Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-16 07:13:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-776: Http Session created for Anonymous request

Browse Source 
http://jira.springframework.org/browse/SEC-776. Added AuthenticationtrustResolver to HttpSCIF to check for anonymous authentication.
This commit is contained in:
Luke Taylor 2008-04-22 13:22:38 +00:00
parent 88ea87642a
commit e12b6afefa
1 changed files with 19 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
core/src/main/java/org/springframework/security/context/HttpSessionContextIntegrationFilter.java
View File

@ -28,6 +28,8 @@ import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert;
import org.springframework.util.ReflectionUtils;
import org.springframework.security.AuthenticationTrustResolver;
import org.springframework.security.AuthenticationTrustResolverImpl;
import org.springframework.security.ui.SpringSecurityFilter;
import org.springframework.security.ui.FilterChainOrder;
@ -151,6 +153,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
*/
private boolean cloneFromHttpSession = false;
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
public boolean isCloneFromHttpSession() {
return cloneFromHttpSession;
}
@ -320,7 +324,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
/**
* Stores the supplied security context in the session (if available) and if it has changed since it was
* set at the start of the request.
* set at the start of the request. If the AuthenticationTrustResolver identifies the current user as
* anonymous, then the context will not be stored.
*
* @param securityContext the context object obtained from the SecurityContextHolder after the request has
* been processed by the filter chain. SecurityContextHolder.getContext() cannot be used to obtain
@ -376,6 +381,12 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
// If HttpSession exists, store current SecurityContextHolder contents but only if
// the SecurityContext has actually changed (see JIRA SEC-37)
if (httpSession != null && securityContext.hashCode() != contextHashBeforeChainExecution) {
// See SEC-766
if (authenticationTrustResolver.isAnonymous(securityContext.getAuthentication())) {
if (logger.isDebugEnabled()) {
logger.debug("SecurityContext contents are anonymous - context wil not be stored in HttpSession. ");
}
} else {
httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
if (logger.isDebugEnabled()) {
@ -383,6 +394,7 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
}
}
}
}
private HttpSession safeGetSession(HttpServletRequest request, boolean allowCreate) {
try {