Fix for SEC-159. Added clearContext() method to SecurityContextHolder and refactored code to use it instead of putting an empty context into the holder.

This commit is contained in:
Luke Taylor 2006-02-08 23:27:46 +00:00
parent 8c0ce12332
commit dc959b1847
20 changed files with 46 additions and 25 deletions


@ -279,7 +279,7 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
} }
// Remove SecurityContextHolder contents // Remove SecurityContextHolder contents
SecurityContextHolder.setContext(generateNewContext()); SecurityContextHolder.clearContext();
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug( logger.debug(
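Review bot: After `SecurityContextHolder.clearContext()` the holder slot is null, whereas `setContext(generateNewContext())` left a non-null, correctly typed context in place for the remainder of the thread's work; unless `getContext()` lazily substitutes a fresh context for a null slot (its body is outside this page), any later code on this thread that does `getContext().getAuthentication()` without a null check would now throw NullPointerException where it previously saw an empty context. The same substitution is made in the ContextPropagatingRemoteInvocation hunk below. A comment at the call site would make the new invariant explicit: `// Context is cleared (null), not replaced: nothing after this point may assume a non-null context`. The enclosing doFilter method continues outside the hunk.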


@ -75,4 +75,16 @@ public class SecurityContextHolder {
return (SecurityContext) contextHolder.get(); return (SecurityContext) contextHolder.get();
} }
/**
* Explicitly clears the context value from thread local storage.
* Typically used on completion of a request to prevent potential
* misuse of the associated context information if the thread is
* reused.
*/
public static void clearContext() {
// Internally set the context value to null. This is never visible
// outside the class.
contextHolder.set(null);
}
} }
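Review bot: The Javadoc statement that the null value "is never visible outside the class" holds only if `getContext()` replaces a null slot with a fresh context; the visible tail of `getContext()` returns `contextHolder.get()` unchanged, so if no null check precedes it (above the hunk) callers do observe null after `clearContext()`. The Javadoc should state the real contract either way, e.g. `After this call getContext() returns null until setContext() is invoked again` (or the lazy-creation behaviour, if that is what the code above does). If the target JDK is 5 or later, `contextHolder.remove()` would also drop the ThreadLocal entry altogether instead of leaving a null-valued entry attached to a pooled thread, which matches the stated purpose of the method more closely than `set(null)`.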


@ -123,7 +123,7 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
} finally { } finally {
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug( logger.debug(


@ -39,6 +39,15 @@ import javax.servlet.ServletException;
public class CaptchaChannelProcessorTemplateTests extends TestCase { public class CaptchaChannelProcessorTemplateTests extends TestCase {
//~ Methods ================================================================ //~ Methods ================================================================
public void setUp() {
SecurityContextHolder.clearContext();
}
public void tearDown() {
SecurityContextHolder.clearContext();
}
public void testContextRedirect() throws Exception { public void testContextRedirect() throws Exception {
CaptchaChannelProcessorTemplate processor = new TestHumanityCaptchaChannelProcessor(); CaptchaChannelProcessorTemplate processor = new TestHumanityCaptchaChannelProcessor();
processor.setKeyword("X"); processor.setKeyword("X");
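Review bot: The new `setUp()` and `tearDown()` are declared `public` with no `throws Exception` and do not call `super.setUp()` / `super.tearDown()`, unlike every other fixture touched in this commit (for example AnonymousProcessingFilterTests), which declare them `protected void ... throws Exception` and chain to the superclass first. For consistency and so that any future TestCase base-class setup is not silently skipped, write them as `protected void setUp() throws Exception { super.setUp(); SecurityContextHolder.clearContext(); }` and the mirror for `tearDown()`. The class body continues outside the hunk.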


@ -66,7 +66,7 @@ public class ContextPropagatingRemoteInvocationTests extends TestCase {
// Set to null, as ContextPropagatingRemoteInvocation already obtained // Set to null, as ContextPropagatingRemoteInvocation already obtained
// a copy and nulling is necessary to ensure the Context delivered by // a copy and nulling is necessary to ensure the Context delivered by
// ContextPropagatingRemoteInvocation is used on server-side // ContextPropagatingRemoteInvocation is used on server-side
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
// The result from invoking the TargetObject should contain the // The result from invoking the TargetObject should contain the
// Authentication class delivered via the SecurityContextHolder // Authentication class delivered via the SecurityContextHolder


@ -176,7 +176,7 @@ public class FilterSecurityInterceptorTests extends TestCase {
interceptor.invoke(fi); interceptor.invoke(fi);
// Destroy the Context // Destroy the Context
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
public void testNormalStartupAndGetter() throws Exception { public void testNormalStartupAndGetter() throws Exception {
@ -233,7 +233,7 @@ public class FilterSecurityInterceptorTests extends TestCase {
interceptor.invoke(fi); interceptor.invoke(fi);
// Destroy the Context // Destroy the Context
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
//~ Inner Classes ========================================================== //~ Inner Classes ==========================================================


@ -164,12 +164,12 @@ public class AnonymousProcessingFilterTests extends TestCase {
protected void setUp() throws Exception { protected void setUp() throws Exception {
super.setUp(); super.setUp();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
super.tearDown(); super.tearDown();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
private void executeFilterInContainerSimulator(FilterConfig filterConfig, private void executeFilterInContainerSimulator(FilterConfig filterConfig,


@ -111,11 +111,11 @@ public class SecurityContextLoginModuleTests extends TestCase {
protected void setUp() throws Exception { protected void setUp() throws Exception {
module = new SecurityContextLoginModule(); module = new SecurityContextLoginModule();
module.initialize(subject, null, null, null); module.initialize(subject, null, null, null);
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
module = null; module = null;
} }
} }


@ -98,6 +98,6 @@ public class AuthorizeTagAttributeTests extends TestCase {
} }
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
} }


@ -73,7 +73,7 @@ public class AuthorizeTagCustomGrantedAuthorityTests extends TestCase {
} }
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
//~ Inner Classes ========================================================== //~ Inner Classes ==========================================================


@ -81,6 +81,6 @@ public class AuthorizeTagExpressionLanguageTests extends TestCase {
} }
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
} }


@ -120,6 +120,6 @@ public class AuthorizeTagTests extends TestCase {
} }
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
} }


@ -51,7 +51,7 @@ public class AuthzImplAttributeTest extends TestCase {
} }
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
public void testAssertsIfAllGrantedSecond() { public void testAssertsIfAllGrantedSecond() {


@ -49,7 +49,7 @@ public class AuthzImplAuthorizeTagTest extends TestCase {
} }
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
public void testAlwaysReturnsUnauthorizedIfNoUserFound() { public void testAlwaysReturnsUnauthorizedIfNoUserFound() {


@ -419,12 +419,12 @@ public class AbstractProcessingFilterTests extends TestCase {
protected void setUp() throws Exception { protected void setUp() throws Exception {
super.setUp(); super.setUp();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
super.tearDown(); super.tearDown();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
private MockHttpServletRequest createMockRequest() { private MockHttpServletRequest createMockRequest() {


@ -67,7 +67,7 @@ public class ExceptionTranslationFilterTests extends TestCase {
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
super.tearDown(); super.tearDown();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
public void testAccessDeniedWhenAnonymous() throws Exception { public void testAccessDeniedWhenAnonymous() throws Exception {


@ -74,7 +74,7 @@ public class BasicProcessingFilterTests extends MockObjectTestCase {
protected void setUp() throws Exception { protected void setUp() throws Exception {
super.setUp(); super.setUp();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
// Create User Details Service, provider and authentication manager // Create User Details Service, provider and authentication manager
InMemoryDaoImpl dao = new InMemoryDaoImpl(); InMemoryDaoImpl dao = new InMemoryDaoImpl();
@ -97,7 +97,7 @@ public class BasicProcessingFilterTests extends MockObjectTestCase {
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
super.tearDown(); super.tearDown();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
public void testDoFilterWithNonHttpServletRequestDetected() public void testDoFilterWithNonHttpServletRequestDetected()


@ -86,7 +86,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
protected void setUp() throws Exception { protected void setUp() throws Exception {
super.setUp(); super.setUp();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
// Create User Details Service // Create User Details Service
InMemoryDaoImpl dao = new InMemoryDaoImpl(); InMemoryDaoImpl dao = new InMemoryDaoImpl();
UserMapEditor editor = new UserMapEditor(); UserMapEditor editor = new UserMapEditor();
@ -107,7 +107,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
super.tearDown(); super.tearDown();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
public void testDoFilterWithNonHttpServletRequestDetected() public void testDoFilterWithNonHttpServletRequestDetected()


@ -76,12 +76,12 @@ public class RememberMeProcessingFilterTests extends TestCase {
protected void setUp() throws Exception { protected void setUp() throws Exception {
super.setUp(); super.setUp();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
protected void tearDown() throws Exception { protected void tearDown() throws Exception {
super.tearDown(); super.tearDown();
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
public void testDetectsAuthenticationManagerProperty() public void testDetectsAuthenticationManagerProperty()


@ -137,7 +137,7 @@ public class ClientApplication {
System.out.println(stopWatch.prettyPrint()); System.out.println(stopWatch.prettyPrint());
} }
SecurityContextHolder.setContext(new SecurityContextImpl()); SecurityContextHolder.clearContext();
} }
public static void main(String[] args) { public static void main(String[] args) {