From e88f47a96a212a0918c515dc395ab4eec6ef6e1e Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 10 Nov 2010 12:53:56 +0000
Subject: [PATCH] SEC-1561: Add check on whether the security context attribute is set in the current session to make sure it is stored when a new session has been created during the request.
---
 .../web/context/HttpSessionSecurityContextRepository.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
index 89521f3615..234123b480 100644
--- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@@ -344,7 +344,9 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 // If HttpSession exists, store current SecurityContextHolder contents but only if
 // the SecurityContext has actually changed (see JIRA SEC-37)
- if (httpSession != null && context.hashCode() != contextHashBeforeChainExecution) {
+ // We also check that the session contains the context, in case a new session has been created (SEC-1561)
+ if (httpSession != null && (context.hashCode() != contextHashBeforeChainExecution ||
+ httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY) == null)) {
 httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, context);
 if (logger.isDebugEnabled()) {
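Review bot: The comment added above the new condition cites SEC-1561 but does not say what goes wrong without the check; I would spell it out, e.g. `// An unchanged context must still be stored when the current session lacks it (new session created during the request, SEC-1561)`. As written, the `httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY) == null` clause can read as redundant next to the hash comparison and is easy to remove in a later cleanup, which would presumably leave the new session without the authenticated context again. The diffstat lists only this one file, so no regression test for the new-session case accompanies the change in this patch. The enclosing method starts and ends outside the hunk, so how `httpSession` is obtained cannot be checked from here.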