Fix for SEC-159. Added clearContext() method to SecurityContextHolder and refactored code to use it instead of putting an empty context into the holder.

2006-02-08 23:27:46 +00:00 · 2006-02-08 23:27:46 +00:00 · dc959b1847
parent 8c0ce12332
commit dc959b1847
20 changed files with 46 additions and 25 deletions
--- a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
+++ b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
@ -279,7 +279,7 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
                }

                // Remove SecurityContextHolder contents
-                SecurityContextHolder.setContext(generateNewContext());
+                SecurityContextHolder.clearContext();

                if (logger.isDebugEnabled()) {
                    logger.debug(
--- a/core/src/main/java/org/acegisecurity/context/SecurityContextHolder.java
+++ b/core/src/main/java/org/acegisecurity/context/SecurityContextHolder.java
@ -75,4 +75,16 @@ public class SecurityContextHolder {

        return (SecurityContext) contextHolder.get();
    }
+
+    /**
+     * Explicitly clears the context value from thread local storage.
+     * Typically used on completion of a request to prevent potential
+     * misuse of the associated context information if the thread is
+     * reused. 
+     */
+    public static void clearContext() {
+        // Internally set the context value to null. This is never visible
+        // outside the class.
+        contextHolder.set(null);
+    }
 }
--- a/core/src/main/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocation.java
+++ b/core/src/main/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocation.java
@ -123,7 +123,7 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {

        } finally {

-            SecurityContextHolder.setContext(new SecurityContextImpl());
+            SecurityContextHolder.clearContext();

            if (logger.isDebugEnabled()) {
                logger.debug(
--- a/core/src/test/java/org/acegisecurity/captcha/CaptchaChannelProcessorTemplateTests.java
+++ b/core/src/test/java/org/acegisecurity/captcha/CaptchaChannelProcessorTemplateTests.java
@ -39,6 +39,15 @@ import javax.servlet.ServletException;
 public class CaptchaChannelProcessorTemplateTests extends TestCase {
    //~ Methods ================================================================

+    public void setUp() {
+        SecurityContextHolder.clearContext();
+    }
+
+    public void tearDown() {
+        SecurityContextHolder.clearContext();
+    }
+
+
    public void testContextRedirect() throws Exception {
        CaptchaChannelProcessorTemplate processor = new TestHumanityCaptchaChannelProcessor();
        processor.setKeyword("X");
--- a/core/src/test/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocationTests.java
+++ b/core/src/test/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocationTests.java
@ -66,7 +66,7 @@ public class ContextPropagatingRemoteInvocationTests extends TestCase {
        // Set to null, as ContextPropagatingRemoteInvocation already obtained
        // a copy and nulling is necessary to ensure the Context delivered by
        // ContextPropagatingRemoteInvocation is used on server-side
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();

        // The result from invoking the TargetObject should contain the
        // Authentication class delivered via the SecurityContextHolder
--- a/core/src/test/java/org/acegisecurity/intercept/web/FilterSecurityInterceptorTests.java
+++ b/core/src/test/java/org/acegisecurity/intercept/web/FilterSecurityInterceptorTests.java
@ -176,7 +176,7 @@ public class FilterSecurityInterceptorTests extends TestCase {
        interceptor.invoke(fi);

        // Destroy the Context
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    public void testNormalStartupAndGetter() throws Exception {
@ -233,7 +233,7 @@ public class FilterSecurityInterceptorTests extends TestCase {
        interceptor.invoke(fi);

