SEC-776: Http Session created for Anonymous request
http://jira.springframework.org/browse/SEC-776. Added AuthenticationtrustResolver to HttpSCIF to check for anonymous authentication.
This commit is contained in:
parent
88ea87642a
commit
e12b6afefa
|
@ -28,6 +28,8 @@ import javax.servlet.http.HttpSession;
|
|||
import org.springframework.beans.factory.InitializingBean;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
import org.springframework.security.AuthenticationTrustResolver;
|
||||
import org.springframework.security.AuthenticationTrustResolverImpl;
|
||||
import org.springframework.security.ui.SpringSecurityFilter;
|
||||
import org.springframework.security.ui.FilterChainOrder;
|
||||
|
||||
|
@ -150,6 +152,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
|
|||
* method.
|
||||
*/
|
||||
private boolean cloneFromHttpSession = false;
|
||||
|
||||
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
|
||||
|
||||
public boolean isCloneFromHttpSession() {
|
||||
return cloneFromHttpSession;
|
||||
|
@ -320,7 +324,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
|
|||
|
||||
/**
|
||||
* Stores the supplied security context in the session (if available) and if it has changed since it was
|
||||
* set at the start of the request.
|
||||
* set at the start of the request. If the AuthenticationTrustResolver identifies the current user as
|
||||
* anonymous, then the context will not be stored.
|
||||
*
|
||||
* @param securityContext the context object obtained from the SecurityContextHolder after the request has
|
||||
* been processed by the filter chain. SecurityContextHolder.getContext() cannot be used to obtain
|
||||
|
@ -356,7 +361,7 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
|
|||
+ "(because the allowSessionCreation property is false) - SecurityContext thus not "
|
||||
+ "stored for next request");
|
||||
}
|
||||
} else if (!contextObject.equals(securityContext)) {
|
||||
} else if (!contextObject.equals(securityContext)) {
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("HttpSession being created as SecurityContextHolder contents are non-default");
|
||||
}
|
||||
|
@ -376,11 +381,18 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
|
|||
// If HttpSession exists, store current SecurityContextHolder contents but only if
|
||||
// the SecurityContext has actually changed (see JIRA SEC-37)
|
||||
if (httpSession != null && securityContext.hashCode() != contextHashBeforeChainExecution) {
|
||||
httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("SecurityContext stored to HttpSession: '" + securityContext + "'");
|
||||
}
|
||||
// See SEC-766
|
||||
if (authenticationTrustResolver.isAnonymous(securityContext.getAuthentication())) {
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("SecurityContext contents are anonymous - context wil not be stored in HttpSession. ");
|
||||
}
|
||||
} else {
|
||||
httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("SecurityContext stored to HttpSession: '" + securityContext + "'");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue