diff --git a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java index c461bdd560..6afc41ad71 100644 --- a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java +++ b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java @@ -279,7 +279,7 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, } // Remove SecurityContextHolder contents - SecurityContextHolder.setContext(generateNewContext()); + SecurityContextHolder.clearContext(); if (logger.isDebugEnabled()) { logger.debug( diff --git a/core/src/main/java/org/acegisecurity/context/SecurityContextHolder.java b/core/src/main/java/org/acegisecurity/context/SecurityContextHolder.java index c3974c7147..7cf1bdc7fc 100644 --- a/core/src/main/java/org/acegisecurity/context/SecurityContextHolder.java +++ b/core/src/main/java/org/acegisecurity/context/SecurityContextHolder.java @@ -75,4 +75,16 @@ public class SecurityContextHolder { return (SecurityContext) contextHolder.get(); } + + /** + * Explicitly clears the context value from thread local storage. + * Typically used on completion of a request to prevent potential + * misuse of the associated context information if the thread is + * reused. + */ + public static void clearContext() { + // Internally set the context value to null. This is never visible + // outside the class. + contextHolder.set(null); + } } diff --git a/core/src/main/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocation.java b/core/src/main/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocation.java index 23837b6397..4c33b41212 100644 --- a/core/src/main/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocation.java +++ b/core/src/main/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocation.java @@ -123,7 +123,7 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation { } finally { - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); if (logger.isDebugEnabled()) { logger.debug( diff --git a/core/src/test/java/org/acegisecurity/captcha/CaptchaChannelProcessorTemplateTests.java b/core/src/test/java/org/acegisecurity/captcha/CaptchaChannelProcessorTemplateTests.java index 8fb2088f5a..6d6e7c5477 100644 --- a/core/src/test/java/org/acegisecurity/captcha/CaptchaChannelProcessorTemplateTests.java +++ b/core/src/test/java/org/acegisecurity/captcha/CaptchaChannelProcessorTemplateTests.java @@ -39,6 +39,15 @@ import javax.servlet.ServletException; public class CaptchaChannelProcessorTemplateTests extends TestCase { //~ Methods ================================================================ + public void setUp() { + SecurityContextHolder.clearContext(); + } + + public void tearDown() { + SecurityContextHolder.clearContext(); + } + + public void testContextRedirect() throws Exception { CaptchaChannelProcessorTemplate processor = new TestHumanityCaptchaChannelProcessor(); processor.setKeyword("X"); diff --git a/core/src/test/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocationTests.java b/core/src/test/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocationTests.java index 2146b3aff0..63bdba5c27 100644 --- a/core/src/test/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocationTests.java +++ b/core/src/test/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocationTests.java @@ -66,7 +66,7 @@ public class ContextPropagatingRemoteInvocationTests extends TestCase { // Set to null, as ContextPropagatingRemoteInvocation already obtained // a copy and nulling is necessary to ensure the Context delivered by // ContextPropagatingRemoteInvocation is used on server-side - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); // The result from invoking the TargetObject should contain the // Authentication class delivered via the SecurityContextHolder diff --git a/core/src/test/java/org/acegisecurity/intercept/web/FilterSecurityInterceptorTests.java b/core/src/test/java/org/acegisecurity/intercept/web/FilterSecurityInterceptorTests.java index 68ba6c053f..c4117e2513 100644 --- a/core/src/test/java/org/acegisecurity/intercept/web/FilterSecurityInterceptorTests.java +++ b/core/src/test/java/org/acegisecurity/intercept/web/FilterSecurityInterceptorTests.java @@ -176,7 +176,7 @@ public class FilterSecurityInterceptorTests extends TestCase { interceptor.invoke(fi); // Destroy the Context - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } public void testNormalStartupAndGetter() throws Exception { @@ -233,7 +233,7 @@ public class FilterSecurityInterceptorTests extends TestCase { interceptor.invoke(fi); // Destroy the Context - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } //~ Inner Classes ========================================================== diff --git a/core/src/test/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilterTests.java b/core/src/test/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilterTests.java index b4fe83eeed..3010c9dc5f 100644 --- a/core/src/test/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilterTests.java +++ b/core/src/test/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilterTests.java @@ -164,12 +164,12 @@ public class AnonymousProcessingFilterTests extends TestCase { protected void setUp() throws Exception { super.setUp(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } protected void tearDown() throws Exception { super.tearDown(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } private void executeFilterInContainerSimulator(FilterConfig filterConfig, diff --git a/core/src/test/java/org/acegisecurity/providers/jaas/SecurityContextLoginModuleTests.java b/core/src/test/java/org/acegisecurity/providers/jaas/SecurityContextLoginModuleTests.java index f77d0b157c..b7f2bbcb04 100644 --- a/core/src/test/java/org/acegisecurity/providers/jaas/SecurityContextLoginModuleTests.java +++ b/core/src/test/java/org/acegisecurity/providers/jaas/SecurityContextLoginModuleTests.java @@ -111,11 +111,11 @@ public class SecurityContextLoginModuleTests extends TestCase { protected void setUp() throws Exception { module = new SecurityContextLoginModule(); module.initialize(subject, null, null, null); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } protected void tearDown() throws Exception { - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); module = null; } } diff --git a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagAttributeTests.java b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagAttributeTests.java index c2a94535ba..cec03e9993 100644 --- a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagAttributeTests.java +++ b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagAttributeTests.java @@ -98,6 +98,6 @@ public class AuthorizeTagAttributeTests extends TestCase { } protected void tearDown() throws Exception { - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } } diff --git a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java index 431b52bb75..4672e7e9e1 100644 --- a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java +++ b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java @@ -73,7 +73,7 @@ public class AuthorizeTagCustomGrantedAuthorityTests extends TestCase { } protected void tearDown() throws Exception { - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } //~ Inner Classes ========================================================== diff --git a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagExpressionLanguageTests.java b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagExpressionLanguageTests.java index f846fb5aaf..6ce29ff98c 100644 --- a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagExpressionLanguageTests.java +++ b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagExpressionLanguageTests.java @@ -81,6 +81,6 @@ public class AuthorizeTagExpressionLanguageTests extends TestCase { } protected void tearDown() throws Exception { - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } } diff --git a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java index 34e6d6f70b..61888cbe6a 100644 --- a/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java +++ b/core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java @@ -120,6 +120,6 @@ public class AuthorizeTagTests extends TestCase { } protected void tearDown() throws Exception { - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } } diff --git a/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAttributeTest.java b/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAttributeTest.java index be72697769..e08dada3c1 100644 --- a/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAttributeTest.java +++ b/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAttributeTest.java @@ -51,7 +51,7 @@ public class AuthzImplAttributeTest extends TestCase { } protected void tearDown() throws Exception { - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } public void testAssertsIfAllGrantedSecond() { diff --git a/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAuthorizeTagTest.java b/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAuthorizeTagTest.java index f9437d06fa..0cfe4fa0d1 100644 --- a/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAuthorizeTagTest.java +++ b/core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAuthorizeTagTest.java @@ -49,7 +49,7 @@ public class AuthzImplAuthorizeTagTest extends TestCase { } protected void tearDown() throws Exception { - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } public void testAlwaysReturnsUnauthorizedIfNoUserFound() { diff --git a/core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java b/core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java index 492c29f36d..866c2a881a 100644 --- a/core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java +++ b/core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java @@ -419,12 +419,12 @@ public class AbstractProcessingFilterTests extends TestCase { protected void setUp() throws Exception { super.setUp(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } protected void tearDown() throws Exception { super.tearDown(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } private MockHttpServletRequest createMockRequest() { diff --git a/core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java b/core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java index 8c14fa972b..741f79120a 100644 --- a/core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java +++ b/core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java @@ -67,7 +67,7 @@ public class ExceptionTranslationFilterTests extends TestCase { protected void tearDown() throws Exception { super.tearDown(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } public void testAccessDeniedWhenAnonymous() throws Exception { diff --git a/core/src/test/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterTests.java b/core/src/test/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterTests.java index 4c7ee85a76..ef710032df 100644 --- a/core/src/test/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterTests.java +++ b/core/src/test/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterTests.java @@ -74,7 +74,7 @@ public class BasicProcessingFilterTests extends MockObjectTestCase { protected void setUp() throws Exception { super.setUp(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); // Create User Details Service, provider and authentication manager InMemoryDaoImpl dao = new InMemoryDaoImpl(); @@ -97,7 +97,7 @@ public class BasicProcessingFilterTests extends MockObjectTestCase { protected void tearDown() throws Exception { super.tearDown(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } public void testDoFilterWithNonHttpServletRequestDetected() diff --git a/core/src/test/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterTests.java b/core/src/test/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterTests.java index 3fe18d0282..86ee1eabd2 100644 --- a/core/src/test/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterTests.java +++ b/core/src/test/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterTests.java @@ -86,7 +86,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase { protected void setUp() throws Exception { super.setUp(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); // Create User Details Service InMemoryDaoImpl dao = new InMemoryDaoImpl(); UserMapEditor editor = new UserMapEditor(); @@ -107,7 +107,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase { protected void tearDown() throws Exception { super.tearDown(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } public void testDoFilterWithNonHttpServletRequestDetected() diff --git a/core/src/test/java/org/acegisecurity/ui/rememberme/RememberMeProcessingFilterTests.java b/core/src/test/java/org/acegisecurity/ui/rememberme/RememberMeProcessingFilterTests.java index d37d16d2ab..46bf50f36c 100644 --- a/core/src/test/java/org/acegisecurity/ui/rememberme/RememberMeProcessingFilterTests.java +++ b/core/src/test/java/org/acegisecurity/ui/rememberme/RememberMeProcessingFilterTests.java @@ -76,12 +76,12 @@ public class RememberMeProcessingFilterTests extends TestCase { protected void setUp() throws Exception { super.setUp(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } protected void tearDown() throws Exception { super.tearDown(); - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } public void testDetectsAuthenticationManagerProperty() diff --git a/samples/contacts/src/main/java/sample/contact/ClientApplication.java b/samples/contacts/src/main/java/sample/contact/ClientApplication.java index 7329b20c85..2a6e7b4b11 100644 --- a/samples/contacts/src/main/java/sample/contact/ClientApplication.java +++ b/samples/contacts/src/main/java/sample/contact/ClientApplication.java @@ -137,7 +137,7 @@ public class ClientApplication { System.out.println(stopWatch.prettyPrint()); } - SecurityContextHolder.setContext(new SecurityContextImpl()); + SecurityContextHolder.clearContext(); } public static void main(String[] args) {