From d7cef1ba31b483728bcc14cdeef38c04bd0307ed Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Tue, 28 Aug 2007 23:11:58 +0000
Subject: [PATCH] SEC-539: Moved SecurityContextHolder.setContext() call into the try {} block to emphasize that it is only set for the duration of chain.doFilter() and immediately cleared afterwards. Changed the debug messages about setting the context, since it has not strictly taken place when they are logged.
---
 .../HttpSessionContextIntegrationFilter.java | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
index def5211f1a..947c0d8579 100644
--- a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
+++ b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
@@ -219,25 +219,24 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
 contextBeforeChainExecution = generateNewContext();
 if (logger.isDebugEnabled()) {
- logger.debug("New SecurityContext instance associated with SecurityContextHolder");
+ logger.debug("New SecurityContext instance will be associated with SecurityContextHolder");
 }
 } else {
 if (logger.isDebugEnabled()) {
- logger.debug("Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT and "
- + "set to SecurityContextHolder: '" + contextBeforeChainExecution + "'");
+ logger.debug("Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT to "
+ + "associate with SecurityContextHolder: '" + contextBeforeChainExecution + "'");
 }
 }
 int contextHashBeforeChainExecution = contextBeforeChainExecution.hashCode();
-
- // This is the only place in this class where SecurityContextHolder.setContext() is called
- SecurityContextHolder.setContext(contextBeforeChainExecution);
-
 request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
 // Proceed with chain
 try {
+ // This is the only place in this class where SecurityContextHolder.setContext() is called
+ SecurityContextHolder.setContext(contextBeforeChainExecution);
+
 chain.doFilter(request, response);
 } finally {