SEC-539: Refactored so that SecurityContextHolder.setContext() is called in exactly one place. Moved setting of httpSession = null to point immediately after its last use.

core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java

@@ -209,34 +209,34 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
 
         boolean httpSessionExistedAtStartOfRequest = httpSession != null;
 
-        SecurityContext contextFromSession = extractSecurityContextFromSession(httpSession);
+        SecurityContext contextBeforeChainExecution = extractSecurityContextFromSession(httpSession);
 
-        // This is the only block in this class in which SecurityContextHolder.setContext() is called
+        // Make the HttpSession null, as we don't want to keep a reference to it lying
-        if (contextFromSession != null) {
+        // around in case chain.doFilter() invalidates it.
-            SecurityContextHolder.setContext(contextFromSession);
+        httpSession = null;
 
-            if (logger.isDebugEnabled()) {
+        if (contextBeforeChainExecution == null) {
-                logger.debug("Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT and "
+            contextBeforeChainExecution = generateNewContext();
-                        + "set to SecurityContextHolder: '" + contextFromSession + "'");
-            }
-        } else {
-            SecurityContextHolder.setContext(generateNewContext());
 
             if (logger.isDebugEnabled()) {
                 logger.debug("New SecurityContext instance associated with SecurityContextHolder");
             }
+        } else {
+            if (logger.isDebugEnabled()) {
+                logger.debug("Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT and "
+                        + "set to SecurityContextHolder: '" + contextBeforeChainExecution + "'");
+            }
         }
 
-        // Make the HttpSession null, as we want to ensure we don't keep
+        int contextHashBeforeChainExecution = contextBeforeChainExecution.hashCode();
-        // a reference to the HttpSession laying around in case the
-        // chain.doFilter() invalidates it.
-        httpSession = null;
 
-        // Proceed with chain
+        // This is the only place in this class where SecurityContextHolder.setContext() is called
-        int contextHashWhenChainProceeded = SecurityContextHolder.getContext().hashCode();
+        SecurityContextHolder.setContext(contextBeforeChainExecution);
 
         request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
 
+        // Proceed with chain        
+
         try {
             chain.doFilter(request, response);
         } catch (IOException ioe) {
@@ -245,6 +245,7 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
             throw se;
         }
         finally {
+            // This is the only place in this class where SecurityContextHolder.getContext() is called
             SecurityContext contextAfterChainExecution = SecurityContextHolder.getContext();
 
             // Crucial removal of SecurityContextHolder contents - do this before anything else.
@@ -253,7 +254,7 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
             request.removeAttribute(FILTER_APPLIED);
 
             storeSecurityContextInSession(contextAfterChainExecution, request,
-                    httpSessionExistedAtStartOfRequest, contextHashWhenChainProceeded);
+                    httpSessionExistedAtStartOfRequest, contextHashBeforeChainExecution);
 
             if (logger.isDebugEnabled()) {
                 logger.debug("SecurityContextHolder now cleared, as request processing completed");