SEC-776: Http Session created for Anonymous request

http://jira.springframework.org/browse/SEC-776. Added AuthenticationTrustResolver to HttpSCIF to check for anonymous authentication.
Luke Taylor 2008-04-22 13:22:38 +00:00
parent 88ea87642a
commit e12b6afefa


@ -28,6 +28,8 @@ import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.InitializingBean; import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.ReflectionUtils; import org.springframework.util.ReflectionUtils;
import org.springframework.security.AuthenticationTrustResolver;
import org.springframework.security.AuthenticationTrustResolverImpl;
import org.springframework.security.ui.SpringSecurityFilter; import org.springframework.security.ui.SpringSecurityFilter;
import org.springframework.security.ui.FilterChainOrder; import org.springframework.security.ui.FilterChainOrder;
@ -151,6 +153,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
*/ */
private boolean cloneFromHttpSession = false; private boolean cloneFromHttpSession = false;
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
public boolean isCloneFromHttpSession() { public boolean isCloneFromHttpSession() {
return cloneFromHttpSession; return cloneFromHttpSession;
} }
@ -320,7 +324,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
/** /**
* Stores the supplied security context in the session (if available) and if it has changed since it was * Stores the supplied security context in the session (if available) and if it has changed since it was
* set at the start of the request. * set at the start of the request. If the AuthenticationTrustResolver identifies the current user as
* anonymous, then the context will not be stored.
* *
* @param securityContext the context object obtained from the SecurityContextHolder after the request has * @param securityContext the context object obtained from the SecurityContextHolder after the request has
* been processed by the filter chain. SecurityContextHolder.getContext() cannot be used to obtain * been processed by the filter chain. SecurityContextHolder.getContext() cannot be used to obtain
@ -376,6 +381,12 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
// If HttpSession exists, store current SecurityContextHolder contents but only if // If HttpSession exists, store current SecurityContextHolder contents but only if
// the SecurityContext has actually changed (see JIRA SEC-37) // the SecurityContext has actually changed (see JIRA SEC-37)
if (httpSession != null && securityContext.hashCode() != contextHashBeforeChainExecution) { if (httpSession != null && securityContext.hashCode() != contextHashBeforeChainExecution) {
// See SEC-766
if (authenticationTrustResolver.isAnonymous(securityContext.getAuthentication())) {
if (logger.isDebugEnabled()) {
logger.debug("SecurityContext contents are anonymous - context wil not be stored in HttpSession. ");
}
} else {
httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext); httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
@ -383,6 +394,7 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
} }
} }
} }
}
private HttpSession safeGetSession(HttpServletRequest request, boolean allowCreate) { private HttpSession safeGetSession(HttpServletRequest request, boolean allowCreate) {
try { try {