateSecurityContextFromSession(HttpSession httpSession) throws ServletException {
+ private SecurityContext extractSecurityContextFromSession(HttpSession httpSession) {
if (httpSession == null) {
if (logger.isDebugEnabled()) {
- logger.debug("No HttpSession currently exists - new SecurityContext instance "
- + "associated with SecurityContextHolder");
+ logger.debug("No HttpSession currently exists");
}
- SecurityContextHolder.setContext(generateNewContext());
-
- return;
+ return null;
}
// Session exists, so try to obtain a context from it.
@@ -270,13 +286,10 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
if (contextFromSessionObject == null) {
if (logger.isDebugEnabled()) {
- logger.debug("HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new "
- + "SecurityContext instance associated with SecurityContextHolder");
+ logger.debug("HttpSession returned null object for ACEGI_SECURITY_CONTEXT");
}
- SecurityContextHolder.setContext(generateNewContext());
-
- return;
+ return null;
}
// We now have the security context object from the session.
@@ -297,26 +310,21 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
}
}
- if (contextFromSessionObject instanceof SecurityContext) {
- if (logger.isDebugEnabled()) {
- logger.debug("Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and "
- + "set to SecurityContextHolder: '" + contextFromSessionObject + "'");
- }
-
- SecurityContextHolder.setContext((SecurityContext) contextFromSessionObject);
- } else {
+ if (!(contextFromSessionObject instanceof SecurityContext)) {
if (logger.isWarnEnabled()) {
- logger
- .warn("ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
- + contextFromSessionObject
- + "'; are you improperly modifying the HttpSession directly "
- + "(you should always use SecurityContextHolder) or using the HttpSession attribute "
- + "reserved for this class? - new SecurityContext instance associated with "
- + "SecurityContextHolder");
+ logger.warn("ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
+ + contextFromSessionObject
+ + "'; are you improperly modifying the HttpSession directly "
+ + "(you should always use SecurityContextHolder) or using the HttpSession attribute "
+ + "reserved for this class?");
}
- SecurityContextHolder.setContext(generateNewContext());
+ return null;
}
+
+ // Everything OK. The only non-null return from this method.
+
+ return (SecurityContext) contextFromSessionObject;
}
private void storeSecurityContextInSession(ServletRequest request,