SEC-776: Http Session created for Anonymous request

http://jira.springframework.org/browse/SEC-776. Added AuthenticationtrustResolver to HttpSCIF to check for anonymous authentication.
2025-07-16 07:13:30 +00:00 · 2008-04-22 13:22:38 +00:00 · 2008-04-22 13:22:38 +00:00 · e12b6afefa
commit e12b6afefa
parent 88ea87642a
1 changed files with 19 additions and 7 deletions
--- a/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java
+++ b/core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java
@ -28,6 +28,8 @@ import javax.servlet.http.HttpSession;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.util.Assert;
 import org.springframework.util.ReflectionUtils;
 import org.springframework.security.AuthenticationTrustResolver;
 import org.springframework.security.AuthenticationTrustResolverImpl;
 import org.springframework.security.ui.SpringSecurityFilter;
 import org.springframework.security.ui.FilterChainOrder;
@ -150,6 +152,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
     * method.
     */
    private boolean cloneFromHttpSession = false;
    private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl(); 
    public boolean isCloneFromHttpSession() {
        return cloneFromHttpSession;
@ -320,7 +324,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
    /**
     * Stores the supplied security context in the session (if available) and if it has changed since it was
-     * set at the start of the request.
+     * set at the start of the request. If the AuthenticationTrustResolver identifies the current user as
     * anonymous, then the context will not be stored. 
     *
     * @param securityContext the context object obtained from the SecurityContextHolder after the request has
     *        been processed by the filter chain. SecurityContextHolder.getContext() cannot be used to obtain
@ -356,7 +361,7 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
                                        + "(because the allowSessionCreation property is false) - SecurityContext thus not "
                                        + "stored for next request");
                    }
-                } else if (!contextObject.equals(securityContext)) {
+                } else if (!contextObject.equals(securityContext)) {                	
                    if (logger.isDebugEnabled()) {
                        logger.debug("HttpSession being created as SecurityContextHolder contents are non-default");
                    }
@ -376,11 +381,18 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
        // If HttpSession exists, store current SecurityContextHolder contents but only if
        // the SecurityContext has actually changed (see JIRA SEC-37)
        if (httpSession != null && securityContext.hashCode() != contextHashBeforeChainExecution) {
-            httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
+        	// See SEC-766
-
+        	if (authenticationTrustResolver.isAnonymous(securityContext.getAuthentication())) {
-            if (logger.isDebugEnabled()) {
+                if (logger.isDebugEnabled()) {
-                logger.debug("SecurityContext stored to HttpSession: '" + securityContext + "'");
+                    logger.debug("SecurityContext contents are anonymous - context wil not be stored in HttpSession. ");
-            }
+                }
        	} else {
 	            httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
 	            if (logger.isDebugEnabled()) {
 	                logger.debug("SecurityContext stored to HttpSession: '" + securityContext + "'");
 	            }
        	}
        }
    }