SEC-539: Moved SecurityContextHolder.setContext() call into the try {} block to emphasize that it is only set for the duration of chain.doFilter() and immediately cleared afterwards. Changed the debug messages about setting the context, since it has not strictly taken place when they are logged.

core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java

@@ -219,25 +219,24 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
             contextBeforeChainExecution = generateNewContext();
 
             if (logger.isDebugEnabled()) {
-                logger.debug("New SecurityContext instance associated with SecurityContextHolder");
+                logger.debug("New SecurityContext instance will be associated with SecurityContextHolder");
             }
         } else {
             if (logger.isDebugEnabled()) {
-                logger.debug("Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT and "
+                logger.debug("Obtained a valid SecurityContext from ACEGI_SECURITY_CONTEXT to "
-                        + "set to SecurityContextHolder: '" + contextBeforeChainExecution + "'");
+                        + "associate with SecurityContextHolder: '" + contextBeforeChainExecution + "'");
             }
         }
 
         int contextHashBeforeChainExecution = contextBeforeChainExecution.hashCode();
-
-        // This is the only place in this class where SecurityContextHolder.setContext() is called
-        SecurityContextHolder.setContext(contextBeforeChainExecution);
-
         request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
 
         // Proceed with chain
 
         try {
+            // This is the only place in this class where SecurityContextHolder.setContext() is called
+            SecurityContextHolder.setContext(contextBeforeChainExecution);
+
             chain.doFilter(request, response);
         }
         finally {