        // Destroy the Context
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    //~ Inner Classes ==========================================================
--- a/core/src/test/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilterTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilterTests.java
@ -164,12 +164,12 @@ public class AnonymousProcessingFilterTests extends TestCase {

    protected void setUp() throws Exception {
        super.setUp();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    protected void tearDown() throws Exception {
        super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    private void executeFilterInContainerSimulator(FilterConfig filterConfig,
--- a/core/src/test/java/org/acegisecurity/providers/jaas/SecurityContextLoginModuleTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/jaas/SecurityContextLoginModuleTests.java
@ -111,11 +111,11 @@ public class SecurityContextLoginModuleTests extends TestCase {
    protected void setUp() throws Exception {
        module = new SecurityContextLoginModule();
        module.initialize(subject, null, null, null);
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
        module = null;
    }
 }
--- a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagAttributeTests.java
+++ b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagAttributeTests.java
@ -98,6 +98,6 @@ public class AuthorizeTagAttributeTests extends TestCase {
    }

    protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }
 }
--- a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java
+++ b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java
@ -73,7 +73,7 @@ public class AuthorizeTagCustomGrantedAuthorityTests extends TestCase {
    }

    protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    //~ Inner Classes ==========================================================
--- a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagExpressionLanguageTests.java
+++ b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagExpressionLanguageTests.java
@ -81,6 +81,6 @@ public class AuthorizeTagExpressionLanguageTests extends TestCase {
    }

    protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }
 }
--- a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java
+++ b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java
@ -120,6 +120,6 @@ public class AuthorizeTagTests extends TestCase {
    }

    protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }
 }
--- a/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAttributeTest.java
+++ b/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAttributeTest.java
@ -51,7 +51,7 @@ public class AuthzImplAttributeTest extends TestCase {
    }

    protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    public void testAssertsIfAllGrantedSecond() {
--- a/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAuthorizeTagTest.java
+++ b/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAuthorizeTagTest.java
@ -49,7 +49,7 @@ public class AuthzImplAuthorizeTagTest extends TestCase {
    }

    protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    public void testAlwaysReturnsUnauthorizedIfNoUserFound() {
--- a/core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java
+++ b/core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java
@ -419,12 +419,12 @@ public class AbstractProcessingFilterTests extends TestCase {

    protected void setUp() throws Exception {
        super.setUp();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    protected void tearDown() throws Exception {
        super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    private MockHttpServletRequest createMockRequest() {
--- a/core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java
+++ b/core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java
@ -67,7 +67,7 @@ public class ExceptionTranslationFilterTests extends TestCase {

    protected void tearDown() throws Exception {
        super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    public void testAccessDeniedWhenAnonymous() throws Exception {
--- a/core/src/test/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterTests.java
+++ b/core/src/test/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterTests.java
@ -74,7 +74,7 @@ public class BasicProcessingFilterTests extends MockObjectTestCase {

    protected void setUp() throws Exception {
        super.setUp();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();

        // Create User Details Service, provider and authentication manager
        InMemoryDaoImpl dao = new InMemoryDaoImpl();
@ -97,7 +97,7 @@ public class BasicProcessingFilterTests extends MockObjectTestCase {

    protected void tearDown() throws Exception {
        super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    public void testDoFilterWithNonHttpServletRequestDetected()
--- a/core/src/test/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterTests.java
+++ b/core/src/test/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterTests.java
@ -86,7 +86,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {

    protected void setUp() throws Exception {
        super.setUp();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
        // Create User Details Service
        InMemoryDaoImpl dao = new InMemoryDaoImpl();
        UserMapEditor editor = new UserMapEditor();
@ -107,7 +107,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {

    protected void tearDown() throws Exception {
        super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    public void testDoFilterWithNonHttpServletRequestDetected()
--- a/core/src/test/java/org/acegisecurity/ui/rememberme/RememberMeProcessingFilterTests.java
+++ b/core/src/test/java/org/acegisecurity/ui/rememberme/RememberMeProcessingFilterTests.java
@ -76,12 +76,12 @@ public class RememberMeProcessingFilterTests extends TestCase {

    protected void setUp() throws Exception {
        super.setUp();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    protected void tearDown() throws Exception {
        super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    public void testDetectsAuthenticationManagerProperty()
--- a/samples/contacts/src/main/java/sample/contact/ClientApplication.java
+++ b/samples/contacts/src/main/java/sample/contact/ClientApplication.java
@ -137,7 +137,7 @@ public class ClientApplication {
            System.out.println(stopWatch.prettyPrint());
        }

-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
    }

    public static void main(String[] args) {