From df9deea4de1a1c8a85077c2da0993c4e07200e24 Mon Sep 17 00:00:00 2001 From: Ben Alex Date: Tue, 8 Nov 2005 01:39:27 +0000 Subject: [PATCH] Only clear SecurityContextHolder if the Authentication object has not changed. --- .../anonymous/AnonymousProcessingFilter.java | 78 +++++++++++-------- 1 file changed, 46 insertions(+), 32 deletions(-) diff --git a/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java b/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java index 8a434912b4..f27676295f 100644 --- a/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java +++ b/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java @@ -12,6 +12,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ + package net.sf.acegisecurity.providers.anonymous; import net.sf.acegisecurity.Authentication; @@ -38,7 +39,7 @@ import javax.servlet.ServletResponse; /** * Detects if there is no Authentication object in the * SecurityContextHolder, and populates it with one if needed. - * + * *

* Do not use this class directly. Instead configure * web.xml to use the {@link @@ -49,11 +50,18 @@ import javax.servlet.ServletResponse; * @version $Id$ */ public class AnonymousProcessingFilter implements Filter, InitializingBean { + //~ Static fields/initializers ============================================= + private static final Log logger = LogFactory.getLog(AnonymousProcessingFilter.class); + + //~ Instance fields ======================================================== + private String key; private UserAttribute userAttribute; private boolean removeAfterRequest = true; + //~ Methods ================================================================ + public void setKey(String key) { this.key = key; } @@ -62,6 +70,31 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean { return key; } + /** + * Controls whether the filter will remove the Anonymous token after the + * request is complete. Generally this is desired to avoid the expense of + * a session being created by {@link + * net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter + * HttpSessionContextIntegrationFilter} simply to store the Anonymous + * authentication token. + * + *

+ * Defaults to true, being the most optimal and appropriate + * option (ie AnonymousProcessingFilter will clear the token + * at the end of each request, thus avoiding the session creation overhead + * in a typical configuration. + *

+ * + * @param removeAfterRequest DOCUMENT ME! + */ + public void setRemoveAfterRequest(boolean removeAfterRequest) { + this.removeAfterRequest = removeAfterRequest; + } + + public boolean isRemoveAfterRequest() { + return removeAfterRequest; + } + public void setUserAttribute(UserAttribute userAttributeDefinition) { this.userAttribute = userAttributeDefinition; } @@ -78,8 +111,7 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean { /** * Does nothing - we reply on IoC lifecycle services instead. */ - public void destroy() { - } + public void destroy() {} public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { @@ -93,16 +125,16 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean { if (logger.isDebugEnabled()) { logger.debug( - "Populated SecurityContextHolder with anonymous token: '" + - SecurityContextHolder.getContext().getAuthentication() + - "'"); + "Populated SecurityContextHolder with anonymous token: '" + + SecurityContextHolder.getContext().getAuthentication() + + "'"); } } else { if (logger.isDebugEnabled()) { logger.debug( - "SecurityContextHolder not populated with anonymous token, as it already contained: '" + - SecurityContextHolder.getContext().getAuthentication() + - "'"); + "SecurityContextHolder not populated with anonymous token, as it already contained: '" + + SecurityContextHolder.getContext().getAuthentication() + + "'"); } } } @@ -110,7 +142,9 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean { try { chain.doFilter(request, response); } finally { - if (addedToken && removeAfterRequest) { + if (addedToken && removeAfterRequest + && createAuthentication(request).equals(SecurityContextHolder.getContext() + .getAuthentication())) { SecurityContextHolder.getContext().setAuthentication(null); } } 
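Review bot: The Javadoc added above `setRemoveAfterRequest` leaves the parameter as a placeholder, `@param removeAfterRequest DOCUMENT ME!`, and the sentence starting "(ie AnonymousProcessingFilter will clear the token" never closes its parenthesis. Suggest `@param removeAfterRequest true to clear the anonymous token from the SecurityContextHolder once the filter chain returns; false to leave it in place` and closing the parenthesis after "typical configuration". The same placeholder appears in the `init(FilterConfig)` hunk as `@throws ServletException DOCUMENT ME!`; since that method's body is now `{}`, say that it is declared only to satisfy the {@link Filter#init} signature and is never thrown by this implementation.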
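Review bot: The new `finally` condition decides whether the holder still contains this filter's token by building a second token with `createAuthentication(request)` and calling `equals`, so correctness now depends on `AnonymousAuthenticationToken.equals` semantics and on the protected hook being invoked twice per request (it is documented in the later hunk as a subclass extension point, so a subclass override runs twice and, if it ever returned null, would throw NPE here). A reference comparison against the instance the filter actually installed is independent of both: keep that instance in a local at the population site (outside this hunk, next to the "Populated SecurityContextHolder" log line), e.g. `Authentication added = createAuthentication(request); SecurityContextHolder.getContext().setAuthentication(added);`, and in the finally use `if (addedToken && removeAfterRequest && SecurityContextHolder.getContext().getAuthentication() == added) {`. That keeps the intended guard - never wiping an Authentication a downstream component replaced ours with - while not clearing a distinct but `equals`-equivalent token either. doFilter starts outside this hunk.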
@@ -121,9 +155,9 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean { * * @param ignored not used * + * @throws ServletException DOCUMENT ME! */ - public void init(FilterConfig ignored) throws ServletException { - } + public void init(FilterConfig ignored) throws ServletException {} /** * Enables subclasses to determine whether or not an anonymous @@ -147,24 +181,4 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean { return new AnonymousAuthenticationToken(key, userAttribute.getPassword(), userAttribute.getAuthorities()); } - - public boolean isRemoveAfterRequest() { - return removeAfterRequest; - } - - /** - * Controls whether the filter will remove the Anonymous token - * after the request is complete. Generally this is desired to - * avoid the expense of a session being created by - * {@link net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter HttpSessionContextIntegrationFilter} - * simply to store the Anonymous authentication token. - * - *

Defaults to true, - * being the most optimal and appropriate option (ie AnonymousProcessingFilter - * will clear the token at the end of each request, thus avoiding the session creation - * overhead in a typical configuration. - */ - public void setRemoveAfterRequest(boolean removeAfterRequest) { - this.removeAfterRequest = removeAfterRequest; - } }