SEC-1039: Corrected reference to security context key to match new value.
This commit is contained in:
Luke Taylor
parent
a650b73550
commit
fd7fc0c8a5
|
|
@ -12,7 +12,7 @@ import org.springframework.security.Authentication;
|
|||
import org.springframework.security.AuthenticationTrustResolver;
|
||||
import org.springframework.security.AuthenticationTrustResolverImpl;
|
||||
import org.springframework.security.concurrent.SessionRegistry;
|
||||
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
|
||||
import org.springframework.security.context.HttpSessionSecurityContextRepository;
|
||||
import org.springframework.security.context.SecurityContext;
|
||||
import org.springframework.security.context.SecurityContextHolder;
|
||||
import org.springframework.security.util.SessionUtils;
|
||||
|
|
@ -20,10 +20,10 @@ import org.springframework.security.util.SessionUtils;
|
|||
/**
|
||||
* Detects that a user has been authenticated since the start of the request and starts a new session.
|
||||
* <p>
|
||||
* This is essentially a generalization of the functionality that was implemented for SEC-399.
|
||||
* Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used
|
||||
* with Spring Security's concurrent session control.
|
||||
*
|
||||
* This is essentially a generalization of the functionality that was implemented for SEC-399.
|
||||
* Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used
|
||||
* with Spring Security's concurrent session control.
|
||||
*
|
||||
* @author Martin Algesten
|
||||
* @author Luke Taylor
|
||||
* @since 2.0
|
||||
|
|
@ -32,18 +32,18 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
|
|||
//~ Static fields/initializers =====================================================================================
|
||||
|
||||
static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
|
||||
|
||||
|
||||
//~ Instance fields ================================================================================================
|
||||
|
||||
private SessionRegistry sessionRegistry;
|
||||
|
||||
|
||||
/**
|
||||
* Indicates that the session attributes of the session to be invalidated
|
||||
* should be migrated to the new session. Defaults to <code>true</code>.
|
||||
*/
|
||||
private boolean migrateSessionAttributes = true;
|
||||
private boolean migrateSessionAttributes = true;
|
||||
|
||||
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
|
||||
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
|
||||
|
||||
protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
|
||||
throws IOException, ServletException {
|
||||
|
|
@ -52,13 +52,13 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
|
|||
chain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
|
||||
|
||||
HttpSession session = request.getSession();
|
||||
SecurityContext sessionSecurityContext =
|
||||
(SecurityContext) session.getAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY);
|
||||
|
||||
SecurityContext sessionSecurityContext =
|
||||
(SecurityContext) session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
|
||||
|
||||
if (sessionSecurityContext == null && isAuthenticated()) {
|
||||
// The user has been authenticated during the current request, so do the session migration
|
||||
startNewSessionIfRequired(request, response);
|
||||
|
|
@ -66,32 +66,32 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
|
|||
|
||||
chain.doFilter(request, response);
|
||||
}
|
||||
|
||||
|
||||
private boolean isAuthenticated() {
|
||||
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
||||
|
||||
return authentication != null && !authenticationTrustResolver.isAnonymous(authentication);
|
||||
|
||||
return authentication != null && !authenticationTrustResolver.isAnonymous(authentication);
|
||||
}
|
||||
|
||||
|
||||
public void setMigrateSessionAttributes(boolean migrateSessionAttributes) {
|
||||
this.migrateSessionAttributes = migrateSessionAttributes;
|
||||
}
|
||||
|
||||
public void setSessionRegistry(SessionRegistry sessionRegistry) {
|
||||
this.sessionRegistry = sessionRegistry;
|
||||
}
|
||||
this.sessionRegistry = sessionRegistry;
|
||||
}
|
||||
|
||||
public int getOrder() {
|
||||
public int getOrder() {
|
||||
return FilterChainOrder.SESSION_FIXATION_FILTER;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Called when the a user wasn't authenticated at the start of the request but has been during it
|
||||
* <p>
|
||||
* A new session will be created, the session attributes copied to it (if
|
||||
* A new session will be created, the session attributes copied to it (if
|
||||
* <tt>migrateSessionAttributes</tt> is set) and the sessionRegistry updated with the new session information.
|
||||
*/
|
||||
protected void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response) {
|
||||
protected void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response) {
|
||||
SessionUtils.startNewSessionIfRequired(request, migrateSessionAttributes, sessionRegistry);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue