Only clear SecurityContextHolder if the Authentication object has not changed.
This commit is contained in:
parent
97bd75f78c
commit
df9deea4de
|
@ -12,6 +12,7 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package net.sf.acegisecurity.providers.anonymous;
|
||||
|
||||
import net.sf.acegisecurity.Authentication;
|
||||
|
@ -38,7 +39,7 @@ import javax.servlet.ServletResponse;
|
|||
/**
|
||||
* Detects if there is no <code>Authentication</code> object in the
|
||||
* <code>SecurityContextHolder</code>, and populates it with one if needed.
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* <b>Do not use this class directly.</b> Instead configure
|
||||
* <code>web.xml</code> to use the {@link
|
||||
|
@ -49,11 +50,18 @@ import javax.servlet.ServletResponse;
|
|||
* @version $Id$
|
||||
*/
|
||||
public class AnonymousProcessingFilter implements Filter, InitializingBean {
|
||||
//~ Static fields/initializers =============================================
|
||||
|
||||
private static final Log logger = LogFactory.getLog(AnonymousProcessingFilter.class);
|
||||
|
||||
//~ Instance fields ========================================================
|
||||
|
||||
private String key;
|
||||
private UserAttribute userAttribute;
|
||||
private boolean removeAfterRequest = true;
|
||||
|
||||
//~ Methods ================================================================
|
||||
|
||||
public void setKey(String key) {
|
||||
this.key = key;
|
||||
}
|
||||
|
@ -62,6 +70,31 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
|
|||
return key;
|
||||
}
|
||||
|
||||
/**
|
||||
* Controls whether the filter will remove the Anonymous token after the
|
||||
* request is complete. Generally this is desired to avoid the expense of
|
||||
* a session being created by {@link
|
||||
* net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter
|
||||
* HttpSessionContextIntegrationFilter} simply to store the Anonymous
|
||||
* authentication token.
|
||||
*
|
||||
* <p>
|
||||
* Defaults to <code>true</code>, being the most optimal and appropriate
|
||||
* option (ie <code>AnonymousProcessingFilter</code> will clear the token
|
||||
* at the end of each request, thus avoiding the session creation overhead
|
||||
* in a typical configuration.
|
||||
* </p>
|
||||
*
|
||||
* @param removeAfterRequest DOCUMENT ME!
|
||||
*/
|
||||
public void setRemoveAfterRequest(boolean removeAfterRequest) {
|
||||
this.removeAfterRequest = removeAfterRequest;
|
||||
}
|
||||
|
||||
public boolean isRemoveAfterRequest() {
|
||||
return removeAfterRequest;
|
||||
}
|
||||
|
||||
public void setUserAttribute(UserAttribute userAttributeDefinition) {
|
||||
this.userAttribute = userAttributeDefinition;
|
||||
}
|
||||
|
@ -78,8 +111,7 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
|
|||
/**
|
||||
* Does nothing - we reply on IoC lifecycle services instead.
|
||||
*/
|
||||
public void destroy() {
|
||||
}
|
||||
public void destroy() {}
|
||||
|
||||
public void doFilter(ServletRequest request, ServletResponse response,
|
||||
FilterChain chain) throws IOException, ServletException {
|
||||
|
@ -93,16 +125,16 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
|
|||
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug(
|
||||
"Populated SecurityContextHolder with anonymous token: '" +
|
||||
SecurityContextHolder.getContext().getAuthentication() +
|
||||
"'");
|
||||
"Populated SecurityContextHolder with anonymous token: '"
|
||||
+ SecurityContextHolder.getContext().getAuthentication()
|
||||
+ "'");
|
||||
}
|
||||
} else {
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug(
|
||||
"SecurityContextHolder not populated with anonymous token, as it already contained: '" +
|
||||
SecurityContextHolder.getContext().getAuthentication() +
|
||||
"'");
|
||||
"SecurityContextHolder not populated with anonymous token, as it already contained: '"
|
||||
+ SecurityContextHolder.getContext().getAuthentication()
|
||||
+ "'");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -110,7 +142,9 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
|
|||
try {
|
||||
chain.doFilter(request, response);
|
||||
} finally {
|
||||
if (addedToken && removeAfterRequest) {
|
||||
if (addedToken && removeAfterRequest
|
||||
&& createAuthentication(request).equals(SecurityContextHolder.getContext()
|
||||
.getAuthentication())) {
|
||||
SecurityContextHolder.getContext().setAuthentication(null);
|
||||
}
|
||||
}
|
||||
|
@ -121,9 +155,9 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
|
|||
*
|
||||
* @param ignored not used
|
||||
*
|
||||
* @throws ServletException DOCUMENT ME!
|
||||
*/
|
||||
public void init(FilterConfig ignored) throws ServletException {
|
||||
}
|
||||
public void init(FilterConfig ignored) throws ServletException {}
|
||||
|
||||
/**
|
||||
* Enables subclasses to determine whether or not an anonymous
|
||||
|
@ -147,24 +181,4 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
|
|||
return new AnonymousAuthenticationToken(key,
|
||||
userAttribute.getPassword(), userAttribute.getAuthorities());
|
||||
}
|
||||
|
||||
public boolean isRemoveAfterRequest() {
|
||||
return removeAfterRequest;
|
||||
}
|
||||
|
||||
/**
|
||||
* Controls whether the filter will remove the Anonymous token
|
||||
* after the request is complete. Generally this is desired to
|
||||
* avoid the expense of a session being created by
|
||||
* {@link net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter HttpSessionContextIntegrationFilter}
|
||||
* simply to store the Anonymous authentication token.
|
||||
*
|
||||
* <p>Defaults to <code>true</code>,
|
||||
* being the most optimal and appropriate option (ie <code>AnonymousProcessingFilter</code>
|
||||
* will clear the token at the end of each request, thus avoiding the session creation
|
||||
* overhead in a typical configuration.
|
||||
*/
|
||||
public void setRemoveAfterRequest(boolean removeAfterRequest) {
|
||||
this.removeAfterRequest = removeAfterRequest;
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue