From e12b6afefac137ef5d52c736b7188ac0b5cc44fe Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Tue, 22 Apr 2008 13:22:38 +0000 Subject: [PATCH] SEC-776: Http Session created for Anonymous request http://jira.springframework.org/browse/SEC-776. Added AuthenticationtrustResolver to HttpSCIF to check for anonymous authentication. --- .../HttpSessionContextIntegrationFilter.java | 26 ++++++++++++++----- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java b/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java index 78bc9b9a06..e0b9aadbb4 100644 --- a/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java +++ b/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java @@ -28,6 +28,8 @@ import javax.servlet.http.HttpSession; import org.springframework.beans.factory.InitializingBean; import org.springframework.util.Assert; import org.springframework.util.ReflectionUtils; +import org.springframework.security.AuthenticationTrustResolver; +import org.springframework.security.AuthenticationTrustResolverImpl; import org.springframework.security.ui.SpringSecurityFilter; import org.springframework.security.ui.FilterChainOrder; @@ -150,6 +152,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im * method. */ private boolean cloneFromHttpSession = false; + + private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl(); public boolean isCloneFromHttpSession() { return cloneFromHttpSession; @@ -320,7 +324,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im /** * Stores the supplied security context in the session (if available) and if it has changed since it was - * set at the start of the request. + * set at the start of the request. If the AuthenticationTrustResolver identifies the current user as + * anonymous, then the context will not be stored. * * @param securityContext the context object obtained from the SecurityContextHolder after the request has * been processed by the filter chain. SecurityContextHolder.getContext() cannot be used to obtain @@ -356,7 +361,7 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im + "(because the allowSessionCreation property is false) - SecurityContext thus not " + "stored for next request"); } - } else if (!contextObject.equals(securityContext)) { + } else if (!contextObject.equals(securityContext)) { if (logger.isDebugEnabled()) { logger.debug("HttpSession being created as SecurityContextHolder contents are non-default"); } @@ -376,11 +381,18 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im // If HttpSession exists, store current SecurityContextHolder contents but only if // the SecurityContext has actually changed (see JIRA SEC-37) if (httpSession != null && securityContext.hashCode() != contextHashBeforeChainExecution) { - httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext); - - if (logger.isDebugEnabled()) { - logger.debug("SecurityContext stored to HttpSession: '" + securityContext + "'"); - } + // See SEC-766 + if (authenticationTrustResolver.isAnonymous(securityContext.getAuthentication())) { + if (logger.isDebugEnabled()) { + logger.debug("SecurityContext contents are anonymous - context wil not be stored in HttpSession. "); + } + } else { + httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext); + + if (logger.isDebugEnabled()) { + logger.debug("SecurityContext stored to HttpSession: '" + securityContext + "'"); + } + } } }