SEC-2055: SaveContextServletOutputStream flush/close delegates to original ServletOutputStream instead of using super

2025-10-30 22:28:46 +00:00 · 2012-09-19 08:59:39 -05:00 · 2012-09-19 08:59:39 -05:00 · dbc88f3226
commit dbc88f3226
parent abe5e4af48
2 changed files with 36 additions and 4 deletions
--- a/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java
+++ b/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java
@ -203,16 +203,14 @@ public abstract class SaveContextOnUpdateOrErrorResponseWrapper extends HttpServ
            this.delegate.write(b);
        }

-        @Override
        public void flush() throws IOException {
            doSaveContext();
-            super.flush();
+            delegate.flush();
        }

-        @Override
        public void close() throws IOException {
            doSaveContext();
-            super.close();
+            delegate.close();
        }
    }
 }
--- a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
@ -16,6 +16,8 @@ import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
 import static org.springframework.security.web.context.HttpSessionSecurityContextRepository.*;

+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;

 import org.junit.After;
@ -257,6 +259,38 @@ public class HttpSessionSecurityContextRepositoryTests {
        assertEquals(SecurityContextHolder.getContext(), request.getSession().getAttribute("imTheContext"));
    }

+    // SEC-SEC-2055
+    @Test
+    public void outputStreamCloseDelegate() throws Exception {
+        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+        repo.setSpringSecurityContextKey("imTheContext");
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        HttpServletResponse response = mock(HttpServletResponse.class);
+        ServletOutputStream outputstream = mock(ServletOutputStream.class);
+        when(response.getOutputStream()).thenReturn(outputstream);
+        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
+        SecurityContextHolder.setContext(repo.loadContext(holder));
+        SecurityContextHolder.getContext().setAuthentication(testToken);
+        holder.getResponse().getOutputStream().close();
+        verify(outputstream).close();
+    }
+
+    // SEC-SEC-2055
+    @Test
+    public void outputStreamFlushesDelegate() throws Exception {
+        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+        repo.setSpringSecurityContextKey("imTheContext");
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        HttpServletResponse response = mock(HttpServletResponse.class);
+        ServletOutputStream outputstream = mock(ServletOutputStream.class);
+        when(response.getOutputStream()).thenReturn(outputstream);
+        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
+        SecurityContextHolder.setContext(repo.loadContext(holder));
+        SecurityContextHolder.getContext().setAuthentication(testToken);
+        holder.getResponse().getOutputStream().flush();
+        verify(outputstream).flush();
+    }
+
    @Test
    public void noSessionIsCreatedIfSessionWasInvalidatedDuringTheRequest() throws Exception {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();